Windows Analysis Report
data.exe

Overview

General Information

Sample name: data.exe
Analysis ID: 1578691
MD5: be36675f14fb0099896527084200cc80
SHA1: 7f004012c05fca17a746629179463f6274c48055
SHA256: 025134d77dcd4ab189301ed58a5c6f5046ac71e2fc3c017fce4122529fc0d7e8
Tags: exe, recon, user-meanjellybeanx

Detection

Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Contain functionality to detect virtual machines
Machine Learning detection for sample
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes or reads registry keys via WMI
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found potential string decryption / allocating functions
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Too many similar processes found
Uses Microsoft's Enhanced Cryptographic Provider

Classification

  • System is w10x64
  • data.exe (PID: 6644 cmdline: "C:\Users\user\Desktop\data.exe" MD5: BE36675F14FB0099896527084200CC80)
    • WMIC.exe (PID: 6764 cmdline: "wmic" bios get serialnumber MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
      • conhost.exe (PID: 5040 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • WMIC.exe (PID: 344 cmdline: "wmic" baseboard get serialnumber MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
      • conhost.exe (PID: 3912 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • WMIC.exe (PID: 5164 cmdline: "wmic" cpu get name MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
      • conhost.exe (PID: 5300 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • WMIC.exe (PID: 2312 cmdline: "wmic" computersystem get totalphysicalmemory MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
      • conhost.exe (PID: 4624 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • WMIC.exe (PID: 5912 cmdline: "wmic" diskdrive get model,size MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
      • conhost.exe (PID: 6104 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • WMIC.exe (PID: 3320 cmdline: "wmic" /namespace:\\root\SecurityCenter2 path AntivirusProduct get displayName MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
      • conhost.exe (PID: 4080 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • getmac.exe (PID: 5304 cmdline: "getmac" MD5: 7D4B72DFF5B8E98DD1351A401E402C33)
      • conhost.exe (PID: 6404 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • systeminfo.exe (PID: 1856 cmdline: "systeminfo" MD5: EE309A9C61511E907D87B10EF226FDCD)
      • conhost.exe (PID: 5040 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • WMIC.exe (PID: 2896 cmdline: "wmic" computersystem get model MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
      • conhost.exe (PID: 7148 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • tasklist.exe (PID: 6788 cmdline: "tasklist" /fi "IMAGENAME eq vmtoolsd.exe" MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
      • conhost.exe (PID: 6668 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • tasklist.exe (PID: 2472 cmdline: "tasklist" /fi "IMAGENAME eq vmwaretray.exe" MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
      • conhost.exe (PID: 3192 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • tasklist.exe (PID: 3320 cmdline: "tasklist" /fi "IMAGENAME eq vmwareuser.exe" MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
      • conhost.exe (PID: 6112 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • tasklist.exe (PID: 3368 cmdline: "tasklist" /fi "IMAGENAME eq vmacthlp.exe" MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
      • conhost.exe (PID: 6388 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • tasklist.exe (PID: 6668 cmdline: "tasklist" /fi "IMAGENAME eq vmware-vmx.exe" MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
      • conhost.exe (PID: 5912 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • tasklist.exe (PID: 3192 cmdline: "tasklist" /fi "IMAGENAME eq vmware-authd.exe" MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
      • conhost.exe (PID: 6812 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • tasklist.exe (PID: 6112 cmdline: "tasklist" /fi "IMAGENAME eq vboxservice.exe" MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
      • conhost.exe (PID: 5304 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • tasklist.exe (PID: 6388 cmdline: "tasklist" /fi "IMAGENAME eq vboxtray.exe" MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
      • conhost.exe (PID: 5480 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • tasklist.exe (PID: 6764 cmdline: "tasklist" /fi "IMAGENAME eq vboxcontrol.exe" MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
      • conhost.exe (PID: 5912 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • tasklist.exe (PID: 4080 cmdline: "tasklist" /fi "IMAGENAME eq vboxheadless.exe" MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
      • conhost.exe (PID: 6812 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • tasklist.exe (PID: 6112 cmdline: "tasklist" /fi "IMAGENAME eq qemu-ga.exe" MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
      • conhost.exe (PID: 5016 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • tasklist.exe (PID: 2472 cmdline: "tasklist" /fi "IMAGENAME eq qemu-system-x86.exe" MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
      • conhost.exe (PID: 6404 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • tasklist.exe (PID: 3192 cmdline: "tasklist" /fi "IMAGENAME eq qemu-system-x86_64.exe" MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
      • conhost.exe (PID: 5936 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • tasklist.exe (PID: 6620 cmdline: "tasklist" /fi "IMAGENAME eq sandboxie.exe" MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
      • conhost.exe (PID: 4080 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • tasklist.exe (PID: 6104 cmdline: "tasklist" /fi "IMAGENAME eq sbiesvc.exe" MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
      • conhost.exe (PID: 480 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • tasklist.exe (PID: 3384 cmdline: "tasklist" /fi "IMAGENAME eq sbiectrl.exe" MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
      • conhost.exe (PID: 6716 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • tasklist.exe (PID: 6784 cmdline: "tasklist" /fi "IMAGENAME eq sandman.exe" MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
      • conhost.exe (PID: 2564 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • tasklist.exe (PID: 5164 cmdline: "tasklist" /fi "IMAGENAME eq cockoo.exe" MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
      • conhost.exe (PID: 6620 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • tasklist.exe (PID: 6128 cmdline: "tasklist" /fi "IMAGENAME eq analyser.exe" MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
      • conhost.exe (PID: 5480 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • tasklist.exe (PID: 6388 cmdline: "tasklist" /fi "IMAGENAME eq wireshark.exe" MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
      • conhost.exe (PID: 2260 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • tasklist.exe (PID: 1856 cmdline: "tasklist" /fi "IMAGENAME eq fiddler.exe" MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
      • conhost.exe (PID: 5040 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • tasklist.exe (PID: 5772 cmdline: "tasklist" /fi "IMAGENAME eq processhacker.exe" MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
      • conhost.exe (PID: 4456 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • tasklist.exe (PID: 7068 cmdline: "tasklist" /fi "IMAGENAME eq procmon.exe" MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
      • conhost.exe (PID: 7148 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • tasklist.exe (PID: 2664 cmdline: "tasklist" /fi "IMAGENAME eq procexp.exe" MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
      • conhost.exe (PID: 4476 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • tasklist.exe (PID: 5424 cmdline: "tasklist" /fi "IMAGENAME eq ida64.exe" MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
      • conhost.exe (PID: 6812 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • tasklist.exe (PID: 5304 cmdline: "tasklist" /fi "IMAGENAME eq ollydbg.exe" MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
      • conhost.exe (PID: 5016 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • tasklist.exe (PID: 1928 cmdline: "tasklist" /fi "IMAGENAME eq x32dbg.exe" MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
      • conhost.exe (PID: 6404 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • tasklist.exe (PID: 3332 cmdline: "tasklist" /fi "IMAGENAME eq x64dbg.exe" MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
      • conhost.exe (PID: 5300 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • tasklist.exe (PID: 348 cmdline: "tasklist" /fi "IMAGENAME eq windbg.exe" MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
      • conhost.exe (PID: 5936 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
No configs have been found
Yara matches (static file)

Source | Rule | Description | Author | Strings
data.exe | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |

Yara matches (memory dumps)

Source | Rule | Description | Author | Strings
00000000.00000002.2485711078.00007FF796368000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |
00000000.00000000.1673028261.00007FF796368000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |
Process Memory Space: data.exe PID: 6644 | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |

Yara matches (unpacked PEs)

Source | Rule | Description | Author | Strings
0.0.data.exe.7ff796320000.0.unpack | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |
0.2.data.exe.7ff796320000.0.unpack | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |

No Sigma rule has matched
No Suricata rule has matched

AV Detection

Source: data.exe | Virustotal: Detection: 9%
Source: data.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\data.exe | Code function: 0_2_00007FF796332CC0 BCryptGenRandom,SystemFunction036,BCryptGenRandom,SystemFunction036 | 0_2_00007FF796332CC0
Source: data.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: data.pdb3444 source: data.exe
Source: Binary string: data.pdb source: data.exe
Source: C:\Users\user\Desktop\data.exe | Code function: 0_2_00007FF796346360 CloseHandle,FindFirstFileW,FindClose | 0_2_00007FF796346360
Source: data.exe, 00000000.00000002.2485496817.000001DFC201B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot6-77a
Source: data.exe, 00000000.00000002.2485496817.000001DFC201B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot6-77aLoc
Source: data.exe, 00000000.00000002.2485496817.000001DFC201B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot7068399075:AAEU8zRzCqB0URyCZuIuzOS0iXNMCPf1hu4/sendDocument
Source: data.exe, 00000000.00000002.2485496817.000001DFC201B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot7068399075:AAEU8zRzCqB0URyCZuIuzOS0iXNMCPf1hu4o
Source: data.exe, 00000000.00000002.2485496817.000001DFC201B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot7068399075:AAEU8zRzCqB0URyCZuIuzOS0iXNMCPf1hu4o.txt
Source: data.exe | String found in binary or memory: https://docs.rs/getrandom#nodejs-es-module-support
Source: tasklist.exe | Process created: 44
Source: conhost.exe | Process created: 47

System Summary

Source: C:\Windows\System32\getmac.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue (12 identical entries)
Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue (12 identical entries)
Source: C:\Users\user\Desktop\data.exe | Code function: 0_2_00007FF796346920 NtReadFile,WaitForSingleObject,RtlNtStatusToDosError | 0_2_00007FF796346920
Source: C:\Users\user\Desktop\data.exe | Code function: 0_2_00007FF796346A40 NtWriteFile,WaitForSingleObject,RtlNtStatusToDosError | 0_2_00007FF796346A40
Source: C:\Users\user\Desktop\data.exe | Code function: 0_2_00007FF796347630 | 0_2_00007FF796347630
Source: C:\Users\user\Desktop\data.exe | Code function: 0_2_00007FF796322450 | 0_2_00007FF796322450
Source: C:\Users\user\Desktop\data.exe | Code function: 0_2_00007FF796349130 | 0_2_00007FF796349130
Source: C:\Users\user\Desktop\data.exe | Code function: 0_2_00007FF796354840 | 0_2_00007FF796354840
Source: C:\Users\user\Desktop\data.exe | Code function: 0_2_00007FF796366910 | 0_2_00007FF796366910
Source: C:\Users\user\Desktop\data.exe | Code function: 0_2_00007FF7963458A0 | 0_2_00007FF7963458A0
Source: C:\Users\user\Desktop\data.exe | Code function: 0_2_00007FF796337530 | 0_2_00007FF796337530
Source: C:\Users\user\Desktop\data.exe | Code function: 0_2_00007FF79635E550 | 0_2_00007FF79635E550
Source: C:\Users\user\Desktop\data.exe | Code function: 0_2_00007FF79632E330 | 0_2_00007FF79632E330
Source: C:\Users\user\Desktop\data.exe | Code function: 0_2_00007FF796351330 | 0_2_00007FF796351330
Source: C:\Users\user\Desktop\data.exe | Code function: 0_2_00007FF79635D340 | 0_2_00007FF79635D340
Source: C:\Users\user\Desktop\data.exe | Code function: 0_2_00007FF7963433A0 | 0_2_00007FF7963433A0
Source: C:\Users\user\Desktop\data.exe | Code function: 0_2_00007FF79632B3C0 | 0_2_00007FF79632B3C0
Source: C:\Users\user\Desktop\data.exe | Code function: 0_2_00007FF79635A4D0 | 0_2_00007FF79635A4D0
Source: C:\Users\user\Desktop\data.exe | Code function: 0_2_00007FF79635B1E0 | 0_2_00007FF79635B1E0
Source: C:\Users\user\Desktop\data.exe | Code function: 0_2_00007FF79634ED60 | 0_2_00007FF79634ED60
Source: C:\Users\user\Desktop\data.exe | Code function: 0_2_00007FF796333B50 | 0_2_00007FF796333B50
Source: C:\Users\user\Desktop\data.exe | Code function: 0_2_00007FF796359C60 | 0_2_00007FF796359C60
Source: C:\Users\user\Desktop\data.exe | Code function: 0_2_00007FF79633E970 | 0_2_00007FF79633E970
Source: C:\Users\user\Desktop\data.exe | Code function: 0_2_00007FF796358980 | 0_2_00007FF796358980
Source: C:\Users\user\Desktop\data.exe | Code function: 0_2_00007FF79635D930 | 0_2_00007FF79635D930
Source: C:\Users\user\Desktop\data.exe | Code function: String function: 00007FF796336D20 appears 69 times
Source: C:\Users\user\Desktop\data.exe | Code function: String function: 00007FF79635CCA0 appears 61 times
Source: data.exe | Static PE information: Section: .padding ZLIB complexity 0.9964192708333334
Source: system_info.txt.0.dr | Binary string: EC-F4-BB-EA-15-88 \Device\Tcpip_{E3B92EAA-F5C7-47F8-A487-F466F42035A1}
Source: system_info.txt.0.dr | Binary string: Boot Device: \Device\HarddiskVolume1
Source: classification engine | Classification label: mal80.evad.winEXE@135/1@0/0
Source: C:\Users\user\Desktop\data.exe | Code function: 0_2_00007FF796346B70 GetModuleHandleW,FormatMessageW,GetLastError | 0_2_00007FF796346B70
Source: C:\Users\user\Desktop\data.exe | File created: C:\Users\user\Desktop\system_info.txt
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6104:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5040:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6812:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6716:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6404:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5936:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6388:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5480:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3192:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5304:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2564:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4456:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6620:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6668:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5016:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6112:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:480:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2260:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4624:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4476:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5300:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4080:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5912:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7148:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3912:120:WilError_03
Source: data.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\wbem\WMIC.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'VBOXCONTROL.EXE'
Source: C:\Windows\System32\wbem\WMIC.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM WIN32_PROCESSOR
Source: C:\Windows\System32\wbem\WMIC.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'COCKOO.EXE'
Source: C:\Windows\System32\wbem\WMIC.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'PROCMON64.EXE'
Source: C:\Windows\System32\conhost.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'DEPENDS.EXE'
Source: C:\Windows\System32\conhost.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'SBIESVC.EXE'
Source: C:\Windows\System32\wbem\WMIC.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'VMWAREUSER.EXE'
Source: C:\Windows\System32\wbem\WMIC.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'REGSHOT.EXE'
Source: C:\Windows\System32\conhost.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'VBOXHEADLESS.EXE'
Source: C:\Windows\System32\conhost.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'IDAG.EXE'
Source: C:\Windows\System32\conhost.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'HOOKEXPLORER.EXE'
Source: C:\Windows\System32\getmac.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'OLLYDBG.EXE'
Source: C:\Windows\System32\conhost.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'PETOOLS.EXE'
Source: C:\Windows\System32\systeminfo.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor (2 identical entries)
Source: C:\Windows\System32\systeminfo.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'FIDDLER.EXE'
Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'VMTOOLSD.EXE'
Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'PRL_CC.EXE'
Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'SYSTEMEXPLORERSERVICE.EXE'
Source: C:\Windows\System32\conhost.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'VMWARE-VMX.EXE'
Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'VMWARETRAY.EXE'
Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'QEMU-SYSTEM-X86.EXE'
Source: C:\Windows\System32\conhost.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'VMWARE-AUTHD.EXE'
Source: C:\Windows\System32\conhost.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'QEMU-SYSTEM-X86_64.EXE'
Source: C:\Windows\System32\conhost.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'TCPDUMP.EXE'
Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'VMWAREUSER.EXE'
Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'REGSHOT.EXE'
Source: C:\Windows\System32\conhost.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'VBOXSERVICE.EXE'
Source: C:\Windows\System32\conhost.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'QEMU-GA.EXE'
Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'VMACTHLP.EXE'
Source: C:\Windows\System32\conhost.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'VBOXTRAY.EXE'
Source: C:\Windows\System32\conhost.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'WIRESHARK.EXE'
Source: C:\Windows\System32\conhost.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'IDAQ64.EXE'
Source: C:\Windows\System32\conhost.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'FILESCAN.EXE'
Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'VMWARE-VMX.EXE'
Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'VMWARE-AUTHD.EXE'
              Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'QEMU-SYSTEM-X86_64.EXE'
              Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'TCPDUMP.EXE'
              Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'VBOXSERVICE.EXE'
              Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'QEMU-GA.EXE'
              Source: C:\Windows\System32\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'OLLYDBG.EXE'
              Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'VBOXTRAY.EXE'
              Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'WIRESHARK.EXE'
              Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'IDAQ64.EXE'
              Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'FILESCAN.EXE'
              Source: C:\Windows\System32\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'FILEMON.EXE'
              Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'VBOXCONTROL.EXE'
              Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'VBOXHEADLESS.EXE'
              Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'IDAG.EXE'
              Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'HOOKEXPLORER.EXE'
              Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'VBOXSERVICE.EXE'
              Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'QEMU-GA.EXE'
              Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'VMWARETRAY.EXE'
              Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'QEMU-SYSTEM-X86.EXE'
              Source: C:\Windows\System32\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'PETOOLS.EXE'
              Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'VMWARE-AUTHD.EXE'
              Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'QEMU-SYSTEM-X86_64.EXE'
              Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'TCPDUMP.EXE'
              Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'SANDBOXIE.EXE'
              Source: C:\Windows\System32\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'VBOXHEADLESS.EXE'
              Source: C:\Windows\System32\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'IDAG.EXE'
              Source: C:\Windows\System32\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'HOOKEXPLORER.EXE'
              Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'SBIESVC.EXE'
              Source: C:\Windows\System32\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'IDAU64.EXE'
              Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'SBIECTRL.EXE'
              Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'SANDMAN.EXE'
              Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'PROTECTION_ID.EXE'
              Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'XENSERVICE.EXE'
              Source: C:\Windows\System32\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'PRL_TOOLS.EXE'
              Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM WIN32_PROCESSOR
              Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'COCKOO.EXE'
              Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'PROCMON64.EXE'
              Source: C:\Windows\System32\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'SANDBOXIE.EXE'
              Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'ANALYSER.EXE'
              Source: C:\Windows\System32\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'FILEMON.EXE'
              Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'VBOXTRAY.EXE'
              Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'WIRESHARK.EXE'
              Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'IDAQ64.EXE'
              Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'FILESCAN.EXE'
              Source: C:\Windows\System32\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'REGMON.EXE'
              Source: C:\Windows\System32\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'DUMPCAP.EXE'
              Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
              Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
              Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'FIDDLER.EXE'
              Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'PROCESSHACKER.EXE'
              Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'PROCMON.EXE'
              Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'PROCEXP.EXE'
              Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'IDA64.EXE'
              Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'OLLYDBG.EXE'
              Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'X32DBG.EXE'
              Source: C:\Windows\System32\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'PETOOLS.EXE'
              Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'X64DBG.EXE'
              Source: C:\Windows\System32\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'DEPENDS.EXE'
              Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'WINDBG.EXE'
Source: C:\Users\user\Desktop\data.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: tasklist.exe, 0000003C.00000003.1791179787.000002215F7F6000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 0000003C.00000003.1791092346.000002215F7E5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'FIDDLER.EXE';
Source: data.exe | Virustotal: Detection: 9%
Source: unknown | Process created: C:\Users\user\Desktop\data.exe "C:\Users\user\Desktop\data.exe"
Source: C:\Users\user\Desktop\data.exe | Process created: C:\Windows\System32\wbem\WMIC.exe "wmic" bios get serialnumber
Source: C:\Windows\System32\wbem\WMIC.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\data.exe | Process created: C:\Windows\System32\wbem\WMIC.exe "wmic" baseboard get serialnumber
Source: C:\Windows\System32\wbem\WMIC.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\data.exe | Process created: C:\Windows\System32\wbem\WMIC.exe "wmic" cpu get name
Source: C:\Windows\System32\wbem\WMIC.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\data.exe | Process created: C:\Windows\System32\wbem\WMIC.exe "wmic" computersystem get totalphysicalmemory
Source: C:\Windows\System32\wbem\WMIC.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\data.exe | Process created: C:\Windows\System32\wbem\WMIC.exe "wmic" diskdrive get model,size
Source: C:\Windows\System32\wbem\WMIC.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\data.exe | Process created: C:\Windows\System32\wbem\WMIC.exe "wmic" /namespace:\\root\SecurityCenter2 path AntivirusProduct get displayName
Source: C:\Windows\System32\wbem\WMIC.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\data.exe | Process created: C:\Windows\System32\getmac.exe "getmac"
Source: C:\Windows\System32\getmac.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\data.exe | Process created: C:\Windows\System32\systeminfo.exe "systeminfo"
Source: C:\Users\user\Desktop\data.exe | Process created: C:\Windows\System32\wbem\WMIC.exe "wmic" computersystem get model
Source: C:\Windows\System32\wbem\WMIC.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\data.exe | Process created: C:\Windows\System32\tasklist.exe "tasklist" /fi "IMAGENAME eq vmtoolsd.exe"
Source: C:\Windows\System32\tasklist.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\data.exe | Process created: C:\Windows\System32\tasklist.exe "tasklist" /fi "IMAGENAME eq vmwaretray.exe"
Source: C:\Windows\System32\tasklist.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\data.exe | Process created: C:\Windows\System32\tasklist.exe "tasklist" /fi "IMAGENAME eq vmwareuser.exe"
Source: C:\Windows\System32\tasklist.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\data.exe | Process created: C:\Windows\System32\tasklist.exe "tasklist" /fi "IMAGENAME eq vmacthlp.exe"
Source: C:\Windows\System32\tasklist.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\data.exe | Process created: C:\Windows\System32\tasklist.exe "tasklist" /fi "IMAGENAME eq vmware-vmx.exe"
Source: C:\Windows\System32\tasklist.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\data.exe | Process created: C:\Windows\System32\tasklist.exe "tasklist" /fi "IMAGENAME eq vmware-authd.exe"
Source: C:\Windows\System32\tasklist.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\data.exe | Process created: C:\Windows\System32\tasklist.exe "tasklist" /fi "IMAGENAME eq vboxservice.exe"
Source: C:\Windows\System32\tasklist.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\data.exe | Process created: C:\Windows\System32\tasklist.exe "tasklist" /fi "IMAGENAME eq vboxtray.exe"
Source: C:\Windows\System32\tasklist.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\data.exe | Process created: C:\Windows\System32\tasklist.exe "tasklist" /fi "IMAGENAME eq vboxcontrol.exe"
Source: C:\Users\user\Desktop\data.exe | Process created: C:\Windows\System32\tasklist.exe "tasklist" /fi "IMAGENAME eq vboxheadless.exe"
Source: C:\Windows\System32\tasklist.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\tasklist.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\data.exe | Process created: C:\Windows\System32\tasklist.exe "tasklist" /fi "IMAGENAME eq sandboxie.exe"
Source: C:\Users\user\Desktop\data.exe | Process created: C:\Windows\System32\tasklist.exe "tasklist" /fi "IMAGENAME eq sbiesvc.exe"
Source: C:\Windows\System32\tasklist.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\data.exe | Process created: C:\Windows\System32\tasklist.exe "tasklist" /fi "IMAGENAME eq sbiectrl.exe"
Source: C:\Windows\System32\tasklist.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\data.exe | Process created: C:\Windows\System32\tasklist.exe "tasklist" /fi "IMAGENAME eq sandman.exe"
Source: C:\Windows\System32\tasklist.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\data.exe | Process created: C:\Windows\System32\tasklist.exe "tasklist" /fi "IMAGENAME eq cockoo.exe"
Source: C:\Windows\System32\tasklist.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\data.exe | Process created: C:\Windows\System32\tasklist.exe "tasklist" /fi "IMAGENAME eq analyser.exe"
Source: C:\Windows\System32\tasklist.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\data.exe | Process created: C:\Windows\System32\tasklist.exe "tasklist" /fi "IMAGENAME eq fiddler.exe"
Source: C:\Users\user\Desktop\data.exe | Process created: C:\Windows\System32\tasklist.exe "tasklist" /fi "IMAGENAME eq processhacker.exe"
Source: C:\Windows\System32\tasklist.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\data.exe | Process created: C:\Windows\System32\tasklist.exe "tasklist" /fi "IMAGENAME eq procmon.exe"
Source: C:\Users\user\Desktop\data.exe | Process created: C:\Windows\System32\tasklist.exe "tasklist" /fi "IMAGENAME eq procexp.exe"
Source: C:\Windows\System32\tasklist.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\data.exe | Process created: C:\Windows\System32\tasklist.exe "tasklist" /fi "IMAGENAME eq ida64.exe"
Source: C:\Users\user\Desktop\data.exe | Process created: C:\Windows\System32\tasklist.exe "tasklist" /fi "IMAGENAME eq ollydbg.exe"
Source: C:\Users\user\Desktop\data.exe | Process created: C:\Windows\System32\tasklist.exe "tasklist" /fi "IMAGENAME eq x32dbg.exe"
Source: C:\Users\user\Desktop\data.exe | Process created: C:\Windows\System32\tasklist.exe "tasklist" /fi "IMAGENAME eq x64dbg.exe"
Source: C:\Users\user\Desktop\data.exe | Process created: C:\Windows\System32\tasklist.exe "tasklist" /fi "IMAGENAME eq windbg.exe"
Source: C:\Users\user\Desktop\data.exe | Process created: C:\Windows\System32\wbem\WMIC.exe "wmic" bios get serialnumber
Source: C:\Users\user\Desktop\data.exe | Process created: C:\Windows\System32\wbem\WMIC.exe "wmic" baseboard get serialnumber
Source: C:\Users\user\Desktop\data.exe | Process created: C:\Windows\System32\wbem\WMIC.exe "wmic" cpu get name
Source: C:\Users\user\Desktop\data.exe | Process created: C:\Windows\System32\wbem\WMIC.exe "wmic" computersystem get totalphysicalmemory
Source: C:\Users\user\Desktop\data.exe | Process created: C:\Windows\System32\wbem\WMIC.exe "wmic" diskdrive get model,size
Source: C:\Users\user\Desktop\data.exe | Process created: C:\Windows\System32\wbem\WMIC.exe "wmic" /namespace:\\root\SecurityCenter2 path AntivirusProduct get displayName
Source: C:\Users\user\Desktop\data.exe | Process created: C:\Windows\System32\getmac.exe "getmac"
Source: C:\Users\user\Desktop\data.exe | Process created: C:\Windows\System32\systeminfo.exe "systeminfo"
Source: C:\Users\user\Desktop\data.exe | Process created: C:\Windows\System32\wbem\WMIC.exe "wmic" computersystem get model
Source: C:\Users\user\Desktop\data.exe | Process created: C:\Windows\System32\tasklist.exe "tasklist" /fi "IMAGENAME eq vmtoolsd.exe"
Source: C:\Users\user\Desktop\data.exe | Process created: C:\Windows\System32\tasklist.exe "tasklist" /fi "IMAGENAME eq vmwaretray.exe"
Source: C:\Users\user\Desktop\data.exe | Process created: C:\Windows\System32\wbem\WMIC.exe "wmic" /namespace:\\root\SecurityCenter2 path AntivirusProduct get displayName
Source: C:\Users\user\Desktop\data.exe | Process created: C:\Windows\System32\tasklist.exe "tasklist" /fi "IMAGENAME eq vmacthlp.exe"
Source: C:\Users\user\Desktop\data.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\data.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\data.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\data.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\data.exe | Process created: C:\Windows\System32\wbem\WMIC.exe "wmic" bios get serialnumber
Source: C:\Users\user\Desktop\data.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\data.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\data.exe | Process created: C:\Windows\System32\tasklist.exe "tasklist" /fi "IMAGENAME eq vmwaretray.exe"
Source: C:\Users\user\Desktop\data.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\data.exe | Process created: C:\Windows\System32\tasklist.exe "tasklist" /fi "IMAGENAME eq sandboxie.exe"
Source: C:\Users\user\Desktop\data.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\data.exe | Process created: C:\Windows\System32\tasklist.exe "tasklist" /fi "IMAGENAME eq sbiectrl.exe"
Source: C:\Users\user\Desktop\data.exe | Process created: C:\Windows\System32\tasklist.exe "tasklist" /fi "IMAGENAME eq sandman.exe"
Source: C:\Users\user\Desktop\data.exe | Process created: C:\Windows\System32\wbem\WMIC.exe "wmic" cpu get name
Source: C:\Users\user\Desktop\data.exe | Process created: C:\Windows\System32\tasklist.exe "tasklist" /fi "IMAGENAME eq analyser.exe"
Source: C:\Users\user\Desktop\data.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\data.exe | Process created: C:\Windows\System32\systeminfo.exe "systeminfo"
Source: C:\Users\user\Desktop\data.exe | Process created: C:\Windows\System32\tasklist.exe "tasklist" /fi "IMAGENAME eq processhacker.exe"
Source: C:\Users\user\Desktop\data.exe | Process created: C:\Windows\System32\tasklist.exe "tasklist" /fi "IMAGENAME eq procmon.exe"
Source: C:\Users\user\Desktop\data.exe | Process created: C:\Windows\System32\tasklist.exe "tasklist" /fi "IMAGENAME eq procexp.exe"
Source: C:\Users\user\Desktop\data.exe | Process created: C:\Windows\System32\tasklist.exe "tasklist" /fi "IMAGENAME eq ida64.exe"
Source: C:\Users\user\Desktop\data.exe | Process created: C:\Windows\System32\getmac.exe "getmac"
Source: C:\Users\user\Desktop\data.exe | Process created: C:\Windows\System32\tasklist.exe "tasklist" /fi "IMAGENAME eq x32dbg.exe"
Source: C:\Users\user\Desktop\data.exe | Process created: C:\Windows\System32\tasklist.exe "tasklist" /fi "IMAGENAME eq x64dbg.exe"
Source: C:\Users\user\Desktop\data.exe | Process created: C:\Windows\System32\tasklist.exe "tasklist" /fi "IMAGENAME eq windbg.exe"
Source: C:\Users\user\Desktop\data.exe | Process created: C:\Windows\System32\wbem\WMIC.exe "wmic" cpu get name
Source: C:\Users\user\Desktop\data.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\data.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\data.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\data.exe | Process created: unknown unknown
Source: C:\Users\user\Desktop\data.exe | Process created: unknown unknown
Source: C:\Users\user\Desktop\data.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\data.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\data.exe | Process created: unknown unknown
              Source: C:\Users\user\Desktop\data.exeProcess created: C:\Windows\System32\tasklist.exe "tasklist" /fi "IMAGENAME eq sandman.exe"Jump to behavior
              Source: C:\Users\user\Desktop\data.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
              Source: C:\Users\user\Desktop\data.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
              Source: C:\Users\user\Desktop\data.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\data.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
              Source: C:\Users\user\Desktop\data.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\data.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
              Source: C:\Users\user\Desktop\data.exeProcess created: C:\Windows\System32\tasklist.exe "tasklist" /fi "IMAGENAME eq vmtoolsd.exe"Jump to behavior
              Source: C:\Users\user\Desktop\data.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\data.exeProcess created: C:\Windows\System32\tasklist.exe "tasklist" /fi "IMAGENAME eq sandman.exe"Jump to behavior
              Source: C:\Users\user\Desktop\data.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
              Source: C:\Users\user\Desktop\data.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\data.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\data.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
              Source: C:\Users\user\Desktop\data.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\data.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\data.exeProcess created: C:\Windows\System32\wbem\WMIC.exe "wmic" /namespace:\\root\SecurityCenter2 path AntivirusProduct get displayNameJump to behavior
              Source: C:\Users\user\Desktop\data.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\data.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\data.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\data.exeProcess created: C:\Windows\System32\tasklist.exe "tasklist" /fi "IMAGENAME eq vmtoolsd.exe"Jump to behavior
              Source: C:\Users\user\Desktop\data.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\data.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
              Source: C:\Users\user\Desktop\data.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\data.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\data.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\data.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
              Source: C:\Users\user\Desktop\data.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\data.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\data.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\data.exe | Section loaded: sbiedll.dll
Source: C:\Users\user\Desktop\data.exe | Section loaded: sf2.dll
Source: C:\Users\user\Desktop\data.exe | Section loaded: snxhk.dll
Source: C:\Users\user\Desktop\data.exe | Section loaded: cmdvrt32.dll
Source: C:\Users\user\Desktop\data.exe | Section loaded: cmdvrt64.dll
Source: C:\Users\user\Desktop\data.exe | Section loaded: cyberghostvpn.dll
Source: C:\Users\user\Desktop\data.exe | Section loaded: vboxmrxnp.dll
Source: C:\Users\user\Desktop\data.exe | Section loaded: vmsrvc.dll
Source: C:\Users\user\Desktop\data.exe | Section loaded: vmhgfs.dll
Source: C:\Users\user\Desktop\data.exe | Section loaded: vm3dgl.dll
Source: C:\Users\user\Desktop\data.exe | Section loaded: vmrig.dll
Source: C:\Users\user\Desktop\data.exe | Section loaded: vmusb.dll
Source: C:\Users\user\Desktop\data.exe | Section loaded: vboxhook.dll
Source: C:\Users\user\Desktop\data.exe | Section loaded: vboxdisp.dll
Source: C:\Users\user\Desktop\data.exe | Section loaded: vboxservice.dll
Source: C:\Users\user\Desktop\data.exe | Section loaded: dbghelp.dll
Source: C:\Users\user\Desktop\data.exe | Section loaded: api_log.dll
Source: C:\Users\user\Desktop\data.exe | Section loaded: dir_watch.dll
Source: C:\Users\user\Desktop\data.exe | Section loaded: wpespy.dll
Source: C:\Users\user\Desktop\data.exe | Section loaded: cigdll.dll
Source: C:\Users\user\Desktop\data.exe | Section loaded: pstorec.dll
Source: C:\Users\user\Desktop\data.exe | Section loaded: vmcheck.dll
Source: C:\Users\user\Desktop\data.exe | Section loaded: allerror.dll
Source: C:\Users\user\Desktop\data.exe | Section loaded: sample.dll
Source: C:\Users\user\Desktop\data.exe | Section loaded: sandbox.dll
Source: C:\Users\user\Desktop\data.exe | Section loaded: agent.dll
Source: C:\Users\user\Desktop\data.exe | Section loaded: dbgcore.dll
Source: C:\Users\user\Desktop\data.exe | Section loaded: avghook.dll
Source: C:\Users\user\Desktop\data.exe | Section loaded: avghooka.dll
Source: C:\Users\user\Desktop\data.exe | Section loaded: snxhk.dll
Source: C:\Users\user\Desktop\data.exe | Section loaded: log_api.dll
Source: C:\Users\user\Desktop\data.exe | Section loaded: api_hook.dll
Source: C:\Users\user\Desktop\data.exe | Section loaded: apimon.dll
Source: C:\Users\user\Desktop\data.exe | Section loaded: apispy.dll
Source: C:\Users\user\Desktop\data.exe | Section loaded: regmon.dll
Source: C:\Users\user\Desktop\data.exe | Section loaded: filemon.dll
Source: C:\Users\user\Desktop\data.exe | Section loaded: procmon.dll
Source: C:\Users\user\Desktop\data.exe | Section loaded: sysmon.dll
Source: C:\Users\user\Desktop\data.exe | Section loaded: syscall.dll
Source: C:\Users\user\Desktop\data.exe | Section loaded: hooks.dll
Source: C:\Users\user\Desktop\data.exe | Section loaded: monitor.dll
Source: C:\Users\user\Desktop\data.exe | Section loaded: defense.dll
Source: C:\Users\user\Desktop\data.exe | Section loaded: protect.dll
Source: C:\Users\user\Desktop\data.exe | Section loaded: analyzer.dll
Source: C:\Users\user\Desktop\data.exe | Section loaded: trace.dll
Source: C:\Users\user\Desktop\data.exe | Section loaded: qemu-ga.dll
Source: C:\Users\user\Desktop\data.exe | Section loaded: parallels.dll
Source: C:\Users\user\Desktop\data.exe | Section loaded: prl_tools.dll
Source: C:\Users\user\Desktop\data.exe | Section loaded: vpcmap.dll
Source: C:\Users\user\Desktop\data.exe | Section loaded: vmsrvc.dll
Source: C:\Users\user\Desktop\data.exe | Section loaded: vmusbmouse.dll
Source: C:\Users\user\Desktop\data.exe | Section loaded: vmtray.dll
Source: C:\Users\user\Desktop\data.exe | Section loaded: wireshark.dll
Source: C:\Users\user\Desktop\data.exe | Section loaded: windbg.dll
Source: C:\Users\user\Desktop\data.exe | Section loaded: ollydbg.dll
Source: C:\Users\user\Desktop\data.exe | Section loaded: immunity.dll
Source: C:\Users\user\Desktop\data.exe | Section loaded: ghidra.dll
Source: C:\Users\user\Desktop\data.exe | Section loaded: ida.dll
Source: C:\Users\user\Desktop\data.exe | Section loaded: x64dbg.dll
Source: C:\Users\user\Desktop\data.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: sxs.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: sxs.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: sxs.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: sxs.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: sxs.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: sxs.dll
Source: C:\Windows\System32\getmac.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\getmac.exe | Section loaded: wkscli.dll
Source: C:\Windows\System32\getmac.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\getmac.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\getmac.exe | Section loaded: framedynos.dll
Source: C:\Windows\System32\getmac.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\getmac.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\getmac.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\getmac.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\getmac.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\getmac.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\getmac.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: sxs.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: sspicli.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: srvcli.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: netutils.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: sspicli.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: wbemcomn.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: winsta.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: amsi.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: userenv.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: profapi.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: version.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: mpr.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: framedynos.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: dbghelp.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: sspicli.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: srvcli.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: netutils.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: sspicli.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: wbemcomn.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: winsta.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: amsi.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: userenv.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: profapi.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: version.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: mpr.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: framedynos.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: dbghelp.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: sspicli.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: srvcli.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: netutils.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: sspicli.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: wbemcomn.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: winsta.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: amsi.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: userenv.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: profapi.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: version.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: mpr.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: framedynos.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: dbghelp.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: sspicli.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: srvcli.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: netutils.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: wbemcomn.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: winsta.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: amsi.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: userenv.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: profapi.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: version.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: mpr.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: framedynos.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: dbghelp.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: sspicli.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: srvcli.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: netutils.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: sspicli.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: wbemcomn.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: winsta.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: amsi.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: userenv.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: profapi.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: version.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: mpr.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: framedynos.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: dbghelp.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: sspicli.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: srvcli.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: netutils.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: sspicli.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: wbemcomn.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: winsta.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: amsi.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: userenv.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: profapi.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: version.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: mpr.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: framedynos.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: dbghelp.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: sspicli.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: srvcli.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: netutils.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: sspicli.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: wbemcomn.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: winsta.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: amsi.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: userenv.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: profapi.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: version.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: mpr.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: framedynos.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: dbghelp.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: sspicli.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: srvcli.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: netutils.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: wbemcomn.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: winsta.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: amsi.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: userenv.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: profapi.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: version.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: mpr.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: framedynos.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: dbghelp.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: sspicli.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: srvcli.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: netutils.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: wbemcomn.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: winsta.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: amsi.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: userenv.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: profapi.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: version.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: mpr.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: framedynos.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: dbghelp.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: sspicli.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: srvcli.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: netutils.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: sspicli.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: wbemcomn.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: winsta.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: amsi.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: userenv.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: profapi.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: version.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: mpr.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: framedynos.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: dbghelp.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: sspicli.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: srvcli.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: netutils.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: sspicli.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: wbemcomn.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: winsta.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: amsi.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: userenv.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: profapi.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: version.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: mpr.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: framedynos.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: dbghelp.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: sspicli.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: srvcli.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: netutils.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: sspicli.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: wbemcomn.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: winsta.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: amsi.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: userenv.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: profapi.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: version.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: mpr.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: framedynos.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: dbghelp.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: sspicli.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: srvcli.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: netutils.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: sspicli.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: wbemcomn.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: winsta.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: amsi.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: userenv.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: profapi.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: version.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: mpr.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: framedynos.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: dbghelp.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: sspicli.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: srvcli.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: netutils.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: sspicli.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: wbemcomn.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: winsta.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: amsi.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: userenv.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: profapi.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: version.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: mpr.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: framedynos.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: dbghelp.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: sspicli.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: srvcli.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: C:\Users\user\Desktop\data.exe Process created: C:\Windows\System32\systeminfo.exe "systeminfo"
Source: C:\Users\user\Desktop\data.exe Process created: C:\Windows\System32\tasklist.exe "tasklist" /fi "IMAGENAME eq vmtoolsd.exe"
Source: data.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: data.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: data.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: data.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: data.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: data.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: data.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: data.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: data.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: data.pdb3444 source: data.exe
Source: Binary string: data.pdb source: data.exe
Source: data.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: data.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: data.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: data.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: data.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\data.exe Code function: 0_2_00007FF7963522A0 WaitForSingleObjectEx,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetCurrentProcess,GetProcAddress,GetCurrentProcess,lstrlenW,GetCurrentProcessId,CreateMutexA,CloseHandle,GetProcAddress,GetCurrentProcess,GetProcAddress,GetCurrentProcess,ReleaseMutex, 0_2_00007FF7963522A0
Source: data.exe Static PE information: section name: .padding
Source: C:\Windows\System32\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\getmac.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\systeminfo.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe Process information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion

Source: Yara match  File source: data.exe, type: SAMPLE
Source: Yara match  File source: 0.0.data.exe.7ff796320000.0.unpack, type: UNPACKEDPE
Source: Yara match  File source: 0.2.data.exe.7ff796320000.0.unpack, type: UNPACKEDPE
Source: Yara match  File source: 00000000.00000002.2485711078.00007FF796368000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match  File source: 00000000.00000000.1673028261.00007FF796368000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match  File source: Process Memory Space: data.exe PID: 6644, type: MEMORYSTR
Source: C:\Users\user\Desktop\data.exe Code function: 0_2_00007FF796322450 references the virtualization vendor/product string run USERNAMEVBOXVIRTUALBOXORACLE VMINNOTEKSUN VIRTUALBOXVMWAREVM_VIRTUAL MACHINEVMXNETVMX86VSPCQEMUQEMU HARDDISKQEMU DVD-ROMQEMU VIRTUALQ35BOCHSXENHVM DOMUXEN VIRTUALXENVMXVMHYPER-VMICROSOFT VIRTUALVIRTUAL HDMICROSOFTVIRTUALMICROSOFT CORPORATIONPARALLELSPARALLELS (string terminators are stripped in the report's listing, which repeats the run several times for this function) and the following sandbox/VM-tool module names: sbiedll.dll, sf2.dll, snxhk.dll, cmdvrt32.dll, cmdvrt64.dll, cyberghostvpn.dll, vboxmrxnp.dll, vmsrvc.dll, vmhgfs.dll, vm3dgl.dll, vmrig.dll, vmusb.dll, vboxhook.dll, vboxdisp.dll, vboxservice.dll, dbghelp.dll, api_log.dll, dir_watch.dll, wpespy.dll, cigdll.dll, pstorec.dll, vmcheck.dll, allerror.dll, sample.dll, sandbox.dll
Source: C:\Users\user\Desktop\data.exe Code function: 0_2_00007FF796321000 references the same virtualization vendor/product string run: USERNAMEVBOXVIRTUALBOXORACLE VMINNOTEKSUN VIRTUALBOXVMWAREVM_VIRTUAL MACHINEVMXNETVMX86VSPCQEMUQEMU HARDDISKQEMU DVD-ROMQEMU VIRTUALQ35BOCHSXENHVM DOMUXEN VIRTUALXENVMXVMHYPER-VMICROSOFT VIRTUALVIRTUAL HDMICROSOFTVIRTUALMICROSOFT CORPORATIONPARALLELSPARALLELS (repeated several times in the report's listing)
Source: C:\Users\user\Desktop\data.exe Code function: 0_2_00007FF79633BB20 references the same virtualization vendor/product string run: USERNAMEVBOXVIRTUALBOXORACLE VMINNOTEKSUN VIRTUALBOXVMWAREVM_VIRTUAL MACHINEVMXNETVMX86VSPCQEMUQEMU HARDDISKQEMU DVD-ROMQEMU VIRTUALQ35BOCHSXENHVM DOMUXEN VIRTUALXENVMXVMHYPER-VMICROSOFT VIRTUALVIRTUAL HDMICROSOFTVIRTUALMICROSOFT CORPORATIONPARALLELSPARALLELS (repeated several times in the report's listing)
Source: C:\Users\user\Desktop\data.exe Code function: 0_2_00007FF79634FD10 references the same virtualization vendor/product string run: USERNAMEVBOXVIRTUALBOXORACLE VMINNOTEKSUN VIRTUALBOXVMWAREVM_VIRTUAL MACHINEVMXNETVMX86VSPCQEMUQEMU HARDDISKQEMU DVD-ROMQEMU VIRTUALQ35BOCHSXENHVM DOMUXEN VIRTUALXENVMXVMHYPER-VMICROSOFT VIRTUALVIRTUAL HDMICROSOFTVIRTUALMICROSOFT CORPORATIONPARALLELSPARALLELS (repeated several times in the report's listing)
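The string tables above are what the AntiVM3 Yara match keys on: a block of hypervisor vendor/product names next to a block of sandbox and guest-tool module names. The Python script below is an added example for this report, not the sample's code and not Joe Sandbox's rule. It does the same static triage on an arbitrary file: it searches for the indicator strings in both ASCII and UTF-16LE form and only flags a file when both families cluster, so a driver or installer that mentions one vendor does not trip it. The indicator subset, the thresholds and the two constructed buffers are assumptions made for the example.

```python
"""Static triage for the anti-VM / anti-sandbox string cluster seen in data.exe.

Added example for this report; it is neither the sample's code nor Joe
Sandbox's AntiVM3 rule. The indicator lists are a subset of the strings the
report shows for data.exe; the thresholds and the sample buffers are
constructed for illustration.
"""
import re
import sys

VM_STRINGS = (
    "VBOX", "VIRTUALBOX", "ORACLE VM", "INNOTEK", "SUN VIRTUALBOX", "VMWARE",
    "VMXNET", "VMX86", "VSPC", "QEMU", "QEMU HARDDISK", "QEMU DVD-ROM",
    "BOCHS", "HVM DOMU", "XEN VIRTUAL", "HYPER-V", "MICROSOFT VIRTUAL",
    "VIRTUAL HD", "PARALLELS",
)
SANDBOX_DLLS = (
    "sbiedll.dll", "sf2.dll", "snxhk.dll", "cmdvrt32.dll", "cmdvrt64.dll",
    "cyberghostvpn.dll", "vboxmrxnp.dll", "vmsrvc.dll", "vmhgfs.dll",
    "vm3dgl.dll", "vmrig.dll", "vmusb.dll", "vboxhook.dll", "vboxdisp.dll",
    "vboxservice.dll", "api_log.dll", "dir_watch.dll", "wpespy.dll",
    "cigdll.dll", "pstorec.dll", "vmcheck.dll", "allerror.dll",
    "sample.dll", "sandbox.dll",
)
# dbghelp.dll is in the sample's table too, but legitimate tools load it
# (tasklist.exe does in this very report), so it is deliberately left out.
# Single words such as MICROSOFT or VIRTUAL are left out for the same reason.


def _compile(words):
    """One case-insensitive pattern per word, in ASCII and in UTF-16LE form."""
    return [(w, re.compile(re.escape(w.encode()), re.IGNORECASE),
             re.compile(re.escape(w.encode("utf-16-le")), re.IGNORECASE))
            for w in words]


_VM = _compile(VM_STRINGS)
_DLL = _compile(SANDBOX_DLLS)


def find_indicators(buf):
    """Return (vm_hits, dll_hits): sorted distinct indicators present in buf."""
    vm = sorted(w for w, narrow, wide in _VM if narrow.search(buf) or wide.search(buf))
    dll = sorted(w for w, narrow, wide in _DLL if narrow.search(buf) or wide.search(buf))
    return vm, dll


def classify(buf, min_vm=4, min_dll=3):
    """Flag a buffer only when both families cluster; that is what separates a
    VM-evasion string table from a driver that happens to mention one vendor."""
    vm, dll = find_indicators(buf)
    verdict = "anti-vm-cluster" if len(vm) >= min_vm and len(dll) >= min_dll else "no-cluster"
    return {"verdict": verdict, "vm": vm, "dll": dll}


# Constructed buffers: a fake string table with its terminators kept (the
# report strips them) plus one wide string, beside a benign vendor string.
SAMPLE = (b"MZ\x90\x00" + b"\x00" * 16
          + b"\x00VBOX\x00VMWARE\x00QEMU HARDDISK\x00PARALLELS\x00"
          + "Hyper-V".encode("utf-16-le") + b"\x00\x00"
          + b"sbiedll.dll\x00snxhk.dll\x00vboxservice.dll\x00")
BENIGN = b"MZ\x90\x00" + b"Microsoft Corporation Virtual Printer Driver\x00"

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    print(classify(data))
```

Run it with a file path to triage a real binary; without arguments it classifies the constructed SAMPLE buffer. The UTF-16LE patterns matter in practice because Windows binaries often keep such tables as wide strings, which a plain ASCII grep misses.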
              Source: C:\Windows\System32\wbem\WMIC.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Model, Size FROM Win32_DiskDrive
              Source: C:\Windows\System32\conhost.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Model, Size FROM Win32_DiskDrive
              Source: C:\Windows\System32\conhost.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Model, Size FROM Win32_DiskDrive
              Source: C:\Windows\System32\getmac.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter
              Source: C:\Windows\System32\getmac.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
              Source: C:\Windows\System32\getmac.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : ASSOCIATORS OF {Win32_NetworkAdapter.DeviceID="1"} WHERE ResultClass=Win32_NetworkAdapterConfiguration
              Source: C:\Windows\System32\getmac.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_NetworkAdapterSetting where Element="Win32_NetworkAdapter.DeviceID=\"1\""
              Source: C:\Windows\System32\systeminfo.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter
              Source: C:\Windows\System32\conhost.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter
              Source: C:\Windows\System32\conhost.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
              Source: C:\Windows\System32\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : ASSOCIATORS OF {Win32_NetworkAdapter.DeviceID="1"} WHERE ResultClass=Win32_NetworkAdapterConfiguration
              Source: C:\Windows\System32\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_NetworkAdapterSetting where Element="Win32_NetworkAdapter.DeviceID=\"1\""
              Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter
              Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter
              Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
              Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : ASSOCIATORS OF {Win32_NetworkAdapter.DeviceID="1"} WHERE ResultClass=Win32_NetworkAdapterConfiguration
              Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_NetworkAdapterSetting where Element="Win32_NetworkAdapter.DeviceID=\"1\""
              Source: data.exe, 00000000.00000002.2485496817.000001DFC201B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: - PETOOLS.EXEID.EXE
              Source: tasklist.exe, 0000003C.00000003.1791179787.000002215F7F6000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 0000003C.00000003.1791092346.000002215F7E5000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 0000003C.00000002.1791633342.000002215F7F8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: , THREADCOUNT, WORKINGSETSIZE, KERNELMODETIME, USERMODETIME FROM WIN32_PROCESS WHERE CAPTION = 'FIDDLER.EXE'0
              Source: data.exe, 00000000.00000002.2485496817.000001DFC201B000.00000004.00000020.00020000.00000000.sdmp, system_info.txt.0.drBinary or memory string: - X64DBG.EXE
              Source: data.exeBinary or memory string: SF2.DLLSNXHK.DLLCMDVRT32.DLLCMDVRT64.DLLCYBERGHOSTVPN.DLLVBOXMRXNP.DLLVMSRVC.DLLVMHGFS.DLLVM3DGL.DLLVMRIG.DLLVMUSB.DLLVBOXHOOK.DLLVBOXDISP.DLLVBOXSERVICE.DLLDBGHELP.DLLAPI_LOG.DLLDIR_WATCH.DLLWPESPY.DLLCIGDLL.DLLPSTOREC.DLLVMCHECK.DLLALLERROR.DLLSAMPLE.DLLSAND
              Source: tasklist.exe, 0000003E.00000003.1793216492.0000020DC31FB000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 0000003E.00000003.1793093614.0000020DC31E8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: WMI.EXECQUERY(SELECT __PATH, PROCESSID, CSNAME, CAPTION, SESSIONID, THREADCOUNT, WORKINGSETSIZE, KERNELMODETIME, USERMODETIME FROM WIN32_PROCESS WHERE CAPTION = 'PROCESSHACKER.EXE');
              Source: data.exe, 00000000.00000002.2485496817.000001DFC201B000.00000004.00000020.00020000.00000000.sdmp, system_info.txt.0.drBinary or memory string: - WIRESHARK.EXE
              Source: data.exeBinary or memory string: AUTORUNS.EXEAUTORUNSC.EXEFILESCAN.EXETCPVIEW.EXEPESTUDIO.EXEREGSHOT.EXEPROCESS MONITOR.EXESYSTEM EXPLORER.EXESYSTEMEXPLORER.EXESYSTEMEXPLORERSERVICE.EXENETWORKMINER.EXETCPDUMP.EXENETWORKTRAFFICVIEW.EXEETTERCAP.EXEFIRESHARK.EXEIMAGENAME EQ
              Source: data.exeBinary or memory string: AVGHOOK.DLLAVGHOOKA.DLLLOG_API.DLLAPI_HOOK.DLLAPIMON.DLLAPISPY.DLLREGMON.DLLFILEMON.DLLPROCMON.DLLSYSMON.DLLSYSCALL.DLLHOOKS.DLLMONITOR.DLLDEFENSE.DLLPROTECT.DLLANALYZER.DLLTRACE.DLLQEMU-GA.DLLPARALLELS.DLLPRL_TOOLS.DLLVPCMAP.DLLVMUSBMOUSE.DLLVMTRAY.DLLWIRESHA
              Source: data.exe, 00000000.00000002.2485496817.000001DFC201B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: REGSHOT.EXESYSTEM32OC
              Source: tasklist.exe, 0000004A.00000002.1814055515.0000016ABAFC5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT __PATH, PROCESSID, CSNAME, CAPTION, SESSIONID, THREADCOUNT, WORKINGSETSIZE, KERNELMODETIME, USERMODETIME FROM WIN32_PROCESS WHERE CAPTION = 'X64DBG.EXE'4PRO
              Source: data.exeBinary or memory string: XENSERVICE.EXEDEPENDS.EXEAUTORUNS.EXEAUTORUNSC.EXEFILESCAN.EXETCPVIEW.EXEPESTUDIO.EXEREGSHOT.EXEPROCESS MONITOR.EXESYSTEM EXPLORER.EXESYSTEMEXPLORER.EXESYSTEMEXPLORERSERVICE.EXENETWORKMINER.EXETCPDUMP.EXENETWORKTRAFFICVIEW.EXEETTERCAP.EXEFIRESHARK.EXEIMAGENAME
              Source: data.exeBinary or memory string: IMPORTREC.EXEPETOOLS.EXELORDPE.EXEPRL_TOOLS.EXEPRL_CC.EXEXENCLIENT.EXEXENSERVICE.EXEDEPENDS.EXEAUTORUNS.EXEAUTORUNSC.EXEFILESCAN.EXETCPVIEW.EXEPESTUDIO.EXEREGSHOT.EXEPROCESS MONITOR.EXESYSTEM EXPLORER.EXESYSTEMEXPLORER.EXESYSTEMEXPLORERSERVICE.EXENETWORKMINER.
              Source: data.exe, 00000000.00000002.2485496817.000001DFC201B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: AUTORUNSC.EXEOOLS.EXE
              Source: tasklist.exe, 00000046.00000003.1803133186.000002A34BD0D000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000046.00000002.1803740966.000002A34BD09000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: IMAGENAME EQ OLLYDBG.EXE
              Source: tasklist.exe, 0000003A.00000002.1789364129.0000018BD93E0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: "TASKLIST" /FI "IMAGENAME EQ WIRESHARK.EXE"
              Source: tasklist.exe, 0000004C.00000002.1816002182.000002137307B000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 0000004C.00000003.1815560430.000002137307B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: IMAGENAME EQ WINDBG.EXE
              Source: data.exe, 00000000.00000002.2485496817.000001DFC201B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: AUTORUNS.EXELSTRI
              Source: data.exeBinary or memory string: CIGDLL.DLLPSTOREC.DLLVMCHECK.DLLALLERROR.DLLSAMPLE.DLLSANDBOX.DLLAGENT.DLLDBGCORE.DLLAVGHOOK.DLLAVGHOOKA.DLLLOG_API.DLLAPI_HOOK.DLLAPIMON.DLLAPISPY.DLLREGMON.DLLFILEMON.DLLPROCMON.DLLSYSMON.DLLSYSCALL.DLLHOOKS.DLLMONITOR.DLLDEFENSE.DLLPROTECT.DLLANALYZER.DLLTR
              Source: tasklist.exe, 0000003A.00000003.1788739414.0000018BD941B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT __PATH, PROCESSID, CSNAME, CAPTION, SESSIONID, THREADCOUNT, WORKINGSETSIZE, KERNELMODETIME, USERMODETIME FROM WIN32_PROCESS WHERE CAPTION = 'WIRESHARK.EXE'2
              Source: tasklist.exe, 0000003A.00000002.1789683616.0000018BD9705000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT __PATH, PROCESSID, CSNAME, CAPTION, SESSIONID, THREADCOUNT, WORKINGSETSIZE, KERNELMODETIME, USERMODETIME FROM WIN32_PROCESS WHERE CAPTION = 'WIRESHARK.EXE'RO}
              Source: tasklist.exe, 0000003A.00000003.1788739414.0000018BD941B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT __PATH, PROCESSID, CSNAME, CAPTION, SESSIONID, THREADCOUNT, WORKINGSETSIZE, KERNELMODETIME, USERMODETIME FROM WIN32_PROCESS WHERE CAPTION = 'WIRESHARK.EXE'1
              Source: data.exeBinary or memory string: SYSTEMEXPLORERSERVICE.EXENETWORKMINER.EXETCPDUMP.EXENETWORKTRAFFICVIEW.EXEETTERCAP.EXEFIRESHARK.EXEIMAGENAME EQ
              Source: tasklist.exe, 0000004C.00000002.1815952530.000002137306B000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 0000004C.00000003.1815456892.0000021373065000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: , THREADCOUNT, WORKINGSETSIZE, KERNELMODETIME, USERMODETIME FROM WIN32_PROCESS WHERE CAPTION = 'WINDBG.EXE'0SCHANNEL
              Source: tasklist.exe, 00000040.00000002.1796094473.000001BDEC6C0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\USERS\user\DESKTOP\C:\WINDOWS\SYSTEM32\TASKLIST.EXE"TASKLIST" /FI "IMAGENAME EQ PROCMON.EXE"C:\WINDOWS\SYSTEM32\TASKLIST.EXEWINSTA0\DEFAULT
              Source: data.exe, 00000000.00000002.2485496817.000001DFC201B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: - PETOOLS.EXEID.EXE:\
              Source: tasklist.exe, 0000004C.00000002.1816002182.000002137307B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CQUERY(SELECT __PATH, PROCESSID, CSNAME, CAPTION, SESSIONID, THREADCOUNT, WORKINGSETSIZE, KERNELMODETIME, USERMODETIME FROM WIN32_PROCESS WHERE CAPTION = 'WINDBG.EXE');
              Source: tasklist.exe, 00000028.00000002.1763830079.0000025BE524C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CT __PATH, PROCESSID, CSNAME, CAPTION, SESSIONID, THREADCOUNT, WORKINGSETSIZE, KERNELMODETIME, USERMODETIME FROM WIN32_PROCESS WHERE CAPTION = 'QEMU-GA.EXE'[
              Source: data.exeBinary or memory string: FILESCAN.EXETCPVIEW.EXEPESTUDIO.EXEREGSHOT.EXEPROCESS MONITOR.EXESYSTEM EXPLORER.EXESYSTEMEXPLORER.EXESYSTEMEXPLORERSERVICE.EXENETWORKMINER.EXETCPDUMP.EXENETWORKTRAFFICVIEW.EXEETTERCAP.EXEFIRESHARK.EXEIMAGENAME EQ
              Source: data.exe, 00000000.00000002.2485496817.000001DFC201B000.00000004.00000020.00020000.00000000.sdmp, system_info.txt.0.drBinary or memory string: - HOOKEXPLORER.EXE
              Source: tasklist.exe, 00000046.00000002.1803570268.000002A34BCB5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT __PATH, PROCESSID, CSNAME, CAPTION, SESSIONID, THREADCOUNT, WORKINGSETSIZE, KERNELMODETIME, USERMODETIME FROM WIN32_PROCESS WHERE CAPTION = 'OLLYDBG.EXE'PROI
              Source: tasklist.exe, 00000040.00000002.1796094473.000001BDEC6C0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: "TASKLIST" /FI "IMAGENAME EQ PROCMON.EXE"
              Source: data.exeBinary or memory string: PRL_TOOLS.EXEPRL_CC.EXEXENCLIENT.EXEXENSERVICE.EXEDEPENDS.EXEAUTORUNS.EXEAUTORUNSC.EXEFILESCAN.EXETCPVIEW.EXEPESTUDIO.EXEREGSHOT.EXEPROCESS MONITOR.EXESYSTEM EXPLORER.EXESYSTEMEXPLORER.EXESYSTEMEXPLORERSERVICE.EXENETWORKMINER.EXETCPDUMP.EXENETWORKTRAFFICVIEW.E
              Source: tasklist.exe, 00000030.00000002.1775554271.0000029DB3E28000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT __PATH, PROCESSID, CSNAME, CAPTION, SESSIONID, THREADCOUNT, WORKINGSETSIZE, KERNELMODETIME, USERMODETIME FROM WIN32_PROCESS WHERE CAPTION = 'SBIESVC.EXE'B
              Source: tasklist.exe, 00000032.00000003.1777860795.0000026CE8237000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000032.00000003.1778039592.0000026CE8246000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT __PATH, PROCESSID, CSNAME, CAPTION, SESSIONID, THREADCOUNT, WORKINGSETSIZE, KERNELMODETIME, USERMODETIME FROM WIN32_PROCESS WHERE CAPTION = 'SBIECTRL.EXE'
              Source: tasklist.exe, 0000003E.00000002.1794204833.0000020DC33C0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: TASKLIST/FIIMAGENAME EQ PROCESSHACKER.EXE3U
              Source: data.exeBinary or memory string: PROTECTION_ID.EXEDUMPCAP.EXEHOOKEXPLORER.EXEIMPORTREC.EXEPETOOLS.EXELORDPE.EXEPRL_TOOLS.EXEPRL_CC.EXEXENCLIENT.EXEXENSERVICE.EXEDEPENDS.EXEAUTORUNS.EXEAUTORUNSC.EXEFILESCAN.EXETCPVIEW.EXEPESTUDIO.EXEREGSHOT.EXEPROCESS MONITOR.EXESYSTEM EXPLORER.EXESYSTEMEXPLOR
              Source: data.exe, 00000000.00000002.2485496817.000001DFC201B000.00000004.00000020.00020000.00000000.sdmp, system_info.txt.0.drBinary or memory string: - FIDDLER.EXE
              Source: tasklist.exe, 0000004C.00000002.1816074687.0000021373280000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: TASKLIST/FIIMAGENAME EQ WINDBG.EXEPDATA\LOCAL\TEZB
              Source: tasklist.exe, 0000003A.00000002.1789364129.0000018BD93E0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: "TASKLIST" /FI "IMAGENAME EQ WIRESHARK.EXE"V
              Source: tasklist.exe, 00000030.00000002.1775554271.0000029DB3E20000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: "TASKLIST" /FI "IMAGENAME EQ SBIESVC.EXE"
              Source: data.exeBinary or memory string: WMICC:\WINDOWS\SYSNATIVE\DRIVERS\VMMOUSE.SYSC:\WINDOWS\SYSNATIVE\DRIVERS\VMHGFS.SYSC:\WINDOWS\SYSNATIVE\DRIVERS\VMUSBMOUSE.SYSC:\WINDOWS\SYSNATIVE\DRIVERS\VMRAWDSK.SYSC:\WINDOWS\SYSNATIVE\DRIVERS\VMMEMCTL.SYSC:\WINDOWS\SYSNATIVE\DRIVERS\VMX86.SYSC:\WINDOWS\SYSNATIVE\DRIVERS\VMNET.SYSC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\C:\WINDOWS\SYSNATIVE\DRIVERS\VBOXMOUSE.SYSC:\WINDOWS\SYSNATIVE\DRIVERS\VBOXGUEST.SYSC:\WINDOWS\SYSNATIVE\DRIVERS\VBOXSF.SYSC:\WINDOWS\SYSNATIVE\DRIVERS\VBOXVIDEO.SYSC:\WINDOWS\SYSNATIVE\VBOXDISP.DLLC:\WINDOWS\SYSNATIVE\VBOXHOOK.DLLC:\WINDOWS\SYSNATIVE\VBOXMRXNP.DLLC:\PROGRAM FILES\ORACLE\VIRTUALBOX GUEST ADDITIONS\C:\WINDOWS\SYSNATIVE\DRIVERS\QEMU-GA.SYSC:\WINDOWS\SYSNATIVE\DRIVERS\QEMUFWCFG.SYSC:\WINDOWS\SYSNATIVE\DRIVERS\QEMUPCISERIAL.SYSC:\SANDCASTLE\C:\SANDBOX\C:\TOOLS\SANDBOX\C:\PROGRAM FILES\SANDBOXIE\C:\PROGRAM FILES\CUCKOO\C:\PROGRAM FILES\JOE SANDBOX\C:\PROGRAM FILES\WIRESHARK\C:\PROGRAM FILES\FIDDLER\C:\PROGRAM FILES\PROCESS HACKER\C:\PROGRAM FILES\PROCESS MONITOR\C:\PROGRAM FILES\PROCESS EXPLORER\C:\PROGRAM FILES\IDA PRO\C:\PROGRAM FILES\X64DBG\C:\PROGRAM FILES\OLLYDBG\C:\ANALYSIS\C:\ANALYSER\C:\SANDBOX\C:\MALWARE\C:\RESEARCH\C:\TEST\C:\WINDOWS\SYSNATIVE\DRIVERS\PRLETH.SYSC:\WINDOWS\SYSNATIVE\DRIVERS\PRLFS.SYSC:\WINDOWS\SYSNATIVE\DRIVERS\PRLMOUSE.SYSC:\WINDOWS\SYSNATIVE\DRIVERS\PRLVIDEO.SYSC:\WINDOWS\SYSNATIVE\DRIVERS\XENNET.SYSC:\WINDOWS\SYSNATIVE\DRIVERS\XENSVC.SYSC:\WINDOWS\SYSNATIVE\DRIVERS\XENVBD.SYSVMTOOLSD.EXEVMWARETRAY.EXEVMWAREUSER.EXEVMACTHLP.EXEVMWARE-VMX.EXEVMWARE-AUTHD.EXEVBOXSERVICE.EXEVBOXTRAY.EXEVBOXCONTROL.EXEVBOXHEADLESS.EXEQEMU-GA.EXEQEMU-SYSTEM-X86.EXEQEMU-SYSTEM-X86_64.EXESANDBOXIE.EXESBIESVC.EXESBIECTRL.EXESANDMAN.EXECOCKOO.EXEANALYSER.EXEWIRESHARK.EXEFIDDLER.EXEPROCESSHACKER.EXEPROCMON.EXEPROCEXP.EXEIDA64.EXEOLLYDBG.EXEX32DBG.EXEX64DBG.EXEWINDBG.EXEPROCMON64.EXEFILEMON.EXEREGMON.EXEIDAG.EXEIDAW.EXEIDAQ.EXEIDAQ64.EXEIDAU64.EXESCYLLA.EXEPROTECTION_ID.EXEDUMPCAP.EXEHOOKEXPLORER.EXEIMPORTREC.EXEPETOOLS.EXELORDPE.EXEPRL_TOOLS.EXEPRL_CC.EXEXENCLIENT.EXEXENSERVICE.EXEDEPENDS.EXEAUTORUNS.EXEAUTORUNSC.EXEFILESCAN.EXETCPVIEW.EXEPESTUDIO.EXEREGSHOT.EXEPROCESS MONITOR.EXESYSTEM EXPLORER.EXESYSTEMEXPLORER.EXESYSTEMEXPLORERSERVICE.EXENETWORKMINER.EXETCPDUMP.EXENETWORKTRAFFICVIEW.EXEETTERCAP.EXEFIRESHARK.EXEIMAGENAME EQ
              Source: tasklist.exe, 0000004A.00000002.1814055515.0000016ABAFC0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: TASKLIST/FIIMAGENAME EQ X64DBG.EXEPDATA\LOCAL\TE
              Source: data.exeBinary or memory string: VMACTHLP.EXEVMWARE-VMX.EXEVMWARE-AUTHD.EXEVBOXSERVICE.EXEVBOXTRAY.EXEVBOXCONTROL.EXEVBOXHEADLESS.EXEQEMU-GA.EXEQEMU-SYSTEM-X86.EXEQEMU-SYSTEM-X86_64.EXESANDBOXIE.EXESBIESVC.EXESBIECTRL.EXESANDMAN.EXECOCKOO.EXEANALYSER.EXEWIRESHARK.EXEFIDDLER.EXEPROCESSHACKER.E
              Source: tasklist.exe, 0000003A.00000002.1789683616.0000018BD9700000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: TASKLIST/FIIMAGENAME EQ WIRESHARK.EXELOCAL\TEY
              Source: tasklist.exe, 00000030.00000002.1775554271.0000029DB3E28000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXECQUERYSELECT __PATH, PROCESSID, CSNAME, CAPTION, SESSIONID, THREADCOUNT, WORKINGSETSIZE, KERNELMODETIME, USERMODETIME FROM WIN32_PROCESS WHERE CAPTION = 'SBIESVC.EXE'X
              Source: data.exeBinary or memory string: VMSRVC.DLLVMHGFS.DLLVM3DGL.DLLVMRIG.DLLVMUSB.DLLVBOXHOOK.DLLVBOXDISP.DLLVBOXSERVICE.DLLDBGHELP.DLLAPI_LOG.DLLDIR_WATCH.DLLWPESPY.DLLCIGDLL.DLLPSTOREC.DLLVMCHECK.DLLALLERROR.DLLSAMPLE.DLLSANDBOX.DLLAGENT.DLLDBGCORE.DLLAVGHOOK.DLLAVGHOOKA.DLLLOG_API.DLLAPI_HOOK.
              Source: data.exeBinary or memory string: SBIESVC.EXESBIECTRL.EXESANDMAN.EXECOCKOO.EXEANALYSER.EXEWIRESHARK.EXEFIDDLER.EXEPROCESSHACKER.EXEPROCMON.EXEPROCEXP.EXEIDA64.EXEOLLYDBG.EXEX32DBG.EXEX64DBG.EXEWINDBG.EXEPROCMON64.EXEFILEMON.EXEREGMON.EXEIDAG.EXEIDAW.EXEIDAQ.EXEIDAQ64.EXEIDAU64.EXESCYLLA.EXEPRO
              Source: tasklist.exe, 0000004C.00000002.1816074687.0000021373285000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT __PATH, PROCESSID, CSNAME, CAPTION, SESSIONID, THREADCOUNT, WORKINGSETSIZE, KERNELMODETIME, USERMODETIME FROM WIN32_PROCESS WHERE CAPTION = 'WINDBG.EXE'4PRO^B
              Source: tasklist.exe, 00000028.00000002.1763830079.0000025BE524C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CT __PATH, PROCESSID, CSNAME, CAPTION, SESSIONID, THREADCOUNT, WORKINGSETSIZE, KERNELMODETIME, USERMODETIME FROM WIN32_PROCESS WHERE CAPTION = 'QEMU-GA.EXE'
              Source: tasklist.exe, 00000032.00000002.1778919878.0000026CE8248000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000032.00000003.1777860795.0000026CE8237000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000032.00000003.1778039592.0000026CE8246000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: TASKLIST/FIIMAGENAME EQ SBIECTRL.EXEP
              Source: data.exeBinary or memory string: DBGCORE.DLLAVGHOOK.DLLAVGHOOKA.DLLLOG_API.DLLAPI_HOOK.DLLAPIMON.DLLAPISPY.DLLREGMON.DLLFILEMON.DLLPROCMON.DLLSYSMON.DLLSYSCALL.DLLHOOKS.DLLMONITOR.DLLDEFENSE.DLLPROTECT.DLLANALYZER.DLLTRACE.DLLQEMU-GA.DLLPARALLELS.DLLPRL_TOOLS.DLLVPCMAP.DLLVMUSBMOUSE.DLLVMTRAY
              Source: data.exe, 00000000.00000002.2485496817.000001DFC201B000.00000004.00000020.00020000.00000000.sdmp, system_info.txt.0.drBinary or memory string: - REGMON.EXE
              Source: data.exe, 00000000.00000002.2485496817.000001DFC201B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: - AUTORUNS.EXE.EXE2T.EXE
              Source: data.exeBinary or memory string: VBOXHEADLESS.EXEQEMU-GA.EXEQEMU-SYSTEM-X86.EXEQEMU-SYSTEM-X86_64.EXESANDBOXIE.EXESBIESVC.EXESBIECTRL.EXESANDMAN.EXECOCKOO.EXEANALYSER.EXEWIRESHARK.EXEFIDDLER.EXEPROCESSHACKER.EXEPROCMON.EXEPROCEXP.EXEIDA64.EXEOLLYDBG.EXEX32DBG.EXEX64DBG.EXEWINDBG.EXEPROCMON64.
              Source: tasklist.exe, 00000040.00000003.1795510815.000001BDEC6E6000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000040.00000003.1795609354.000001BDEC6F6000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000040.00000002.1796168046.000001BDEC6F8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT __PATH, PROCESSID, CSNAME, CAPTION, SESSIONID, THREADCOUNT, WORKINGSETSIZE, KERNELMODETIME, USERMODETIME FROM WIN32_PROCESS WHERE CAPTION = 'PROCMON.EXE'
              Source: data.exeBinary or memory string: PRL_CC.EXEXENCLIENT.EXEXENSERVICE.EXEDEPENDS.EXEAUTORUNS.EXEAUTORUNSC.EXEFILESCAN.EXETCPVIEW.EXEPESTUDIO.EXEREGSHOT.EXEPROCESS MONITOR.EXESYSTEM EXPLORER.EXESYSTEMEXPLORER.EXESYSTEMEXPLORERSERVICE.EXENETWORKMINER.EXETCPDUMP.EXENETWORKTRAFFICVIEW.EXEETTERCAP.EX
              Source: tasklist.exe, 0000003E.00000003.1793394447.0000020DC320A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CQUERY(SELECT __PATH, PROCESSID, CSNAME, CAPTION, SESSIONID, THREADCOUNT, WORKINGSETSIZE, KERNELMODETIME, USERMODETIME FROM WIN32_PROCESS WHERE CAPTION = 'PROCESSHACKER.EXE');
              Source: tasklist.exe, 00000040.00000003.1795510815.000001BDEC703000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000040.00000002.1796168046.000001BDEC703000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: TASKLIST/FIIMAGENAME EQ PROCMON.EXE
              Source: data.exe, 00000000.00000002.2485496817.000001DFC201B000.00000004.00000020.00020000.00000000.sdmp, system_info.txt.0.drBinary or memory string: - REGSHOT.EXE
              Source: data.exeBinary or memory string: IDAQ.EXEIDAQ64.EXEIDAU64.EXESCYLLA.EXEPROTECTION_ID.EXEDUMPCAP.EXEHOOKEXPLORER.EXEIMPORTREC.EXEPETOOLS.EXELORDPE.EXEPRL_TOOLS.EXEPRL_CC.EXEXENCLIENT.EXEXENSERVICE.EXEDEPENDS.EXEAUTORUNS.EXEAUTORUNSC.EXEFILESCAN.EXETCPVIEW.EXEPESTUDIO.EXEREGSHOT.EXEPROCESS MONI
              Source: tasklist.exe, 00000030.00000002.1775554271.0000029DB3E28000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT __PATH, PROCESSID, CSNAME, CAPTION, SESSIONID, THREADCOUNT, WORKINGSETSIZE, KERNELMODETIME, USERMODETIME FROM WIN32_PROCESS WHERE CAPTION = 'SBIESVC.EXE'
              Source: data.exe, 00000000.00000002.2485496817.000001DFC201B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: IDAG.EXEF
              Source: data.exe, 00000000.00000002.2485496817.000001DFC201B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: - REGSHOT.EXESTEM32
              Source: tasklist.exe, 0000004A.00000002.1813975970.0000016ABADCB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CT __PATH, PROCESSID, CSNAME, CAPTION, SESSIONID, THREADCOUNT, WORKINGSETSIZE, KERNELMODETIME, USERMODETIME FROM WIN32_PROCESS WHERE CAPTION = 'X64DBG.EXE'J!
              Source: data.exe, 00000000.00000002.2485496817.000001DFC201B000.00000004.00000020.00020000.00000000.sdmp, system_info.txt.0.drBinary or memory string: - AUTORUNSC.EXE
              Source: tasklist.exe, 0000003A.00000002.1789472804.0000018BD941B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: , THREADCOUNT, WORKINGSETSIZE, KERNELMODETIME, USERMODETIME FROM WIN32_PROCESS WHERE CAPTION = 'WIRESHARK.EXE'0`
              Source: tasklist.exe, 0000003C.00000003.1791179787.000002215F7F6000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 0000003C.00000003.1791092346.000002215F7E5000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 0000003C.00000002.1791633342.000002215F7F8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: IMAGENAME EQ FIDDLER.EXE
              Source: data.exe, 00000000.00000002.2485496817.000001DFC201B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: AUTORUNSC.EXE
              Source: tasklist.exe, 00000032.00000003.1777860795.0000026CE8237000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000032.00000003.1778039592.0000026CE8246000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT __PATH, PROCESSID, CSNAME, CAPTION, SESSIONID, THREADCOUNT, WORKINGSETSIZE, KERNELMODETIME, USERMODETIME FROM WIN32_PROCESS WHERE CAPTION = 'SBIECTRL.EXE'`
              Source: data.exeBinary or memory string: VMTOOLSD.EXEVMWARETRAY.EXEVMWAREUSER.EXEVMACTHLP.EXEVMWARE-VMX.EXEVMWARE-AUTHD.EXEVBOXSERVICE.EXEVBOXTRAY.EXEVBOXCONTROL.EXEVBOXHEADLESS.EXEQEMU-GA.EXEQEMU-SYSTEM-X86.EXEQEMU-SYSTEM-X86_64.EXESANDBOXIE.EXESBIESVC.EXESBIECTRL.EXESANDMAN.EXECOCKOO.EXEANALYSER.EX
              Source: tasklist.exe, 0000003A.00000002.1789364129.0000018BD93E0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\USERS\user\DESKTOP\C:\WINDOWS\SYSTEM32\TASKLIST.EXE"TASKLIST" /FI "IMAGENAME EQ WIRESHARK.EXE"C:\WINDOWS\SYSTEM32\TASKLIST.EXEWINSTA0\DEFAULT2
              Source: tasklist.exe, 0000003A.00000002.1789472804.0000018BD941B000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 0000003A.00000003.1788739414.0000018BD941B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: IMAGENAME EQ WIRESHARK.EXE
              Source: tasklist.exe, 0000004C.00000003.1815560430.000002137307B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: WMI.EXECQUERY(SELECT __PATH, PROCESSID, CSNAME, CAPTION, SESSIONID, THREADCOUNT, WORKINGSETSIZE, KERNELMODETIME, USERMODETIME FROM WIN32_PROCESS WHERE CAPTION = 'WINDBG.EXE');
              Source: data.exeBinary or memory string: REGMON.EXEIDAG.EXEIDAW.EXEIDAQ.EXEIDAQ64.EXEIDAU64.EXESCYLLA.EXEPROTECTION_ID.EXEDUMPCAP.EXEHOOKEXPLORER.EXEIMPORTREC.EXEPETOOLS.EXELORDPE.EXEPRL_TOOLS.EXEPRL_CC.EXEXENCLIENT.EXEXENSERVICE.EXEDEPENDS.EXEAUTORUNS.EXEAUTORUNSC.EXEFILESCAN.EXETCPVIEW.EXEPESTUDIO.
              Source: data.exeBinary or memory string: VBOXTRAY.EXEVBOXCONTROL.EXEVBOXHEADLESS.EXEQEMU-GA.EXEQEMU-SYSTEM-X86.EXEQEMU-SYSTEM-X86_64.EXESANDBOXIE.EXESBIESVC.EXESBIECTRL.EXESANDMAN.EXECOCKOO.EXEANALYSER.EXEWIRESHARK.EXEFIDDLER.EXEPROCESSHACKER.EXEPROCMON.EXEPROCEXP.EXEIDA64.EXEOLLYDBG.EXEX32DBG.EXEX64
              Source: data.exeBinary or memory string: VBOXMRXNP.DLLVMSRVC.DLLVMHGFS.DLLVM3DGL.DLLVMRIG.DLLVMUSB.DLLVBOXHOOK.DLLVBOXDISP.DLLVBOXSERVICE.DLLDBGHELP.DLLAPI_LOG.DLLDIR_WATCH.DLLWPESPY.DLLCIGDLL.DLLPSTOREC.DLLVMCHECK.DLLALLERROR.DLLSAMPLE.DLLSANDBOX.DLLAGENT.DLLDBGCORE.DLLAVGHOOK.DLLAVGHOOKA.DLLLOG_API
              Source: tasklist.exe, 00000040.00000003.1795510815.000001BDEC703000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000040.00000002.1796168046.000001BDEC703000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: IMAGENAME EQ PROCMON.EXE
              Source: data.exe, 00000000.00000002.2485496817.000001DFC201B000.00000004.00000020.00020000.00000000.sdmp, system_info.txt.0.drBinary or memory string: - QEMU-GA.EXE
              Source: data.exeBinary or memory string: CMDVRT64.DLLCYBERGHOSTVPN.DLLVBOXMRXNP.DLLVMSRVC.DLLVMHGFS.DLLVM3DGL.DLLVMRIG.DLLVMUSB.DLLVBOXHOOK.DLLVBOXDISP.DLLVBOXSERVICE.DLLDBGHELP.DLLAPI_LOG.DLLDIR_WATCH.DLLWPESPY.DLLCIGDLL.DLLPSTOREC.DLLVMCHECK.DLLALLERROR.DLLSAMPLE.DLLSANDBOX.DLLAGENT.DLLDBGCORE.DLLA
              Source: tasklist.exe, 0000004A.00000002.1813975970.0000016ABADCB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CT __PATH, PROCESSID, CSNAME, CAPTION, SESSIONID, THREADCOUNT, WORKINGSETSIZE, KERNELMODETIME, USERMODETIME FROM WIN32_PROCESS WHERE CAPTION = 'X64DBG.EXE'
              Source: tasklist.exe, 0000004C.00000002.1815903544.0000021373040000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: "TASKLIST" /FI "IMAGENAME EQ WINDBG.EXE"
              Source: tasklist.exe, 0000003A.00000003.1788739414.0000018BD941B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: , THREADCOUNT, WORKINGSETSIZE, KERNELMODETIME, USERMODETIME FROM WIN32_PROCESS WHERE CAPTION = 'WIRESHARK.EXE'0
              Source: tasklist.exe, 0000004A.00000002.1813951593.0000016ABADBB000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 0000004A.00000003.1813501660.0000016ABADB5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: , THREADCOUNT, WORKINGSETSIZE, KERNELMODETIME, USERMODETIME FROM WIN32_PROCESS WHERE CAPTION = 'X64DBG.EXE'0SCHANNEL
              Source: data.exeBinary or memory string: VM3DGL.DLLVMRIG.DLLVMUSB.DLLVBOXHOOK.DLLVBOXDISP.DLLVBOXSERVICE.DLLDBGHELP.DLLAPI_LOG.DLLDIR_WATCH.DLLWPESPY.DLLCIGDLL.DLLPSTOREC.DLLVMCHECK.DLLALLERROR.DLLSAMPLE.DLLSANDBOX.DLLAGENT.DLLDBGCORE.DLLAVGHOOK.DLLAVGHOOKA.DLLLOG_API.DLLAPI_HOOK.DLLAPIMON.DLLAPISPY.
              Source: tasklist.exe, 0000003E.00000002.1794084423.0000020DC320F000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 0000003E.00000003.1793360911.0000020DC320D000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 0000003E.00000003.1793216492.0000020DC320C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT __PATH, PROCESSID, CSNAME, CAPTION, SESSIONID, THREADCOUNT, WORKINGSETSIZE, KERNELMODETIME, USERMODETIME FROM WIN32_PROCESS WHERE CAPTION = 'PROCESSHACKER.EXE'
              Source: tasklist.exe, 00000046.00000003.1803009654.000002A34BCF7000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000046.00000003.1803133186.000002A34BD07000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000046.00000002.1803740966.000002A34BD09000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: , THREADCOUNT, WORKINGSETSIZE, KERNELMODETIME, USERMODETIME FROM WIN32_PROCESS WHERE CAPTION = 'OLLYDBG.EXE'0
              Source: tasklist.exe, 0000004A.00000003.1813501660.0000016ABADCB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT __PATH, PROCESSID, CSNAME, CAPTION, SESSIONID, THREADCOUNT, WORKINGSETSIZE, KERNELMODETIME, USERMODETIME FROM WIN32_PROCESS WHERE CAPTION = 'X64DBG.EXE'J!
              Source: tasklist.exe, 00000028.00000003.1763350632.0000025BE525B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: PATH, PROCESSID, CSNAME, CAPTION, SESSIONID, THREADCOUNT, WORKINGSETSIZE, KERNELMODETIME, USERMODETIME FROM WIN32_PROCESS WHERE CAPTION = 'QEMU-GA.EXE');
              Source: data.exe, 00000000.00000002.2485496817.000001DFC201B000.00000004.00000020.00020000.00000000.sdmp, system_info.txt.0.drBinary or memory string: - FILEMON.EXE
              Source: data.exeBinary or memory string: DUMPCAP.EXEHOOKEXPLORER.EXEIMPORTREC.EXEPETOOLS.EXELORDPE.EXEPRL_TOOLS.EXEPRL_CC.EXEXENCLIENT.EXEXENSERVICE.EXEDEPENDS.EXEAUTORUNS.EXEAUTORUNSC.EXEFILESCAN.EXETCPVIEW.EXEPESTUDIO.EXEREGSHOT.EXEPROCESS MONITOR.EXESYSTEM EXPLORER.EXESYSTEMEXPLORER.EXESYSTEMEXPLO
              Source: tasklist.exe, 00000032.00000002.1778779364.0000026CE8210000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: "TASKLIST" /FI "IMAGENAME EQ SBIECTRL.EXE"$
              Source: data.exeBinary or memory string: NETWORKMINER.EXETCPDUMP.EXENETWORKTRAFFICVIEW.EXEETTERCAP.EXEFIRESHARK.EXEIMAGENAME EQ
              Source: tasklist.exe, 0000004C.00000002.1815903544.0000021373040000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\USERS\user\DESKTOP\C:\WINDOWS\SYSTEM32\TASKLIST.EXE"TASKLIST" /FI "IMAGENAME EQ WINDBG.EXE"C:\WINDOWS\SYSTEM32\TASKLIST.EXEWINSTA0\DEFAULT
              Source: tasklist.exe, 00000032.00000002.1778683853.0000026CE8205000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT __PATH, PROCESSID, CSNAME, CAPTION, SESSIONID, THREADCOUNT, WORKINGSETSIZE, KERNELMODETIME, USERMODETIME FROM WIN32_PROCESS WHERE CAPTION = 'SBIECTRL.EXE'PRO
              Source: tasklist.exe, 00000032.00000002.1778779364.0000026CE8210000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: "TASKLIST" /FI "IMAGENAME EQ SBIECTRL.EXE"
              Source: tasklist.exe, 0000004C.00000002.1816002182.000002137307B000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 0000004C.00000003.1815560430.000002137307B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT __PATH, PROCESSID, CSNAME, CAPTION, SESSIONID, THREADCOUNT, WORKINGSETSIZE, KERNELMODETIME, USERMODETIME FROM WIN32_PROCESS WHERE CAPTION = 'WINDBG.EXE'
              Source: data.exeBinary or memory string: XENCLIENT.EXEXENSERVICE.EXEDEPENDS.EXEAUTORUNS.EXEAUTORUNSC.EXEFILESCAN.EXETCPVIEW.EXEPESTUDIO.EXEREGSHOT.EXEPROCESS MONITOR.EXESYSTEM EXPLORER.EXESYSTEMEXPLORER.EXESYSTEMEXPLORERSERVICE.EXENETWORKMINER.EXETCPDUMP.EXENETWORKTRAFFICVIEW.EXEETTERCAP.EXEFIRESHARK
              Source: data.exeBinary or memory string: SYSTEM EXPLORER.EXESYSTEMEXPLORER.EXESYSTEMEXPLORERSERVICE.EXENETWORKMINER.EXETCPDUMP.EXENETWORKTRAFFICVIEW.EXEETTERCAP.EXEFIRESHARK.EXEIMAGENAME EQ
              Source: tasklist.exe, 00000030.00000002.1775623650.0000029DB3E4E000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000030.00000003.1774975895.0000029DB3E49000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000030.00000003.1775205001.0000029DB3E4E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: TASKLIST/FIIMAGENAME EQ SBIESVC.EXE
              Source: tasklist.exe, 0000004A.00000003.1813501660.0000016ABADCB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: WMI.EXECQUERY(SELECT __PATH, PROCESSID, CSNAME, CAPTION, SESSIONID, THREADCOUNT, WORKINGSETSIZE, KERNELMODETIME, USERMODETIME FROM WIN32_PROCESS WHERE CAPTION = 'X64DBG.EXE');
              Source: data.exeBinary or memory string: AUTORUNSC.EXEFILESCAN.EXETCPVIEW.EXEPESTUDIO.EXEREGSHOT.EXEPROCESS MONITOR.EXESYSTEM EXPLORER.EXESYSTEMEXPLORER.EXESYSTEMEXPLORERSERVICE.EXENETWORKMINER.EXETCPDUMP.EXENETWORKTRAFFICVIEW.EXEETTERCAP.EXEFIRESHARK.EXEIMAGENAME EQ
              Source: data.exeBinary or memory string: SANDBOXIE.EXESBIESVC.EXESBIECTRL.EXESANDMAN.EXECOCKOO.EXEANALYSER.EXEWIRESHARK.EXEFIDDLER.EXEPROCESSHACKER.EXEPROCMON.EXEPROCEXP.EXEIDA64.EXEOLLYDBG.EXEX32DBG.EXEX64DBG.EXEWINDBG.EXEPROCMON64.EXEFILEMON.EXEREGMON.EXEIDAG.EXEIDAW.EXEIDAQ.EXEIDAQ64.EXEIDAU64.EXE
              Source: data.exeBinary or memory string: DEPENDS.EXEAUTORUNS.EXEAUTORUNSC.EXEFILESCAN.EXETCPVIEW.EXEPESTUDIO.EXEREGSHOT.EXEPROCESS MONITOR.EXESYSTEM EXPLORER.EXESYSTEMEXPLORER.EXESYSTEMEXPLORERSERVICE.EXENETWORKMINER.EXETCPDUMP.EXENETWORKTRAFFICVIEW.EXEETTERCAP.EXEFIRESHARK.EXEIMAGENAME EQ
              Source: tasklist.exe, 0000004A.00000002.1813900025.0000016ABAD90000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: "TASKLIST" /FI "IMAGENAME EQ X64DBG.EXE"
              Source: data.exeBinary or memory string: OLLYDBG.EXEX32DBG.EXEX64DBG.EXEWINDBG.EXEPROCMON64.EXEFILEMON.EXEREGMON.EXEIDAG.EXEIDAW.EXEIDAQ.EXEIDAQ64.EXEIDAU64.EXESCYLLA.EXEPROTECTION_ID.EXEDUMPCAP.EXEHOOKEXPLORER.EXEIMPORTREC.EXEPETOOLS.EXELORDPE.EXEPRL_TOOLS.EXEPRL_CC.EXEXENCLIENT.EXEXENSERVICE.EXEDEP
              Source: data.exeBinary or memory string: VBOXSERVICE.EXEVBOXTRAY.EXEVBOXCONTROL.EXEVBOXHEADLESS.EXEQEMU-GA.EXEQEMU-SYSTEM-X86.EXEQEMU-SYSTEM-X86_64.EXESANDBOXIE.EXESBIESVC.EXESBIECTRL.EXESANDMAN.EXECOCKOO.EXEANALYSER.EXEWIRESHARK.EXEFIDDLER.EXEPROCESSHACKER.EXEPROCMON.EXEPROCEXP.EXEIDA64.EXEOLLYDBG.E
              Source: data.exeBinary or memory string: VMUSB.DLLVBOXHOOK.DLLVBOXDISP.DLLVBOXSERVICE.DLLDBGHELP.DLLAPI_LOG.DLLDIR_WATCH.DLLWPESPY.DLLCIGDLL.DLLPSTOREC.DLLVMCHECK.DLLALLERROR.DLLSAMPLE.DLLSANDBOX.DLLAGENT.DLLDBGCORE.DLLAVGHOOK.DLLAVGHOOKA.DLLLOG_API.DLLAPI_HOOK.DLLAPIMON.DLLAPISPY.DLLREGMON.DLLFILEMO
              Source: data.exeBinary or memory string: PESTUDIO.EXEREGSHOT.EXEPROCESS MONITOR.EXESYSTEM EXPLORER.EXESYSTEMEXPLORER.EXESYSTEMEXPLORERSERVICE.EXENETWORKMINER.EXETCPDUMP.EXENETWORKTRAFFICVIEW.EXEETTERCAP.EXEFIRESHARK.EXEIMAGENAME EQ
              Source: data.exe, 00000000.00000002.2485496817.000001DFC201B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: IMPORTREC.EXE
              Source: data.exeBinary or memory string: PETOOLS.EXELORDPE.EXEPRL_TOOLS.EXEPRL_CC.EXEXENCLIENT.EXEXENSERVICE.EXEDEPENDS.EXEAUTORUNS.EXEAUTORUNSC.EXEFILESCAN.EXETCPVIEW.EXEPESTUDIO.EXEREGSHOT.EXEPROCESS MONITOR.EXESYSTEM EXPLORER.EXESYSTEMEXPLORER.EXESYSTEMEXPLORERSERVICE.EXENETWORKMINER.EXETCPDUMP.EX
              Source: tasklist.exe, 00000030.00000002.1775623650.0000029DB3E4E000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000030.00000003.1774975895.0000029DB3E49000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000030.00000003.1775205001.0000029DB3E4E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: IMAGENAME EQ SBIESVC.EXE
              Source: tasklist.exe, 0000003C.00000002.1791497310.000002215F7C0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: "TASKLIST" /FI "IMAGENAME EQ FIDDLER.EXE"
              Source: data.exe, 00000000.00000002.2485496817.000001DFC201B000.00000004.00000020.00020000.00000000.sdmp, system_info.txt.0.drBinary or memory string: - XENSERVICE.EXE
              Source: tasklist.exe, 00000028.00000003.1762936104.0000025BE524C000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000028.00000002.1763830079.0000025BE524C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: IMAGENAME EQ QEMU-GA.EXE
              Source: tasklist.exe, 0000003C.00000002.1791633342.000002215F7F8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CT __PATH, PROCESSID, CSNAME, CAPTION, SESSIONID, THREADCOUNT, WORKINGSETSIZE, KERNELMODETIME, USERMODETIME FROM WIN32_PROCESS WHERE CAPTION = 'FIDDLER.EXE'!
              Source: tasklist.exe, 0000003C.00000003.1791179787.000002215F7F6000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 0000003C.00000003.1791092346.000002215F7E5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: WMI.EXECQUERY(SELECT __PATH, PROCESSID, CSNAME, CAPTION, SESSIONID, THREADCOUNT, WORKINGSETSIZE, KERNELMODETIME, USERMODETIME FROM WIN32_PROCESS WHERE CAPTION = 'FIDDLER.EXE');
              Source: data.exe, 00000000.00000002.2485496817.000001DFC201B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: - TCPDUMP.EXESTEM32
              Source: tasklist.exe, 00000030.00000002.1775554271.0000029DB3E20000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\USERS\user\DESKTOP\C:\WINDOWS\SYSTEM32\TASKLIST.EXE"TASKLIST" /FI "IMAGENAME EQ SBIESVC.EXE"C:\WINDOWS\SYSTEM32\TASKLIST.EXEWINSTA0\DEFAULT
              Source: data.exeBinary or memory string: QEMU-GA.EXEQEMU-SYSTEM-X86.EXEQEMU-SYSTEM-X86_64.EXESANDBOXIE.EXESBIESVC.EXESBIECTRL.EXESANDMAN.EXECOCKOO.EXEANALYSER.EXEWIRESHARK.EXEFIDDLER.EXEPROCESSHACKER.EXEPROCMON.EXEPROCEXP.EXEIDA64.EXEOLLYDBG.EXEX32DBG.EXEX64DBG.EXEWINDBG.EXEPROCMON64.EXEFILEMON.EXERE
              Source: data.exeBinary or memory string: PROCMON.EXEPROCEXP.EXEIDA64.EXEOLLYDBG.EXEX32DBG.EXEX64DBG.EXEWINDBG.EXEPROCMON64.EXEFILEMON.EXEREGMON.EXEIDAG.EXEIDAW.EXEIDAQ.EXEIDAQ64.EXEIDAU64.EXESCYLLA.EXEPROTECTION_ID.EXEDUMPCAP.EXEHOOKEXPLORER.EXEIMPORTREC.EXEPETOOLS.EXELORDPE.EXEPRL_TOOLS.EXEPRL_CC.EX
              Source: tasklist.exe, 00000046.00000002.1803740966.000002A34BD09000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CQUERY(SELECT __PATH, PROCESSID, CSNAME, CAPTION, SESSIONID, THREADCOUNT, WORKINGSETSIZE, KERNELMODETIME, USERMODETIME FROM WIN32_PROCESS WHERE CAPTION = 'OLLYDBG.EXE');
              Source: data.exeBinary or memory string: WIRESHARK.EXEFIDDLER.EXEPROCESSHACKER.EXEPROCMON.EXEPROCEXP.EXEIDA64.EXEOLLYDBG.EXEX32DBG.EXEX64DBG.EXEWINDBG.EXEPROCMON64.EXEFILEMON.EXEREGMON.EXEIDAG.EXEIDAW.EXEIDAQ.EXEIDAQ64.EXEIDAU64.EXESCYLLA.EXEPROTECTION_ID.EXEDUMPCAP.EXEHOOKEXPLORER.EXEIMPORTREC.EXEPE
              Source: tasklist.exe, 0000003E.00000002.1793821238.0000020DC31C0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\USERS\user\DESKTOP\C:\WINDOWS\SYSTEM32\TASKLIST.EXE"TASKLIST" /FI "IMAGENAME EQ PROCESSHACKER.EXE"C:\WINDOWS\SYSTEM32\TASKLIST.EXEWINSTA0\DEFAULTR
              Source: tasklist.exe, 00000028.00000003.1762936104.0000025BE524C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: WMI.EXECQUERY(SELECT __PATH, PROCESSID, CSNAME, CAPTION, SESSIONID, THREADCOUNT, WORKINGSETSIZE, KERNELMODETIME, USERMODETIME FROM WIN32_PROCESS WHERE CAPTION = 'QEMU-GA.EXE');
              Source: tasklist.exe, 0000004A.00000002.1813975970.0000016ABADCB000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 0000004A.00000003.1813501660.0000016ABADCB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: TASKLIST/FIIMAGENAME EQ X64DBG.EXE
              Source: tasklist.exe, 00000040.00000002.1796029909.000001BDEC6A0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: TASKLIST/FIIMAGENAME EQ PROCMON.EXEATA\LOCAL\TE
              Source: tasklist.exe, 00000046.00000002.1803639164.000002A34BCD8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXECQUERYSELECT __PATH, PROCESSID, CSNAME, CAPTION, SESSIONID, THREADCOUNT, WORKINGSETSIZE, KERNELMODETIME, USERMODETIME FROM WIN32_PROCESS WHERE CAPTION = 'OLLYDBG.EXE'
              Source: data.exeBinary or memory string: C:\WINDOWS\SYSNATIVE\DRIVERS\XENSVC.SYSC:\WINDOWS\SYSNATIVE\DRIVERS\XENVBD.SYSVMTOOLSD.EXEVMWARETRAY.EXEVMWAREUSER.EXEVMACTHLP.EXEVMWARE-VMX.EXEVMWARE-AUTHD.EXEVBOXSERVICE.EXEVBOXTRAY.EXEVBOXCONTROL.EXEVBOXHEADLESS.EXEQEMU-GA.EXEQEMU-SYSTEM-X86.EXEQEMU-SYSTEM-
              Source: data.exeBinary or memory string: IDAG.EXEIDAW.EXEIDAQ.EXEIDAQ64.EXEIDAU64.EXESCYLLA.EXEPROTECTION_ID.EXEDUMPCAP.EXEHOOKEXPLORER.EXEIMPORTREC.EXEPETOOLS.EXELORDPE.EXEPRL_TOOLS.EXEPRL_CC.EXEXENCLIENT.EXEXENSERVICE.EXEDEPENDS.EXEAUTORUNS.EXEAUTORUNSC.EXEFILESCAN.EXETCPVIEW.EXEPESTUDIO.EXEREGSHOT
              Source: data.exeBinary or memory string: QEMU-SYSTEM-X86_64.EXESANDBOXIE.EXESBIESVC.EXESBIECTRL.EXESANDMAN.EXECOCKOO.EXEANALYSER.EXEWIRESHARK.EXEFIDDLER.EXEPROCESSHACKER.EXEPROCMON.EXEPROCEXP.EXEIDA64.EXEOLLYDBG.EXEX32DBG.EXEX64DBG.EXEWINDBG.EXEPROCMON64.EXEFILEMON.EXEREGMON.EXEIDAG.EXEIDAW.EXEIDAQ.E
              Source: tasklist.exe, 0000004A.00000003.1813501660.0000016ABADCB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT __PATH, PROCESSID, CSNAME, CAPTION, SESSIONID, THREADCOUNT, WORKINGSETSIZE, KERNELMODETIME, USERMODETIME FROM WIN32_PROCESS WHERE CAPTION = 'X64DBG.EXE'
              Source: data.exe, 00000000.00000002.2485496817.000001DFC201B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\USERS\user\DESKTOP\API_LOG.DLL
              Source: tasklist.exe, 0000003C.00000002.1791633342.000002215F7F8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CT __PATH, PROCESSID, CSNAME, CAPTION, SESSIONID, THREADCOUNT, WORKINGSETSIZE, KERNELMODETIME, USERMODETIME FROM WIN32_PROCESS WHERE CAPTION = 'FIDDLER.EXE'WW
              Source: tasklist.exe, 00000040.00000003.1795510815.000001BDEC6E6000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000040.00000003.1795609354.000001BDEC6F6000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000040.00000002.1796168046.000001BDEC6F8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: , THREADCOUNT, WORKINGSETSIZE, KERNELMODETIME, USERMODETIME FROM WIN32_PROCESS WHERE CAPTION = 'PROCMON.EXE'0
              Source: data.exeBinary or memory string: SYSTEMEXPLORER.EXESYSTEMEXPLORERSERVICE.EXENETWORKMINER.EXETCPDUMP.EXENETWORKTRAFFICVIEW.EXEETTERCAP.EXEFIRESHARK.EXEIMAGENAME EQ
              Source: data.exeBinary or memory string: WPESPY.DLLCIGDLL.DLLPSTOREC.DLLVMCHECK.DLLALLERROR.DLLSAMPLE.DLLSANDBOX.DLLAGENT.DLLDBGCORE.DLLAVGHOOK.DLLAVGHOOKA.DLLLOG_API.DLLAPI_HOOK.DLLAPIMON.DLLAPISPY.DLLREGMON.DLLFILEMON.DLLPROCMON.DLLSYSMON.DLLSYSCALL.DLLHOOKS.DLLMONITOR.DLLDEFENSE.DLLPROTECT.DLLANAL
              Source: tasklist.exe, 0000003E.00000003.1793216492.0000020DC31FB000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 0000003E.00000002.1793995453.0000020DC31FD000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 0000003E.00000003.1793093614.0000020DC31E8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: IMAGENAME EQ PROCESSHACKER.EXE
              Source: data.exeBinary or memory string: COCKOO.EXEANALYSER.EXEWIRESHARK.EXEFIDDLER.EXEPROCESSHACKER.EXEPROCMON.EXEPROCEXP.EXEIDA64.EXEOLLYDBG.EXEX32DBG.EXEX64DBG.EXEWINDBG.EXEPROCMON64.EXEFILEMON.EXEREGMON.EXEIDAG.EXEIDAW.EXEIDAQ.EXEIDAQ64.EXEIDAU64.EXESCYLLA.EXEPROTECTION_ID.EXEDUMPCAP.EXEHOOKEXPLO
              Source: tasklist.exe, 0000003E.00000003.1793216492.0000020DC31FB000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 0000003E.00000002.1793995453.0000020DC31FD000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 0000003E.00000003.1793093614.0000020DC31E8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: , THREADCOUNT, WORKINGSETSIZE, KERNELMODETIME, USERMODETIME FROM WIN32_PROCESS WHERE CAPTION = 'PROCESSHACKER.EXE'0
              Source: tasklist.exe, 0000003C.00000003.1791179787.000002215F7F6000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 0000003C.00000003.1791092346.000002215F7E5000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 0000003C.00000002.1791633342.000002215F7F8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: TASKLIST/FIIMAGENAME EQ FIDDLER.EXE
              Source: tasklist.exe, 0000004C.00000002.1816002182.000002137307B000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 0000004C.00000003.1815560430.000002137307B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: TASKLIST/FIIMAGENAME EQ WINDBG.EXE7^M
              Source: data.exeBinary or memory string: AGENT.DLLDBGCORE.DLLAVGHOOK.DLLAVGHOOKA.DLLLOG_API.DLLAPI_HOOK.DLLAPIMON.DLLAPISPY.DLLREGMON.DLLFILEMON.DLLPROCMON.DLLSYSMON.DLLSYSCALL.DLLHOOKS.DLLMONITOR.DLLDEFENSE.DLLPROTECT.DLLANALYZER.DLLTRACE.DLLQEMU-GA.DLLPARALLELS.DLLPRL_TOOLS.DLLVPCMAP.DLLVMUSBMOUSE.
              Source: data.exeBinary or memory string: SNXHK.DLLCMDVRT32.DLLCMDVRT64.DLLCYBERGHOSTVPN.DLLVBOXMRXNP.DLLVMSRVC.DLLVMHGFS.DLLVM3DGL.DLLVMRIG.DLLVMUSB.DLLVBOXHOOK.DLLVBOXDISP.DLLVBOXSERVICE.DLLDBGHELP.DLLAPI_LOG.DLLDIR_WATCH.DLLWPESPY.DLLCIGDLL.DLLPSTOREC.DLLVMCHECK.DLLALLERROR.DLLSAMPLE.DLLSANDBOX.DLL
              Source: tasklist.exe, 00000046.00000002.1803639164.000002A34BCD0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\USERS\user\DESKTOP\C:\WINDOWS\SYSTEM32\TASKLIST.EXE"TASKLIST" /FI "IMAGENAME EQ OLLYDBG.EXE"C:\WINDOWS\SYSTEM32\TASKLIST.EXEWINSTA0\DEFAULT
              Source: tasklist.exe, 00000030.00000002.1775623650.0000029DB3E4E000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000030.00000003.1774975895.0000029DB3E49000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000030.00000003.1775205001.0000029DB3E4E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: , THREADCOUNT, WORKINGSETSIZE, KERNELMODETIME, USERMODETIME FROM WIN32_PROCESS WHERE CAPTION = 'SBIESVC.EXE'0
              Source: data.exeBinary or memory string: VMHGFS.DLLVM3DGL.DLLVMRIG.DLLVMUSB.DLLVBOXHOOK.DLLVBOXDISP.DLLVBOXSERVICE.DLLDBGHELP.DLLAPI_LOG.DLLDIR_WATCH.DLLWPESPY.DLLCIGDLL.DLLPSTOREC.DLLVMCHECK.DLLALLERROR.DLLSAMPLE.DLLSANDBOX.DLLAGENT.DLLDBGCORE.DLLAVGHOOK.DLLAVGHOOKA.DLLLOG_API.DLLAPI_HOOK.DLLAPIMON.
              Source: data.exe, 00000000.00000002.2485496817.000001DFC201B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: - XENSERVICE.EXEE
              Source: data.exeBinary or memory string: LOG_API.DLLAPI_HOOK.DLLAPIMON.DLLAPISPY.DLLREGMON.DLLFILEMON.DLLPROCMON.DLLSYSMON.DLLSYSCALL.DLLHOOKS.DLLMONITOR.DLLDEFENSE.DLLPROTECT.DLLANALYZER.DLLTRACE.DLLQEMU-GA.DLLPARALLELS.DLLPRL_TOOLS.DLLVPCMAP.DLLVMUSBMOUSE.DLLVMTRAY.DLLWIRESHARK.DLLWINDBG.DLLOLLYDBG
              Source: data.exe, 00000000.00000002.2485496817.000001DFC201B000.00000004.00000020.00020000.00000000.sdmp, system_info.txt.0.drBinary or memory string: - WINDBG.EXE
              Source: data.exeBinary or memory string: HOOKEXPLORER.EXEIMPORTREC.EXEPETOOLS.EXELORDPE.EXEPRL_TOOLS.EXEPRL_CC.EXEXENCLIENT.EXEXENSERVICE.EXEDEPENDS.EXEAUTORUNS.EXEAUTORUNSC.EXEFILESCAN.EXETCPVIEW.EXEPESTUDIO.EXEREGSHOT.EXEPROCESS MONITOR.EXESYSTEM EXPLORER.EXESYSTEMEXPLORER.EXESYSTEMEXPLORERSERVICE.
              Source: data.exeBinary or memory string: QEMU-SYSTEM-X86.EXEQEMU-SYSTEM-X86_64.EXESANDBOXIE.EXESBIESVC.EXESBIECTRL.EXESANDMAN.EXECOCKOO.EXEANALYSER.EXEWIRESHARK.EXEFIDDLER.EXEPROCESSHACKER.EXEPROCMON.EXEPROCEXP.EXEIDA64.EXEOLLYDBG.EXEX32DBG.EXEX64DBG.EXEWINDBG.EXEPROCMON64.EXEFILEMON.EXEREGMON.EXEIDA
              Source: data.exeBinary or memory string: DIR_WATCH.DLLWPESPY.DLLCIGDLL.DLLPSTOREC.DLLVMCHECK.DLLALLERROR.DLLSAMPLE.DLLSANDBOX.DLLAGENT.DLLDBGCORE.DLLAVGHOOK.DLLAVGHOOKA.DLLLOG_API.DLLAPI_HOOK.DLLAPIMON.DLLAPISPY.DLLREGMON.DLLFILEMON.DLLPROCMON.DLLSYSMON.DLLSYSCALL.DLLHOOKS.DLLMONITOR.DLLDEFENSE.DLLPR
              Source: data.exe, 00000000.00000002.2485496817.000001DFC201B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: INDOWS\SYSTEM32\TASKLIST.EXE226"TASKLIST" /FI "IMAGENAME EQ TCPDUMP.EXE"WC:\WINDOWS\SYSTE
              Source: data.exeBinary or memory string: X64DBG.EXEWINDBG.EXEPROCMON64.EXEFILEMON.EXEREGMON.EXEIDAG.EXEIDAW.EXEIDAQ.EXEIDAQ64.EXEIDAU64.EXESCYLLA.EXEPROTECTION_ID.EXEDUMPCAP.EXEHOOKEXPLORER.EXEIMPORTREC.EXEPETOOLS.EXELORDPE.EXEPRL_TOOLS.EXEPRL_CC.EXEXENCLIENT.EXEXENSERVICE.EXEDEPENDS.EXEAUTORUNS.EXEA
              Source: data.exe, 00000000.00000002.2485496817.000001DFC201B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: IMPORTREC.EXEDBG.EXE
              Source: tasklist.exe, 0000003C.00000002.1791633342.000002215F7F8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CQUERY(SELECT __PATH, PROCESSID, CSNAME, CAPTION, SESSIONID, THREADCOUNT, WORKINGSETSIZE, KERNELMODETIME, USERMODETIME FROM WIN32_PROCESS WHERE CAPTION = 'FIDDLER.EXE');
              Source: data.exe, 00000000.00000002.2485496817.000001DFC201B000.00000004.00000020.00020000.00000000.sdmp, system_info.txt.0.drBinary or memory string: - IDAG.EXE
              Source: tasklist.exe, 00000032.00000002.1778779364.0000026CE8210000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\USERS\user\DESKTOP\C:\WINDOWS\SYSTEM32\TASKLIST.EXE"TASKLIST" /FI "IMAGENAME EQ SBIECTRL.EXE"C:\WINDOWS\SYSTEM32\TASKLIST.EXEWINSTA0\DEFAULT`
              Source: tasklist.exe, 0000003E.00000003.1793216492.0000020DC31FB000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 0000003E.00000002.1793995453.0000020DC31FD000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 0000003E.00000003.1793093614.0000020DC31E8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: TASKLIST/FIIMAGENAME EQ PROCESSHACKER.EXE<
              Source: data.exe, 00000000.00000002.2485496817.000001DFC201B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: - TCPDUMP.EXESTEM32_I!
              Source: data.exe, 00000000.00000002.2485496817.000001DFC201B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: - XENSERVICE.EXEEE=A#
              Source: tasklist.exe, 00000040.00000002.1796029909.000001BDEC6A5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT __PATH, PROCESSID, CSNAME, CAPTION, SESSIONID, THREADCOUNT, WORKINGSETSIZE, KERNELMODETIME, USERMODETIME FROM WIN32_PROCESS WHERE CAPTION = 'PROCMON.EXE'PRO
              Source: data.exe, 00000000.00000002.2485496817.000001DFC201B000.00000004.00000020.00020000.00000000.sdmp, system_info.txt.0.drBinary or memory string: - DUMPCAP.EXE
              Source: data.exe, 00000000.00000002.2485496817.000001DFC201B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: - OLLYDBG.EXECOMMO
              Source: data.exe, 00000000.00000002.2485496817.000001DFC201B000.00000004.00000020.00020000.00000000.sdmp, system_info.txt.0.drBinary or memory string: - IMPORTREC.EXE
              Source: data.exeBinary or memory string: SBIECTRL.EXESANDMAN.EXECOCKOO.EXEANALYSER.EXEWIRESHARK.EXEFIDDLER.EXEPROCESSHACKER.EXEPROCMON.EXEPROCEXP.EXEIDA64.EXEOLLYDBG.EXEX32DBG.EXEX64DBG.EXEWINDBG.EXEPROCMON64.EXEFILEMON.EXEREGMON.EXEIDAG.EXEIDAW.EXEIDAQ.EXEIDAQ64.EXEIDAU64.EXESCYLLA.EXEPROTECTION_ID.
              Source: data.exe, 00000000.00000002.2485496817.000001DFC201B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: - REGSHOT.EXESTEM32ST
              Source: tasklist.exe, 00000028.00000003.1762936104.0000025BE524C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT __PATH, PROCESSID, CSNAME, CAPTION, SESSIONID, THREADCOUNT, WORKINGSETSIZE, KERNELMODETIME, USERMODETIME FROM WIN32_PROCESS WHERE CAPTION = 'QEMU-GA.EXE'
              Source: data.exe, 00000000.00000002.2485496817.000001DFC201B000.00000004.00000020.00020000.00000000.sdmp, system_info.txt.0.drBinary or memory string: - TCPDUMP.EXE
              Source: data.exeBinary or memory string: VBOXHOOK.DLLVBOXDISP.DLLVBOXSERVICE.DLLDBGHELP.DLLAPI_LOG.DLLDIR_WATCH.DLLWPESPY.DLLCIGDLL.DLLPSTOREC.DLLVMCHECK.DLLALLERROR.DLLSAMPLE.DLLSANDBOX.DLLAGENT.DLLDBGCORE.DLLAVGHOOK.DLLAVGHOOKA.DLLLOG_API.DLLAPI_HOOK.DLLAPIMON.DLLAPISPY.DLLREGMON.DLLFILEMON.DLLPROC
              Source: data.exeBinary or memory string: SBIEDLL.DLLSF2.DLLSNXHK.DLLCMDVRT32.DLLCMDVRT64.DLLCYBERGHOSTVPN.DLLVBOXMRXNP.DLLVMSRVC.DLLVMHGFS.DLLVM3DGL.DLLVMRIG.DLLVMUSB.DLLVBOXHOOK.DLLVBOXDISP.DLLVBOXSERVICE.DLLDBGHELP.DLLAPI_LOG.DLLDIR_WATCH.DLLWPESPY.DLLCIGDLL.DLLPSTOREC.DLLVMCHECK.DLLALLERROR.DLLSAMPLE.DLLSANDBOX.DLLAGENT.DLLDBGCORE.DLLAVGHOOK.DLLAVGHOOKA.DLLLOG_API.DLLAPI_HOOK.DLLAPIMON.DLLAPISPY.DLLREGMON.DLLFILEMON.DLLPROCMON.DLLSYSMON.DLLSYSCALL.DLLHOOKS.DLLMONITOR.DLLDEFENSE.DLLPROTECT.DLLANALYZER.DLLTRACE.DLLQEMU-GA.DLLPARALLELS.DLLPRL_TOOLS.DLLVPCMAP.DLLVMUSBMOUSE.DLLVMTRAY.DLLWIRESHARK.DLLWINDBG.DLLOLLYDBG.DLLIMMUNITY.DLLGHIDRA.DLLIDA.DLLX64DBG.DLL
              Source: tasklist.exe, 0000003C.00000003.1791179787.000002215F7F6000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 0000003C.00000003.1791092346.000002215F7E5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT __PATH, PROCESSID, CSNAME, CAPTION, SESSIONID, THREADCOUNT, WORKINGSETSIZE, KERNELMODETIME, USERMODETIME FROM WIN32_PROCESS WHERE CAPTION = 'FIDDLER.EXE';
              Source: data.exe, 00000000.00000002.2485496817.000001DFC201B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: REGMON.EXEU
              Source: tasklist.exe, 00000046.00000002.1803639164.000002A34BCD8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT __PATH, PROCESSID, CSNAME, CAPTION, SESSIONID, THREADCOUNT, WORKINGSETSIZE, KERNELMODETIME, USERMODETIME FROM WIN32_PROCESS WHERE CAPTION = 'OLLYDBG.EXE'
              Source: data.exeBinary or memory string: SCYLLA.EXEPROTECTION_ID.EXEDUMPCAP.EXEHOOKEXPLORER.EXEIMPORTREC.EXEPETOOLS.EXELORDPE.EXEPRL_TOOLS.EXEPRL_CC.EXEXENCLIENT.EXEXENSERVICE.EXEDEPENDS.EXEAUTORUNS.EXEAUTORUNSC.EXEFILESCAN.EXETCPVIEW.EXEPESTUDIO.EXEREGSHOT.EXEPROCESS MONITOR.EXESYSTEM EXPLORER.EXESY
              Source: data.exe, 00000000.00000002.2485496817.000001DFC201B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: REGMON.EXEULM32CO
              Source: tasklist.exe, 00000028.00000003.1762936104.0000025BE5236000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000028.00000003.1763071032.0000025BE5246000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000028.00000002.1763830079.0000025BE5248000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: , THREADCOUNT, WORKINGSETSIZE, KERNELMODETIME, USERMODETIME FROM WIN32_PROCESS WHERE CAPTION = 'QEMU-GA.EXE'0
              Source: tasklist.exe, 0000004C.00000002.1816002182.000002137307B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CT __PATH, PROCESSID, CSNAME, CAPTION, SESSIONID, THREADCOUNT, WORKINGSETSIZE, KERNELMODETIME, USERMODETIME FROM WIN32_PROCESS WHERE CAPTION = 'WINDBG.EXE'
              Source: data.exeBinary or memory string: VBOXDISP.DLLVBOXSERVICE.DLLDBGHELP.DLLAPI_LOG.DLLDIR_WATCH.DLLWPESPY.DLLCIGDLL.DLLPSTOREC.DLLVMCHECK.DLLALLERROR.DLLSAMPLE.DLLSANDBOX.DLLAGENT.DLLDBGCORE.DLLAVGHOOK.DLLAVGHOOKA.DLLLOG_API.DLLAPI_HOOK.DLLAPIMON.DLLAPISPY.DLLREGMON.DLLFILEMON.DLLPROCMON.DLLSYSMO
              Source: tasklist.exe, 0000003A.00000002.1789472804.0000018BD941B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CT __PATH, PROCESSID, CSNAME, CAPTION, SESSIONID, THREADCOUNT, WORKINGSETSIZE, KERNELMODETIME, USERMODETIME FROM WIN32_PROCESS WHERE CAPTION = 'WIRESHARK.EXE'
              Source: data.exeBinary or memory string: SBIEDLL.DLLSF2.DLLSNXHK.DLLCMDVRT32.DLLCMDVRT64.DLLCYBERGHOSTVPN.DLLVBOXMRXNP.DLLVMSRVC.DLLVMHGFS.DLLVM3DGL.DLLVMRIG.DLLVMUSB.DLLVBOXHOOK.DLLVBOXDISP.DLLVBOXSERVICE.DLLDBGHELP.DLLAPI_LOG.DLLDIR_WATCH.DLLWPESPY.DLLCIGDLL.DLLPSTOREC.DLLVMCHECK.DLLALLERROR.DLLSAM
              Source: tasklist.exe, 00000028.00000002.1763961284.0000025BE54D5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT __PATH, PROCESSID, CSNAME, CAPTION, SESSIONID, THREADCOUNT, WORKINGSETSIZE, KERNELMODETIME, USERMODETIME FROM WIN32_PROCESS WHERE CAPTION = 'QEMU-GA.EXE'PRO
              Source: data.exe, 00000000.00000002.2485496817.000001DFC201B000.00000004.00000020.00020000.00000000.sdmp, system_info.txt.0.drBinary or memory string: - SBIECTRL.EXE
              Source: data.exeBinary or memory string: ALLERROR.DLLSAMPLE.DLLSANDBOX.DLLAGENT.DLLDBGCORE.DLLAVGHOOK.DLLAVGHOOKA.DLLLOG_API.DLLAPI_HOOK.DLLAPIMON.DLLAPISPY.DLLREGMON.DLLFILEMON.DLLPROCMON.DLLSYSMON.DLLSYSCALL.DLLHOOKS.DLLMONITOR.DLLDEFENSE.DLLPROTECT.DLLANALYZER.DLLTRACE.DLLQEMU-GA.DLLPARALLELS.DLLP
              Source: data.exeBinary or memory string: WINDBG.EXEPROCMON64.EXEFILEMON.EXEREGMON.EXEIDAG.EXEIDAW.EXEIDAQ.EXEIDAQ64.EXEIDAU64.EXESCYLLA.EXEPROTECTION_ID.EXEDUMPCAP.EXEHOOKEXPLORER.EXEIMPORTREC.EXEPETOOLS.EXELORDPE.EXEPRL_TOOLS.EXEPRL_CC.EXEXENCLIENT.EXEXENSERVICE.EXEDEPENDS.EXEAUTORUNS.EXEAUTORUNSC.E
              Source: tasklist.exe, 00000032.00000002.1778919878.0000026CE8248000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000032.00000003.1777860795.0000026CE8237000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000032.00000003.1778039592.0000026CE8246000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: IMAGENAME EQ SBIECTRL.EXE
              Source: data.exe, 00000000.00000002.2485496817.000001DFC201B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: REGSHOT.EXESYSTEM32
              Source: data.exeBinary or memory string: VMWARE-AUTHD.EXEVBOXSERVICE.EXEVBOXTRAY.EXEVBOXCONTROL.EXEVBOXHEADLESS.EXEQEMU-GA.EXEQEMU-SYSTEM-X86.EXEQEMU-SYSTEM-X86_64.EXESANDBOXIE.EXESBIESVC.EXESBIECTRL.EXESANDMAN.EXECOCKOO.EXEANALYSER.EXEWIRESHARK.EXEFIDDLER.EXEPROCESSHACKER.EXEPROCMON.EXEPROCEXP.EXEID
              Source: tasklist.exe, 0000003C.00000003.1791179787.000002215F7F6000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 0000003C.00000003.1791092346.000002215F7E5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT __PATH, PROCESSID, CSNAME, CAPTION, SESSIONID, THREADCOUNT, WORKINGSETSIZE, KERNELMODETIME, USERMODETIME FROM WIN32_PROCESS WHERE CAPTION = 'FIDDLER.EXE'!
              Source: data.exeBinary or memory string: SANDMAN.EXECOCKOO.EXEANALYSER.EXEWIRESHARK.EXEFIDDLER.EXEPROCESSHACKER.EXEPROCMON.EXEPROCEXP.EXEIDA64.EXEOLLYDBG.EXEX32DBG.EXEX64DBG.EXEWINDBG.EXEPROCMON64.EXEFILEMON.EXEREGMON.EXEIDAG.EXEIDAW.EXEIDAQ.EXEIDAQ64.EXEIDAU64.EXESCYLLA.EXEPROTECTION_ID.EXEDUMPCAP.E
              Source: tasklist.exe, 00000030.00000002.1775847559.0000029DB4095000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT __PATH, PROCESSID, CSNAME, CAPTION, SESSIONID, THREADCOUNT, WORKINGSETSIZE, KERNELMODETIME, USERMODETIME FROM WIN32_PROCESS WHERE CAPTION = 'SBIESVC.EXE'PRO
              Source: data.exeBinary or memory string: X32DBG.EXEX64DBG.EXEWINDBG.EXEPROCMON64.EXEFILEMON.EXEREGMON.EXEIDAG.EXEIDAW.EXEIDAQ.EXEIDAQ64.EXEIDAU64.EXESCYLLA.EXEPROTECTION_ID.EXEDUMPCAP.EXEHOOKEXPLORER.EXEIMPORTREC.EXEPETOOLS.EXELORDPE.EXEPRL_TOOLS.EXEPRL_CC.EXEXENCLIENT.EXEXENSERVICE.EXEDEPENDS.EXEAUT
              Source: data.exe, 00000000.00000002.2485496817.000001DFC201B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\WINDOWS\SYSTEM32\API_LOG.DLL
              Source: data.exeBinary or memory string: WMICC:\WINDOWS\SYSNATIVE\DRIVERS\VMMOUSE.SYSC:\WINDOWS\SYSNATIVE\DRIVERS\VMHGFS.SYSC:\WINDOWS\SYSNATIVE\DRIVERS\VMUSBMOUSE.SYSC:\WINDOWS\SYSNATIVE\DRIVERS\VMRAWDSK.SYSC:\WINDOWS\SYSNATIVE\DRIVERS\VMMEMCTL.SYSC:\WINDOWS\SYSNATIVE\DRIVERS\VMX86.SYSC:\WINDOWS\SYSNATIVE\DRIVERS\VMNET.SYSC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\C:\WINDOWS\SYSNATIVE\DRIVERS\VBOXMOUSE.SYSC:\WINDOWS\SYSNATIVE\DRIVERS\VBOXGUEST.SYSC:\WINDOWS\SYSNATIVE\DRIVERS\VBOXSF.SYSC:\WINDOWS\SYSNATIVE\DRIVERS\VBOXVIDEO.SYSC:\WINDOWS\SYSNATIVE\VBOXDISP.DLLC:\WINDOWS\SYSNATIVE\VBOXHOOK.DLLC:\WINDOWS\SYSNATIVE\VBOXMRXNP.DLLC:\PROGRAM FILES\ORACLE\VIRTUALBOX GUEST ADDITIONS\C:\WINDOWS\SYSNATIVE\DRIVERS\QEMU-GA.SYSC:\WINDOWS\SYSNATIVE\DRIVERS\QEMUFWCFG.SYSC:\WINDOWS\SYSNATIVE\DRIVERS\QEMUPCISERIAL.SYSC:\SANDCASTLE\C:\SANDBOX\C:\TOOLS\SANDBOX\C:\PROGRAM FILES\SANDBOXIE\C:\PROGRAM FILES\CUCKOO\C:\PROGRAM FILES\JOE SANDBOX\C:\PROGRAM FILES\WIRESHARK\C:\PROGRAM FILES\FIDDLER\C:\PROGRAM FILES\PROCESS HACKER\C:\PROGRAM FILES\PROCESS MONITOR\C:\PROGRAM FILES\PROCESS EXPLORER\C:\PROGRAM FILES\IDA PRO\C:\PROGRAM FILES\X64DBG\C:\PROGRAM 
FILES\OLLYDBG\C:\ANALYSIS\C:\ANALYSER\C:\SANDBOX\C:\MALWARE\C:\RESEARCH\C:\TEST\C:\WINDOWS\SYSNATIVE\DRIVERS\PRLETH.SYSC:\WINDOWS\SYSNATIVE\DRIVERS\PRLFS.SYSC:\WINDOWS\SYSNATIVE\DRIVERS\PRLMOUSE.SYSC:\WINDOWS\SYSNATIVE\DRIVERS\PRLVIDEO.SYSC:\WINDOWS\SYSNATIVE\DRIVERS\XENNET.SYSC:\WINDOWS\SYSNATIVE\DRIVERS\XENSVC.SYSC:\WINDOWS\SYSNATIVE\DRIVERS\XENVBD.SYSVMTOOLSD.EXEVMWARETRAY.EXEVMWAREUSER.EXEVMACTHLP.EXEVMWARE-VMX.EXEVMWARE-AUTHD.EXEVBOXSERVICE.EXEVBOXTRAY.EXEVBOXCONTROL.EXEVBOXHEADLESS.EXEQEMU-GA.EXEQEMU-SYSTEM-X86.EXEQEMU-SYSTEM-X86_64.EXESANDBOXIE.EXESBIESVC.EXESBIECTRL.EXESANDMAN.EXECOCKOO.EXEANALYSER.EXEWIRESHARK.EXEFIDDLER.EXEPROCESSHACKER.EXEPROCMON.EXEPROCEXP.EXEIDA64.EXEOLLYDBG.EXEX32DBG.EXEX64DBG.EXEWINDBG.EXEPROCMON64.EXEFILEMON.EXEREGMON.EXEIDAG.EXEIDAW.EXEIDAQ.EXEIDAQ64.EXEIDAU64.EXESCYLLA.EXEPROTECTION_ID.EXEDUMPCAP.EXEHOOKEXPLORER.EXEIMPORTREC.EXEPETOOLS.EXELORDPE.EXEPRL_TOOLS.EXEPRL_CC.EXEXENCLIENT.EXEXENSERVICE.EXEDEPENDS.EXEAUTORUNS.EXEAUTORUNSC.EXEFILESCAN.EXETCPVIEW.EXEPESTUDIO.EXEREGSHOT.EXEPROCESS MONITOR.EXESYSTEM EXPLORER.EXESYSTEMEXPLORER.EXESYSTEMEXPLORERSERVICE.EXENETWORKMINER.EXETCPDUMP.EXENETWORKTRAFFICVIEW.EXEETTERCAP.EXEFIRESHARK.EXEIMAGENAME EQ Q
              Source: tasklist.exe, 0000004A.00000002.1813975970.0000016ABADCB000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 0000004A.00000003.1813501660.0000016ABADCB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: IMAGENAME EQ X64DBG.EXE
              Source: tasklist.exe, 00000028.00000002.1763706201.0000025BE5210000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\USERS\user\DESKTOP\C:\WINDOWS\SYSTEM32\TASKLIST.EXE"TASKLIST" /FI "IMAGENAME EQ QEMU-GA.EXE"C:\WINDOWS\SYSTEM32\TASKLIST.EXEWINSTA0\DEFAULT
              Source: tasklist.exe, 00000030.00000003.1775097656.0000029DB3E60000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000030.00000003.1774975895.0000029DB3E49000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: WMI.EXECQUERY(SELECT __PATH, PROCESSID, CSNAME, CAPTION, SESSIONID, THREADCOUNT, WORKINGSETSIZE, KERNELMODETIME, USERMODETIME FROM WIN32_PROCESS WHERE CAPTION = 'SBIESVC.EXE');
              Source: tasklist.exe, 0000003C.00000002.1791497310.000002215F7C0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\USERS\user\DESKTOP\C:\WINDOWS\SYSTEM32\TASKLIST.EXE"TASKLIST" /FI "IMAGENAME EQ FIDDLER.EXE"C:\WINDOWS\SYSTEM32\TASKLIST.EXEWINSTA0\DEFAULTI
              Source: data.exe, 00000000.00000002.2485496817.000001DFC201B000.00000004.00000020.00020000.00000000.sdmp, system_info.txt.0.dr | Binary or memory string: - SBIESVC.EXE
              Source: tasklist.exe, 00000030.00000002.1775847559.0000029DB4090000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: TASKLIST/FIIMAGENAME EQ SBIESVC.EXEATA\LOCAL\TE
              Source: data.exe | Binary or memory string: AVGHOOKA.DLLLOG_API.DLLAPI_HOOK.DLLAPIMON.DLLAPISPY.DLLREGMON.DLLFILEMON.DLLPROCMON.DLLSYSMON.DLLSYSCALL.DLLHOOKS.DLLMONITOR.DLLDEFENSE.DLLPROTECT.DLLANALYZER.DLLTRACE.DLLQEMU-GA.DLLPARALLELS.DLLPRL_TOOLS.DLLVPCMAP.DLLVMUSBMOUSE.DLLVMTRAY.DLLWIRESHARK.DLLWINDB
              Source: data.exe | Binary or memory string: IDAQ64.EXEIDAU64.EXESCYLLA.EXEPROTECTION_ID.EXEDUMPCAP.EXEHOOKEXPLORER.EXEIMPORTREC.EXEPETOOLS.EXELORDPE.EXEPRL_TOOLS.EXEPRL_CC.EXEXENCLIENT.EXEXENSERVICE.EXEDEPENDS.EXEAUTORUNS.EXEAUTORUNSC.EXEFILESCAN.EXETCPVIEW.EXEPESTUDIO.EXEREGSHOT.EXEPROCESS MONITOR.EXES
              Source: tasklist.exe, 0000003A.00000002.1789472804.0000018BD941B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CQUERY(SELECT __PATH, PROCESSID, CSNAME, CAPTION, SESSIONID, THREADCOUNT, WORKINGSETSIZE, KERNELMODETIME, USERMODETIME FROM WIN32_PROCESS WHERE CAPTION = 'WIRESHARK.EXE');
              Source: tasklist.exe, 00000040.00000002.1796094473.000001BDEC6C0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: "TASKLIST" /FI "IMAGENAME EQ PROCMON.EXE"\
              Source: data.exe | Binary or memory string: SANDBOX.DLLAGENT.DLLDBGCORE.DLLAVGHOOK.DLLAVGHOOKA.DLLLOG_API.DLLAPI_HOOK.DLLAPIMON.DLLAPISPY.DLLREGMON.DLLFILEMON.DLLPROCMON.DLLSYSMON.DLLSYSCALL.DLLHOOKS.DLLMONITOR.DLLDEFENSE.DLLPROTECT.DLLANALYZER.DLLTRACE.DLLQEMU-GA.DLLPARALLELS.DLLPRL_TOOLS.DLLVPCMAP.DLL
              Source: tasklist.exe, 0000003E.00000002.1794204833.0000020DC33C5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SELECT __PATH, PROCESSID, CSNAME, CAPTION, SESSIONID, THREADCOUNT, WORKINGSETSIZE, KERNELMODETIME, USERMODETIME FROM WIN32_PROCESS WHERE CAPTION = 'PROCESSHACKER.EXE'NTIFIE
              Source: tasklist.exe, 0000003E.00000003.1793216492.0000020DC31FB000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 0000003E.00000002.1793995453.0000020DC31FD000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 0000003E.00000003.1793093614.0000020DC31E8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SELECT __PATH, PROCESSID, CSNAME, CAPTION, SESSIONID, THREADCOUNT, WORKINGSETSIZE, KERNELMODETIME, USERMODETIME FROM WIN32_PROCESS WHERE CAPTION = 'PROCESSHACKER.EXE'6
              Source: data.exe, 00000000.00000002.2485496817.000001DFC201B000.00000004.00000020.00020000.00000000.sdmp, system_info.txt.0.dr | Binary or memory string: - PROCESSHACKER.EXE
              Source: tasklist.exe, 00000046.00000003.1803133186.000002A34BD0D000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000046.00000002.1803740966.000002A34BD09000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: TASKLIST/FIIMAGENAME EQ OLLYDBG.EXE
              Source: data.exe | Binary or memory string: TCPDUMP.EXENETWORKTRAFFICVIEW.EXEETTERCAP.EXEFIRESHARK.EXEIMAGENAME EQ
              Source: tasklist.exe, 00000046.00000002.1803639164.000002A34BCD0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: "TASKLIST" /FI "IMAGENAME EQ OLLYDBG.EXE"
              Source: tasklist.exe, 00000040.00000002.1796168046.000001BDEC6F8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CT __PATH, PROCESSID, CSNAME, CAPTION, SESSIONID, THREADCOUNT, WORKINGSETSIZE, KERNELMODETIME, USERMODETIME FROM WIN32_PROCESS WHERE CAPTION = 'PROCMON.EXE'
              Source: tasklist.exe, 00000028.00000002.1763961284.0000025BE54D0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: TASKLIST/FIIMAGENAME EQ QEMU-GA.EXEATA\LOCAL\TE
              Source: tasklist.exe, 00000032.00000002.1778779364.0000026CE823C000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000032.00000003.1777860795.0000026CE8237000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 0, THREADCOUNT, WORKINGSETSIZE, KERNELMODETIME, USERMODETIME FROM WIN32_PROCESS WHERE CAPTION = 'SBIECTRL.EXE'0HANNEL
              Source: data.exe | Binary or memory string: IDAW.EXEIDAQ.EXEIDAQ64.EXEIDAU64.EXESCYLLA.EXEPROTECTION_ID.EXEDUMPCAP.EXEHOOKEXPLORER.EXEIMPORTREC.EXEPETOOLS.EXELORDPE.EXEPRL_TOOLS.EXEPRL_CC.EXEXENCLIENT.EXEXENSERVICE.EXEDEPENDS.EXEAUTORUNS.EXEAUTORUNSC.EXEFILESCAN.EXETCPVIEW.EXEPESTUDIO.EXEREGSHOT.EXEPROC
              Source: tasklist.exe, 0000003C.00000002.1791497310.000002215F7C0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: "TASKLIST" /FI "IMAGENAME EQ FIDDLER.EXE"-
              Source: tasklist.exe, 0000004A.00000002.1813975970.0000016ABADCB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CQUERY(SELECT __PATH, PROCESSID, CSNAME, CAPTION, SESSIONID, THREADCOUNT, WORKINGSETSIZE, KERNELMODETIME, USERMODETIME FROM WIN32_PROCESS WHERE CAPTION = 'X64DBG.EXE');
              Source: data.exe | Binary or memory string: FILEMON.EXEREGMON.EXEIDAG.EXEIDAW.EXEIDAQ.EXEIDAQ64.EXEIDAU64.EXESCYLLA.EXEPROTECTION_ID.EXEDUMPCAP.EXEHOOKEXPLORER.EXEIMPORTREC.EXEPETOOLS.EXELORDPE.EXEPRL_TOOLS.EXEPRL_CC.EXEXENCLIENT.EXEXENSERVICE.EXEDEPENDS.EXEAUTORUNS.EXEAUTORUNSC.EXEFILESCAN.EXETCPVIEW.E
              Source: data.exe | Binary or memory string: REGSHOT.EXEPROCESS MONITOR.EXESYSTEM EXPLORER.EXESYSTEMEXPLORER.EXESYSTEMEXPLORERSERVICE.EXENETWORKMINER.EXETCPDUMP.EXENETWORKTRAFFICVIEW.EXEETTERCAP.EXEFIRESHARK.EXEIMAGENAME EQ
              Source: tasklist.exe, 00000030.00000003.1775296692.0000029DB3E6C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CQUERY(SELECT __PATH, PROCESSID, CSNAME, CAPTION, SESSIONID, THREADCOUNT, WORKINGSETSIZE, KERNELMODETIME, USERMODETIME FROM WIN32_PROCESS WHERE CAPTION = 'SBIESVC.EXE');
              Source: data.exe | Binary or memory string: SAMPLE.DLLSANDBOX.DLLAGENT.DLLDBGCORE.DLLAVGHOOK.DLLAVGHOOKA.DLLLOG_API.DLLAPI_HOOK.DLLAPIMON.DLLAPISPY.DLLREGMON.DLLFILEMON.DLLPROCMON.DLLSYSMON.DLLSYSCALL.DLLHOOKS.DLLMONITOR.DLLDEFENSE.DLLPROTECT.DLLANALYZER.DLLTRACE.DLLQEMU-GA.DLLPARALLELS.DLLPRL_TOOLS.DLL
              Source: data.exe | Binary or memory string: IDA64.EXEOLLYDBG.EXEX32DBG.EXEX64DBG.EXEWINDBG.EXEPROCMON64.EXEFILEMON.EXEREGMON.EXEIDAG.EXEIDAW.EXEIDAQ.EXEIDAQ64.EXEIDAU64.EXESCYLLA.EXEPROTECTION_ID.EXEDUMPCAP.EXEHOOKEXPLORER.EXEIMPORTREC.EXEPETOOLS.EXELORDPE.EXEPRL_TOOLS.EXEPRL_CC.EXEXENCLIENT.EXEXENSERVI
              Source: data.exe | Binary or memory string: PROCESSHACKER.EXEPROCMON.EXEPROCEXP.EXEIDA64.EXEOLLYDBG.EXEX32DBG.EXEX64DBG.EXEWINDBG.EXEPROCMON64.EXEFILEMON.EXEREGMON.EXEIDAG.EXEIDAW.EXEIDAQ.EXEIDAQ64.EXEIDAU64.EXESCYLLA.EXEPROTECTION_ID.EXEDUMPCAP.EXEHOOKEXPLORER.EXEIMPORTREC.EXEPETOOLS.EXELORDPE.EXEPRL_T
              Source: tasklist.exe, 00000028.00000003.1762936104.0000025BE524C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SELECT __PATH, PROCESSID, CSNAME, CAPTION, SESSIONID, THREADCOUNT, WORKINGSETSIZE, KERNELMODETIME, USERMODETIME FROM WIN32_PROCESS WHERE CAPTION = 'QEMU-GA.EXE'[
              Source: data.exe | Binary or memory string: VMWARE-VMX.EXEVMWARE-AUTHD.EXEVBOXSERVICE.EXEVBOXTRAY.EXEVBOXCONTROL.EXEVBOXHEADLESS.EXEQEMU-GA.EXEQEMU-SYSTEM-X86.EXEQEMU-SYSTEM-X86_64.EXESANDBOXIE.EXESBIESVC.EXESBIECTRL.EXESANDMAN.EXECOCKOO.EXEANALYSER.EXEWIRESHARK.EXEFIDDLER.EXEPROCESSHACKER.EXEPROCMON.EX
              Source: data.exe, 00000000.00000002.2485496817.000001DFC201B000.00000004.00000020.00020000.00000000.sdmp, system_info.txt.0.dr | Binary or memory string: - PETOOLS.EXE
              Source: data.exe, 00000000.00000002.2485496817.000001DFC201B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: AUTORUNS.EXEL
              Source: data.exe | Binary or memory string: PSTOREC.DLLVMCHECK.DLLALLERROR.DLLSAMPLE.DLLSANDBOX.DLLAGENT.DLLDBGCORE.DLLAVGHOOK.DLLAVGHOOKA.DLLLOG_API.DLLAPI_HOOK.DLLAPIMON.DLLAPISPY.DLLREGMON.DLLFILEMON.DLLPROCMON.DLLSYSMON.DLLSYSCALL.DLLHOOKS.DLLMONITOR.DLLDEFENSE.DLLPROTECT.DLLANALYZER.DLLTRACE.DLLQEM
              Source: tasklist.exe, 00000032.00000002.1778683853.0000026CE8200000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: TASKLIST/FIIMAGENAME EQ SBIECTRL.EXEA\LOCAL\TE
              Source: tasklist.exe, 00000040.00000003.1795510815.000001BDEC703000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: WMI.EXECQUERY(SELECT __PATH, PROCESSID, CSNAME, CAPTION, SESSIONID, THREADCOUNT, WORKINGSETSIZE, KERNELMODETIME, USERMODETIME FROM WIN32_PROCESS WHERE CAPTION = 'PROCMON.EXE');
              Source: tasklist.exe, 00000046.00000002.1803570268.000002A34BCB0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: TASKLIST/FIIMAGENAME EQ OLLYDBG.EXEATA\LOCAL\TEM
              Source: data.exe | Binary or memory string: API_LOG.DLLDIR_WATCH.DLLWPESPY.DLLCIGDLL.DLLPSTOREC.DLLVMCHECK.DLLALLERROR.DLLSAMPLE.DLLSANDBOX.DLLAGENT.DLLDBGCORE.DLLAVGHOOK.DLLAVGHOOKA.DLLLOG_API.DLLAPI_HOOK.DLLAPIMON.DLLAPISPY.DLLREGMON.DLLFILEMON.DLLPROCMON.DLLSYSMON.DLLSYSCALL.DLLHOOKS.DLLMONITOR.DLLDE
              Source: data.exe, 00000000.00000002.2485496817.000001DFC201B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: PETOOLS.EXEQ IDAQ64.EXE
              Source: data.exe | Binary or memory string: LORDPE.EXEPRL_TOOLS.EXEPRL_CC.EXEXENCLIENT.EXEXENSERVICE.EXEDEPENDS.EXEAUTORUNS.EXEAUTORUNSC.EXEFILESCAN.EXETCPVIEW.EXEPESTUDIO.EXEREGSHOT.EXEPROCESS MONITOR.EXESYSTEM EXPLORER.EXESYSTEMEXPLORER.EXESYSTEMEXPLORERSERVICE.EXENETWORKMINER.EXETCPDUMP.EXENETWORKTRA
              Source: data.exe | Binary or memory string: FIDDLER.EXEPROCESSHACKER.EXEPROCMON.EXEPROCEXP.EXEIDA64.EXEOLLYDBG.EXEX32DBG.EXEX64DBG.EXEWINDBG.EXEPROCMON64.EXEFILEMON.EXEREGMON.EXEIDAG.EXEIDAW.EXEIDAQ.EXEIDAQ64.EXEIDAU64.EXESCYLLA.EXEPROTECTION_ID.EXEDUMPCAP.EXEHOOKEXPLORER.EXEIMPORTREC.EXEPETOOLS.EXELORD
              Source: data.exe | Binary or memory string: DBGHELP.DLLAPI_LOG.DLLDIR_WATCH.DLLWPESPY.DLLCIGDLL.DLLPSTOREC.DLLVMCHECK.DLLALLERROR.DLLSAMPLE.DLLSANDBOX.DLLAGENT.DLLDBGCORE.DLLAVGHOOK.DLLAVGHOOKA.DLLLOG_API.DLLAPI_HOOK.DLLAPIMON.DLLAPISPY.DLLREGMON.DLLFILEMON.DLLPROCMON.DLLSYSMON.DLLSYSCALL.DLLHOOKS.DLLMO
              Source: data.exe | Binary or memory string: VMRIG.DLLVMUSB.DLLVBOXHOOK.DLLVBOXDISP.DLLVBOXSERVICE.DLLDBGHELP.DLLAPI_LOG.DLLDIR_WATCH.DLLWPESPY.DLLCIGDLL.DLLPSTOREC.DLLVMCHECK.DLLALLERROR.DLLSAMPLE.DLLSANDBOX.DLLAGENT.DLLDBGCORE.DLLAVGHOOK.DLLAVGHOOKA.DLLLOG_API.DLLAPI_HOOK.DLLAPIMON.DLLAPISPY.DLLREGMON.
              Source: tasklist.exe, 00000032.00000003.1777860795.0000026CE8237000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000032.00000003.1778039592.0000026CE8246000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: WMI.EXECQUERY(SELECT __PATH, PROCESSID, CSNAME, CAPTION, SESSIONID, THREADCOUNT, WORKINGSETSIZE, KERNELMODETIME, USERMODETIME FROM WIN32_PROCESS WHERE CAPTION = 'SBIECTRL.EXE');
              Source: data.exe | Binary or memory string: IDAU64.EXESCYLLA.EXEPROTECTION_ID.EXEDUMPCAP.EXEHOOKEXPLORER.EXEIMPORTREC.EXEPETOOLS.EXELORDPE.EXEPRL_TOOLS.EXEPRL_CC.EXEXENCLIENT.EXEXENSERVICE.EXEDEPENDS.EXEAUTORUNS.EXEAUTORUNSC.EXEFILESCAN.EXETCPVIEW.EXEPESTUDIO.EXEREGSHOT.EXEPROCESS MONITOR.EXESYSTEM EXPL
              Source: tasklist.exe, 00000028.00000003.1762936104.0000025BE524C000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000028.00000002.1763830079.0000025BE524C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: TASKLIST/FIIMAGENAME EQ QEMU-GA.EXEN
              Source: tasklist.exe, 00000028.00000002.1763706201.0000025BE5210000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: "TASKLIST" /FI "IMAGENAME EQ QEMU-GA.EXE"
              Source: tasklist.exe, 0000003E.00000002.1793821238.0000020DC31C0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: "TASKLIST" /FI "IMAGENAME EQ PROCESSHACKER.EXE"
              Source: tasklist.exe, 00000032.00000002.1778919878.0000026CE8248000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CQUERY(SELECT __PATH, PROCESSID, CSNAME, CAPTION, SESSIONID, THREADCOUNT, WORKINGSETSIZE, KERNELMODETIME, USERMODETIME FROM WIN32_PROCESS WHERE CAPTION = 'SBIECTRL.EXE');
              Source: tasklist.exe, 0000003A.00000003.1788739414.0000018BD941B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: WMI.EXECQUERY(SELECT __PATH, PROCESSID, CSNAME, CAPTION, SESSIONID, THREADCOUNT, WORKINGSETSIZE, KERNELMODETIME, USERMODETIME FROM WIN32_PROCESS WHERE CAPTION = 'WIRESHARK.EXE');
              Source: data.exe | Binary or memory string: C:\WINDOWS\SYSNATIVE\DRIVERS\XENVBD.SYSVMTOOLSD.EXEVMWARETRAY.EXEVMWAREUSER.EXEVMACTHLP.EXEVMWARE-VMX.EXEVMWARE-AUTHD.EXEVBOXSERVICE.EXEVBOXTRAY.EXEVBOXCONTROL.EXEVBOXHEADLESS.EXEQEMU-GA.EXEQEMU-SYSTEM-X86.EXEQEMU-SYSTEM-X86_64.EXESANDBOXIE.EXESBIESVC.EXESBIEC
              Source: tasklist.exe, 00000032.00000002.1778919878.0000026CE8248000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CT __PATH, PROCESSID, CSNAME, CAPTION, SESSIONID, THREADCOUNT, WORKINGSETSIZE, KERNELMODETIME, USERMODETIME FROM WIN32_PROCESS WHERE CAPTION = 'SBIECTRL.EXE'
              Source: data.exe, 00000000.00000002.2485496817.000001DFC201B000.00000004.00000020.00020000.00000000.sdmp, system_info.txt.0.dr | Binary or memory string: - OLLYDBG.EXE
              Source: tasklist.exe, 0000003C.00000002.1791792831.000002215FAA0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: TASKLIST/FIIMAGENAME EQ FIDDLER.EXEATA\LOCAL\TE2
              Source: data.exe | Binary or memory string: VBOXCONTROL.EXEVBOXHEADLESS.EXEQEMU-GA.EXEQEMU-SYSTEM-X86.EXEQEMU-SYSTEM-X86_64.EXESANDBOXIE.EXESBIESVC.EXESBIECTRL.EXESANDMAN.EXECOCKOO.EXEANALYSER.EXEWIRESHARK.EXEFIDDLER.EXEPROCESSHACKER.EXEPROCMON.EXEPROCEXP.EXEIDA64.EXEOLLYDBG.EXEX32DBG.EXEX64DBG.EXEWINDB
              Source: data.exe, 00000000.00000002.2485496817.000001DFC201B000.00000004.00000020.00020000.00000000.sdmp, system_info.txt.0.dr | Binary or memory string: - PROCMON.EXE
              Source: data.exe | Binary or memory string: VBOXSERVICE.DLLDBGHELP.DLLAPI_LOG.DLLDIR_WATCH.DLLWPESPY.DLLCIGDLL.DLLPSTOREC.DLLVMCHECK.DLLALLERROR.DLLSAMPLE.DLLSANDBOX.DLLAGENT.DLLDBGCORE.DLLAVGHOOK.DLLAVGHOOKA.DLLLOG_API.DLLAPI_HOOK.DLLAPIMON.DLLAPISPY.DLLREGMON.DLLFILEMON.DLLPROCMON.DLLSYSMON.DLLSYSCALL
              Source: tasklist.exe, 0000003A.00000002.1789472804.0000018BD941B000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 0000003A.00000003.1788739414.0000018BD941B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: TASKLIST/FIIMAGENAME EQ WIRESHARK.EXE++
              Source: data.exe | Binary or memory string: CMDVRT32.DLLCMDVRT64.DLLCYBERGHOSTVPN.DLLVBOXMRXNP.DLLVMSRVC.DLLVMHGFS.DLLVM3DGL.DLLVMRIG.DLLVMUSB.DLLVBOXHOOK.DLLVBOXDISP.DLLVBOXSERVICE.DLLDBGHELP.DLLAPI_LOG.DLLDIR_WATCH.DLLWPESPY.DLLCIGDLL.DLLPSTOREC.DLLVMCHECK.DLLALLERROR.DLLSAMPLE.DLLSANDBOX.DLLAGENT.DLL
              Source: data.exe | Binary or memory string: ANALYSER.EXEWIRESHARK.EXEFIDDLER.EXEPROCESSHACKER.EXEPROCMON.EXEPROCEXP.EXEIDA64.EXEOLLYDBG.EXEX32DBG.EXEX64DBG.EXEWINDBG.EXEPROCMON64.EXEFILEMON.EXEREGMON.EXEIDAG.EXEIDAW.EXEIDAQ.EXEIDAQ64.EXEIDAU64.EXESCYLLA.EXEPROTECTION_ID.EXEDUMPCAP.EXEHOOKEXPLORER.EXEIMP
              Source: data.exe | Binary or memory string: PROCMON64.EXEFILEMON.EXEREGMON.EXEIDAG.EXEIDAW.EXEIDAQ.EXEIDAQ64.EXEIDAU64.EXESCYLLA.EXEPROTECTION_ID.EXEDUMPCAP.EXEHOOKEXPLORER.EXEIMPORTREC.EXEPETOOLS.EXELORDPE.EXEPRL_TOOLS.EXEPRL_CC.EXEXENCLIENT.EXEXENSERVICE.EXEDEPENDS.EXEAUTORUNS.EXEAUTORUNSC.EXEFILESCAN
              Source: tasklist.exe, 00000040.00000002.1796168046.000001BDEC703000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CQUERY(SELECT __PATH, PROCESSID, CSNAME, CAPTION, SESSIONID, THREADCOUNT, WORKINGSETSIZE, KERNELMODETIME, USERMODETIME FROM WIN32_PROCESS WHERE CAPTION = 'PROCMON.EXE');
              Source: tasklist.exe, 0000004A.00000002.1813900025.0000016ABAD90000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\USERS\user\DESKTOP\C:\WINDOWS\SYSTEM32\TASKLIST.EXE"TASKLIST" /FI "IMAGENAME EQ X64DBG.EXE"C:\WINDOWS\SYSTEM32\TASKLIST.EXEWINSTA0\DEFAULT
              Source: data.exe | Binary or memory string: VMWARETRAY.EXEVMWAREUSER.EXEVMACTHLP.EXEVMWARE-VMX.EXEVMWARE-AUTHD.EXEVBOXSERVICE.EXEVBOXTRAY.EXEVBOXCONTROL.EXEVBOXHEADLESS.EXEQEMU-GA.EXEQEMU-SYSTEM-X86.EXEQEMU-SYSTEM-X86_64.EXESANDBOXIE.EXESBIESVC.EXESBIECTRL.EXESANDMAN.EXECOCKOO.EXEANALYSER.EXEWIRESHARK.E
              Source: data.exe | Binary or memory string: TCPVIEW.EXEPESTUDIO.EXEREGSHOT.EXEPROCESS MONITOR.EXESYSTEM EXPLORER.EXESYSTEMEXPLORER.EXESYSTEMEXPLORERSERVICE.EXENETWORKMINER.EXETCPDUMP.EXENETWORKTRAFFICVIEW.EXEETTERCAP.EXEFIRESHARK.EXEIMAGENAME EQ
              Source: data.exe, 00000000.00000002.2485496817.000001DFC201B000.00000004.00000020.00020000.00000000.sdmp, system_info.txt.0.dr | Binary or memory string: - IDAQ.EXE
              Source: data.exe | Binary or memory string: PROCESS MONITOR.EXESYSTEM EXPLORER.EXESYSTEMEXPLORER.EXESYSTEMEXPLORERSERVICE.EXENETWORKMINER.EXETCPDUMP.EXENETWORKTRAFFICVIEW.EXEETTERCAP.EXEFIRESHARK.EXEIMAGENAME EQ
              Source: data.exe | Binary or memory string: VMWAREUSER.EXEVMACTHLP.EXEVMWARE-VMX.EXEVMWARE-AUTHD.EXEVBOXSERVICE.EXEVBOXTRAY.EXEVBOXCONTROL.EXEVBOXHEADLESS.EXEQEMU-GA.EXEQEMU-SYSTEM-X86.EXEQEMU-SYSTEM-X86_64.EXESANDBOXIE.EXESBIESVC.EXESBIECTRL.EXESANDMAN.EXECOCKOO.EXEANALYSER.EXEWIRESHARK.EXEFIDDLER.EXEP
              Source: data.exe | Binary or memory string: CYBERGHOSTVPN.DLLVBOXMRXNP.DLLVMSRVC.DLLVMHGFS.DLLVM3DGL.DLLVMRIG.DLLVMUSB.DLLVBOXHOOK.DLLVBOXDISP.DLLVBOXSERVICE.DLLDBGHELP.DLLAPI_LOG.DLLDIR_WATCH.DLLWPESPY.DLLCIGDLL.DLLPSTOREC.DLLVMCHECK.DLLALLERROR.DLLSAMPLE.DLLSANDBOX.DLLAGENT.DLLDBGCORE.DLLAVGHOOK.DLLAV
              Source: tasklist.exe, 0000003C.00000002.1791792831.000002215FAA5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SELECT __PATH, PROCESSID, CSNAME, CAPTION, SESSIONID, THREADCOUNT, WORKINGSETSIZE, KERNELMODETIME, USERMODETIME FROM WIN32_PROCESS WHERE CAPTION = 'FIDDLER.EXE'PRO
              Source: data.exe | Binary or memory string: VMCHECK.DLLALLERROR.DLLSAMPLE.DLLSANDBOX.DLLAGENT.DLLDBGCORE.DLLAVGHOOK.DLLAVGHOOKA.DLLLOG_API.DLLAPI_HOOK.DLLAPIMON.DLLAPISPY.DLLREGMON.DLLFILEMON.DLLPROCMON.DLLSYSMON.DLLSYSCALL.DLLHOOKS.DLLMONITOR.DLLDEFENSE.DLLPROTECT.DLLANALYZER.DLLTRACE.DLLQEMU-GA.DLLPAR
              Source: tasklist.exe, 0000003A.00000002.1789472804.0000018BD941B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SELECT __PATH, PROCESSID, CSNAME, CAPTION, SESSIONID, THREADCOUNT, WORKINGSETSIZE, KERNELMODETIME, USERMODETIME FROM WIN32_PROCESS WHERE CAPTION = 'WIRESHARK.EXE'
              Source: data.exe | Binary or memory string: PROCEXP.EXEIDA64.EXEOLLYDBG.EXEX32DBG.EXEX64DBG.EXEWINDBG.EXEPROCMON64.EXEFILEMON.EXEREGMON.EXEIDAG.EXEIDAW.EXEIDAQ.EXEIDAQ64.EXEIDAU64.EXESCYLLA.EXEPROTECTION_ID.EXEDUMPCAP.EXEHOOKEXPLORER.EXEIMPORTREC.EXEPETOOLS.EXELORDPE.EXEPRL_TOOLS.EXEPRL_CC.EXEXENCLIENT.
              Source: data.exe, 00000000.00000002.2485496817.000001DFC201B000.00000004.00000020.00020000.00000000.sdmp, system_info.txt.0.dr | Binary or memory string: - AUTORUNS.EXE
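The data.exe strings above are the sample's built-in list of analysis tools, dumped with the separators between entries lost, and the tasklist.exe strings show how it is used: one `tasklist /FI "IMAGENAME eq <name>"` child per entry. The `SELECT ... FROM Win32_Process WHERE Caption = '<name>'` queries found in tasklist.exe memory are tasklist's own implementation of that filter, not WMI the sample issued itself. The Python below is an added example, not part of the Joe Sandbox report or of the sample: it recovers the individual names from a fused blob by splitting on the .EXE/.DLL/.SYS boundaries (the user-name and vendor-word lists further down have no such boundary and cannot be split this way), and then flags a parent process that spawns a burst of tasklist filter queries naming those tools. The two blobs are quoted from the report; the process-creation records and their field names are constructed for the example and do not follow any specific EDR schema.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple

# One element of a fused string table: a name (letters, digits, space, '_' or '-') up to the
# next .EXE/.DLL/.SYS. Entries without such an extension ("IMAGENAME EQ", user names) and a
# truncated final element cannot be recovered and are dropped rather than guessed at.
_ELEMENT = re.compile(r"[A-Z0-9 _\-]+?\.(?:EXE|DLL|SYS)", re.IGNORECASE)


def split_artifact_blob(blob: str) -> List[str]:
    """Recover individual tool/driver names from a fused 'Binary or memory string' artifact."""
    return [m.group(0).upper() for m in _ELEMENT.finditer(blob)]


# Two of the fused data.exe strings quoted from the report above.
BLOB_A = ("VMWARE-VMX.EXEVMWARE-AUTHD.EXEVBOXSERVICE.EXEVBOXTRAY.EXEVBOXCONTROL.EXEVBOXHEADLESS.EXE"
          "QEMU-GA.EXEQEMU-SYSTEM-X86.EXEQEMU-SYSTEM-X86_64.EXESANDBOXIE.EXESBIESVC.EXESBIECTRL.EXE"
          "SANDMAN.EXECOCKOO.EXEANALYSER.EXEWIRESHARK.EXEFIDDLER.EXEPROCESSHACKER.EXEPROCMON.EX")
BLOB_B = ("ANALYSER.EXEWIRESHARK.EXEFIDDLER.EXEPROCESSHACKER.EXEPROCMON.EXEPROCEXP.EXEIDA64.EXE"
          "OLLYDBG.EXEX32DBG.EXEX64DBG.EXEWINDBG.EXEPROCMON64.EXEFILEMON.EXEREGMON.EXEIDAG.EXE"
          "IDAW.EXEIDAQ.EXEIDAQ64.EXEIDAU64.EXESCYLLA.EXEPROTECTION_ID.EXEDUMPCAP.EXEHOOKEXPLORER.EXEIMP")
WATCHLIST: Set[str] = set(split_artifact_blob(BLOB_A)) | set(split_artifact_blob(BLOB_B))


@dataclass(frozen=True)
class ProcEvent:
    """A process-creation record (constructed schema, not a specific EDR's)."""
    ts: float      # seconds
    pid: int
    ppid: int
    image: str     # full path of the created process
    cmdline: str


# Matches both forms seen in the report: "TASKLIST" /FI "IMAGENAME EQ X" and tasklist /fi IMAGENAME eq x
_TASKLIST_FILTER = re.compile(r'/FI\s+"?IMAGENAME\s+eq\s+([^"]+?)"?\s*$', re.IGNORECASE)


def tasklist_filter_target(cmdline: str) -> Optional[str]:
    """Return the upper-cased image name a tasklist /FI IMAGENAME filter asks about, if any."""
    m = _TASKLIST_FILTER.search(cmdline)
    return m.group(1).strip().upper() if m else None


def detect_tasklist_sweep(events: Iterable[ProcEvent], watchlist: Set[str],
                          min_hits: int = 3, window_s: float = 30.0) -> Dict[int, List[str]]:
    """Return {parent pid: sorted tool names} for parents that spawned at least min_hits
    tasklist filter queries for watch-listed tools within any window_s-second window."""
    by_parent: Dict[int, List[Tuple[float, str]]] = defaultdict(list)
    for e in events:
        if not e.image.lower().endswith("\\tasklist.exe"):
            continue
        target = tasklist_filter_target(e.cmdline)
        if target and target in watchlist:
            by_parent[e.ppid].append((e.ts, target))
    flagged: Dict[int, List[str]] = {}
    for ppid, seq in by_parent.items():
        seq.sort()
        start = 0
        for end in range(len(seq)):           # sliding window over the sorted timestamps
            while seq[end][0] - seq[start][0] > window_s:
                start += 1
            if end - start + 1 >= min_hits:
                flagged[ppid] = sorted({name for _, name in seq})
                break
    return flagged


def build_sample_events() -> List[ProcEvent]:
    """Constructed records: one sweeping parent, one admin query, one parent below threshold."""
    tl = "C:\\Windows\\System32\\tasklist.exe"
    ev = []
    for i, name in enumerate(["QEMU-GA.EXE", "FIDDLER.EXE", "PROCMON.EXE", "OLLYDBG.EXE", "X64DBG.EXE"]):
        ev.append(ProcEvent(10.0 + i, 5000 + i, 1000, tl, f'"TASKLIST" /FI "IMAGENAME EQ {name}"'))
    ev.append(ProcEvent(12.0, 6000, 2000, tl, "tasklist /fi IMAGENAME eq notepad.exe"))
    ev.append(ProcEvent(20.0, 7000, 3000, tl, 'tasklist /FI "IMAGENAME eq wireshark.exe"'))
    ev.append(ProcEvent(21.0, 7001, 3000, tl, 'tasklist /FI "IMAGENAME eq procmon.exe"'))
    return ev


def run_demo() -> Dict[int, List[str]]:
    return detect_tasklist_sweep(build_sample_events(), WATCHLIST)


if __name__ == "__main__":
    print(f"{len(WATCHLIST)} tool names recovered from the two fused strings")
    for ppid, names in run_demo().items():
        print(f"parent pid {ppid} swept for analysis tools: {', '.join(names)}")
```

The threshold and window are tuning knobs: a single `tasklist /FI` from an administrator is normal, a parent that issues one per tool name from this list within seconds is the pattern the report's process tree shows. Note that `PROCMON.EX` at the end of the first blob is a truncation and is dropped; it is only because the second blob carries the full `PROCMON.EXE` that the name reaches the watchlist.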
              Source: C:\Users\user\Desktop\data.exe | File opened / queried: C:\Users\user\Desktop\vboxservice.dll
              Source: C:\Users\user\Desktop\data.exe | File opened / queried: C:\Program Files (x86)\Common Files\Oracle\Java\javapath\vboxservice.dll
              Source: C:\Users\user\Desktop\data.exe | File opened / queried: C:\Windows\SYSTEM32\vmsrvc.dll
              Source: C:\Users\user\Desktop\data.exe | File opened / queried: C:\Windows\vmsrvc.dll
              Source: C:\Users\user\Desktop\data.exe | File opened / queried: C:\Windows\System32\OpenSSH\vmhgfs.dll
              Source: C:\Users\user\Desktop\data.exe | File opened / queried: C:\windows\sysnative\drivers\prleth.sys
              Source: C:\Users\user\Desktop\data.exe | File opened / queried: C:\Windows\System32\Wbem\vmsrvc.dll
              Source: C:\Users\user\Desktop\data.exe | File opened / queried: C:\windows\sysnative\drivers\VBoxVideo.sys
              Source: C:\Users\user\Desktop\data.exe | File opened / queried: C:\Program Files (x86)\Common Files\Oracle\Java\javapath\vmsrvc.dll
              Source: C:\Users\user\Desktop\data.exe | File opened / queried: C:\Users\user\AppData\Local\Microsoft\WindowsApps\vboxhook.dll
              Source: C:\Users\user\Desktop\data.exe | File opened / queried: C:\windows\sysnative\drivers\vmnet.sys
              Source: C:\Users\user\Desktop\data.exe | File opened / queried: C:\windows\sysnative\drivers\xennet.sys
              Source: C:\Users\user\Desktop\data.exe | File opened / queried: C:\Windows\system32\vboxservice.dll
              Source: C:\Users\user\Desktop\data.exe | File opened / queried: C:\Windows\System32\WindowsPowerShell\v1.0\vmhgfs.dll
              Source: C:\Users\user\Desktop\data.exe | File opened / queried: C:\windows\sysnative\drivers\prlvideo.sys
              Source: C:\Users\user\Desktop\data.exe | File opened / queried: C:\Windows\System32\OpenSSH\vboxhook.dll
              Source: C:\Users\user\Desktop\data.exe | File opened / queried: C:\windows\sysnative\drivers\vmhgfs.sys
              Source: C:\Users\user\Desktop\data.exe | File opened / queried: C:\Windows\SYSTEM32\vboxhook.dll
              Source: C:\Users\user\Desktop\data.exe | File opened / queried: C:\Windows\system\vboxhook.dll
              Source: C:\Users\user\Desktop\data.exe | File opened / queried: C:\Windows\System32\WindowsPowerShell\v1.0\vboxservice.dll
              Source: C:\Users\user\Desktop\data.exe | File opened / queried: C:\Windows\system32\vmsrvc.dll
              Source: C:\Users\user\Desktop\data.exe | File opened / queried: C:\Windows\system\vmhgfs.dll
              Source: C:\Users\user\Desktop\data.exe | File opened / queried: C:\Users\user\AppData\Local\Microsoft\WindowsApps\vmsrvc.dll
              Source: C:\Users\user\Desktop\data.exe | File opened / queried: C:\Windows\vboxhook.dll
              Source: C:\Users\user\Desktop\data.exe | File opened / queried: C:\Windows\vmhgfs.dll
              Source: C:\Users\user\Desktop\data.exe | File opened / queried: C:\Windows\SYSTEM32\vmhgfs.dll
              Source: C:\Users\user\Desktop\data.exe | File opened / queried: C:\Users\user\Desktop\vmsrvc.dll
              Source: C:\Users\user\Desktop\data.exe | File opened / queried: C:\windows\sysnative\drivers\prlmouse.sys
              Source: C:\Users\user\Desktop\data.exe | File opened / queried: C:\Windows\System32\Wbem\vmhgfs.dll
              Source: C:\Users\user\Desktop\data.exe | File opened / queried: C:\windows\sysnative\drivers\VBoxGuest.sys
              Source: C:\Users\user\Desktop\data.exe | File opened / queried: C:\Windows\System32\OpenSSH\vmsrvc.dll
              Source: C:\Users\user\Desktop\data.exe | File opened / queried: C:\Users\user\Desktop\vboxhook.dll
              Source: C:\Users\user\Desktop\data.exe | File opened / queried: C:\windows\sysnative\drivers\VBoxSF.sys
              Source: C:\Users\user\Desktop\data.exe | File opened / queried: C:\Program Files (x86)\Common Files\Oracle\Java\javapath\vmhgfs.dll
              Source: C:\Users\user\Desktop\data.exe | File opened / queried: C:\Program Files (x86)\Common Files\Oracle\Java\javapath\vboxhook.dll
              Source: C:\Users\user\Desktop\data.exe | File opened / queried: C:\windows\sysnative\drivers\vmmouse.sys
              Source: C:\Users\user\Desktop\data.exe | File opened / queried: C:\Windows\system32\vboxhook.dll
              Source: C:\Users\user\Desktop\data.exe | File opened / queried: C:\Program Files\VMware\VMware Tools\
              Source: C:\Users\user\Desktop\data.exe | File opened / queried: C:\Windows\System32\Wbem\vboxservice.dll
              Source: C:\Users\user\Desktop\data.exe | File opened / queried: C:\windows\sysnative\drivers\VBoxMouse.sys
              Source: C:\Users\user\Desktop\data.exe | File opened / queried: C:\Windows\System32\WindowsPowerShell\v1.0\vmsrvc.dll
              Source: C:\Users\user\Desktop\data.exe | File opened / queried: C:\Windows\SYSTEM32\vboxservice.dll
              Source: C:\Users\user\Desktop\data.exe | File opened / queried: C:\Windows\System32\OpenSSH\vboxservice.dll
              Source: C:\Users\user\Desktop\data.exe | File opened / queried: C:\windows\sysnative\drivers\prlfs.sys
              Source: C:\Users\user\Desktop\data.exe | File opened / queried: C:\windows\sysnative\drivers\vmx86.sys
              Source: C:\Users\user\Desktop\data.exe | File opened / queried: C:\windows\sysnative\drivers\vmmemctl.sys
              Source: C:\Users\user\Desktop\data.exe | File opened / queried: C:\Windows\system\vboxservice.dll
              Source: C:\Users\user\Desktop\data.exe | File opened / queried: C:\windows\sysnative\drivers\xensvc.sys
              Source: C:\Users\user\Desktop\data.exe | File opened / queried: C:\Windows\System32\WindowsPowerShell\v1.0\vboxhook.dll
              Source: C:\Users\user\Desktop\data.exe | File opened / queried: C:\windows\sysnative\vboxhook.dll
              Source: C:\Users\user\Desktop\data.exe | File opened / queried: C:\Users\user\AppData\Local\Microsoft\WindowsApps\vboxservice.dll
              Source: C:\Users\user\Desktop\data.exe | File opened / queried: C:\Users\user\Desktop\vmhgfs.dll
              Source: C:\Users\user\Desktop\data.exe | File opened / queried: C:\Windows\vboxservice.dll
              Source: C:\Users\user\Desktop\data.exe | File opened / queried: C:\Windows\System32\Wbem\vboxhook.dll
              Source: C:\Users\user\Desktop\data.exe | File opened / queried: C:\Windows\system\vmsrvc.dll
              Source: C:\Users\user\Desktop\data.exe | File opened / queried: C:\Users\user\AppData\Local\Microsoft\WindowsApps\vmhgfs.dll
              Source: C:\Users\user\Desktop\data.exe | File opened / queried: C:\Windows\system32\vmhgfs.dll
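Two things stand out in the probe list. The driver names (prleth.sys, VBoxGuest.sys, vmx86.sys, xennet.sys and so on) are looked up only at the hard-coded C:\windows\sysnative\drivers\ path, consistent with the FindFirstFileW call the report lists at 0_2_00007FF796346360 further down. The DLL names (vboxservice.dll, vboxhook.dll, vmsrvc.dll, vmhgfs.dll) are instead looked up in the sample's working directory, then System32, System and Windows, then every PATH entry of the analysis VM (OpenSSH, WindowsPowerShell\v1.0, Wbem, the Java javapath directory, WindowsApps). That is the Windows library search order, so the sample most likely resolves those names through a loader-style lookup rather than by checking fixed paths; the report does not show which API, so treat that as an inference. The Python below is an added example, not the report's or the sample's code: it groups the probed paths by basename and by where they were looked up, and flags a process that sweeps several vendors' guest-tools files. The PATH directory list and the `min_distinct` threshold are this example's assumptions, and the probe list is a subset copied from the report above.

```python
import ntpath
from collections import defaultdict
from typing import Dict, Iterable, Optional, Set, Tuple

# Basenames probed in the report, lower-cased; "vmware tools" is the directory probe.
VM_ARTIFACT_NAMES: Set[str] = {
    "vboxservice.dll", "vboxhook.dll", "vboxguest.sys", "vboxmouse.sys", "vboxsf.sys",
    "vboxvideo.sys", "vmsrvc.dll", "vmhgfs.dll", "vmhgfs.sys", "vmmouse.sys", "vmnet.sys",
    "vmx86.sys", "vmmemctl.sys", "vmware tools", "prleth.sys", "prlfs.sys", "prlmouse.sys",
    "prlvideo.sys", "xennet.sys", "xensvc.sys",
}
# Family by name prefix. vmsrvc.dll belongs to Virtual PC's integration components rather
# than VMware, hence the combined label for the vm* prefix.
FAMILY_PREFIXES = (("vbox", "VirtualBox"), ("vm", "VMware/VirtualPC"),
                   ("prl", "Parallels"), ("xen", "Xen"))

# Directory classes. PATH_DIRS is assumed from the locations in the report: it is the
# analysis VM's PATH, not something the sample hard-codes.
DLL_SEARCH_ORDER_DIRS = {r"c:\windows\system32", r"c:\windows\system", r"c:\windows",
                         r"c:\windows\sysnative"}
DRIVER_DIR = r"c:\windows\sysnative\drivers"
PATH_DIRS = {
    r"c:\program files (x86)\common files\oracle\java\javapath",
    r"c:\windows\system32\openssh",
    r"c:\windows\system32\windowspowershell\v1.0",
    r"c:\windows\system32\wbem",
    r"c:\users\user\appdata\local\microsoft\windowsapps",
}


def split_probe(path: str) -> Tuple[str, str]:
    """Split a probed path into (directory, lower-cased basename); a trailing backslash
    marks a directory probe such as C:\\Program Files\\VMware\\VMware Tools\\."""
    directory, base = ntpath.split(path.rstrip("\\"))
    return directory, base.lower()


def classify_dir(directory: str, cwd: str) -> str:
    d = directory.lower().rstrip("\\")
    if d == cwd.lower().rstrip("\\"):
        return "cwd"
    if d == DRIVER_DIR:
        return "driver-path"
    if d in DLL_SEARCH_ORDER_DIRS:
        return "dll-search-order"
    if d in PATH_DIRS:
        return "PATH-entry"
    return "explicit"


def artifact_family(basename: str) -> Optional[str]:
    for prefix, family in FAMILY_PREFIXES:
        if basename.startswith(prefix):
            return family
    return None


def summarize_probes(paths: Iterable[str], cwd: str) -> Dict[str, Set[str]]:
    """Map each probed VM-artifact basename to the directory classes it was looked up in."""
    out: Dict[str, Set[str]] = defaultdict(set)
    for p in paths:
        directory, base = split_probe(p)
        if base in VM_ARTIFACT_NAMES:
            out[base].add(classify_dir(directory, cwd))
    return dict(out)


def probe_verdict(paths: Iterable[str], cwd: str, min_distinct: int = 4) -> Tuple[bool, int, Set[str]]:
    """(flagged, distinct artifact names, hypervisor families touched) for one process.
    The threshold is an assumption: a stray lookup or two happens in legitimate software,
    a sweep across several vendors' guest-tools files does not."""
    names = set(summarize_probes(paths, cwd))
    families = {f for f in map(artifact_family, names) if f}
    return len(names) >= min_distinct, len(names), families


CWD = "C:\\Users\\user\\Desktop"
# Subset of the "File opened / queried" paths listed in the report.
SAMPLE_PROBES = [
    "C:\\Users\\user\\Desktop\\vboxservice.dll",
    "C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath\\vboxservice.dll",
    "C:\\Windows\\SYSTEM32\\vmsrvc.dll",
    "C:\\Windows\\vmsrvc.dll",
    "C:\\Windows\\System32\\OpenSSH\\vmhgfs.dll",
    "C:\\windows\\sysnative\\drivers\\prleth.sys",
    "C:\\Windows\\System32\\Wbem\\vmsrvc.dll",
    "C:\\windows\\sysnative\\drivers\\VBoxVideo.sys",
    "C:\\Users\\user\\AppData\\Local\\Microsoft\\WindowsApps\\vboxhook.dll",
    "C:\\windows\\sysnative\\drivers\\vmnet.sys",
    "C:\\windows\\sysnative\\drivers\\xennet.sys",
    "C:\\Windows\\system32\\vboxservice.dll",
    "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\vmhgfs.dll",
    "C:\\Windows\\SYSTEM32\\vboxhook.dll",
    "C:\\Windows\\system\\vboxhook.dll",
    "C:\\Users\\user\\Desktop\\vboxhook.dll",
    "C:\\Program Files\\VMware\\VMware Tools\\",
    "C:\\windows\\sysnative\\drivers\\vmx86.sys",
]

if __name__ == "__main__":
    for name, where in sorted(summarize_probes(SAMPLE_PROBES, CWD).items()):
        print(f"{name:16} {artifact_family(name) or '-':18} {sorted(where)}")
    print(probe_verdict(SAMPLE_PROBES, CWD))
```

The per-basename location set is the useful triage output: a name that shows up under `cwd`, `dll-search-order` and `PATH-entry` was resolved by the loader's search, so planting a decoy in the working directory would be found first, whereas a name that only ever appears under `driver-path` is checked at one fixed location.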
              Source: C:\Windows\System32\wbem\WMIC.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT SerialNumber FROM Win32_BIOS
              Source: C:\Windows\System32\wbem\WMIC.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT SerialNumber FROM Win32_BaseBoard
              Source: C:\Windows\System32\systeminfo.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
              Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT SerialNumber FROM Win32_BIOS
              Source: C:\Windows\System32\conhost.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
              Source: C:\Windows\System32\conhost.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
              Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
              Source: C:\Windows\System32\wbem\WMIC.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT TotalPhysicalMemory FROM Win32_ComputerSystem
              Source: C:\Windows\System32\wbem\WMIC.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Model FROM Win32_ComputerSystem
              Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
              Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
              Source: C:\Windows\System32\wbem\WMIC.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM WIN32_PROCESSOR
              Source: C:\Windows\System32\systeminfo.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
              Source: C:\Windows\System32\systeminfo.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
              Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM WIN32_PROCESSOR
              Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
              Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
              Source: C:\Users\user\Desktop\data.exe | Code function: 0_2_00007FF796346360 CloseHandle,FindFirstFileW,FindClose
              Source: tasklist.exe, 0000002A.00000002.1767174277.0000020257465000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'QEMU-SYSTEM-X86.EXE'IFIE~px
              Source: data.exe | Binary or memory string: 111122223333444455556666777D4B67276A58480C8ete9t8e8t3UnknownDefault string1234567890 NoneN/AAllDefaultSystem50023570840958302290236455696557BSS-01234567897865625393116424L1HF0CF008J3209-6896-4881-1621-1204-9357-891RLVSSVMware-42 23 54 12 34 56 78 90-12 34 56 7
              Source: tasklist.exe, 0000002A.00000003.1765434444.0000020257257000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 0000002A.00000003.1765550120.0000020257268000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'QEMU-SYSTEM-X86.EXE'-+V9C
              Source: tasklist.exe, 0000002A.00000002.1766358377.000002025726A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: cQuery(SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'QEMU-SYSTEM-X86.EXE');
              Source: data.exe | Binary or memory string: labuserlabtechlabtestersandbox_uservm_usertest_adminmalwarelabanalysisstnsec_analystsysadminnetadminsupporthelpdeskservicesupervisormaintaincontrolscanmonitorUSERNAMEVBOXVIRTUALBOXORACLE VMINNOTEKSUN VIRTUALBOXVMWAREVM_VIRTUAL MACHINEVMXNETVMX86VSPCQEMUQEMU HA
              Source: data.exe | Binary or memory string: 1RLVSSVMware-42 23 54 12 34 56 78 90-12 34 56 78 90 12 34 56VMware-56 4d 14 aa bb cc dd ee-ff 00 11 22 33 44 55 66VM-1234567890VMWVMware, Inc.VirtualBox-00 11 22 33 44 55 66 77-88 99 aa bb cc dd ee ffVBOX-1234567890VBOX_HARDDISK0VIRTUAL_DISKQEMU0001QEMU1234TES
              Source: data.exe | Binary or memory string: testingviruslabmaltestsamplesecurediagnosticvmwarevboxvirtualvmqemucuckooabbeyalalexbrunofredgeorgeharryjohnjohnsonjoneslisapaulpetersmithworkvtcdekkerhoneyhoneypotcurrentlocalaudittechdebugnulldummytempdemoevalsophosmcafeesymanteckasperskyavastbitdefendereset
              Source: data.exe, 00000000.00000002.2485496817.000001DFC201B000.00000004.00000020.00020000.00000000.sdmp, system_info.txt.0.dr | Binary or memory string: - qemu-system-x86.exe
              Source: data.exe | Binary or memory string: C:\windows\sysnative\drivers\prlvideo.sysC:\windows\sysnative\drivers\xennet.sysC:\windows\sysnative\drivers\xensvc.sysC:\windows\sysnative\drivers\xenvbd.sysvmtoolsd.exevmwaretray.exevmwareuser.exevmacthlp.exevmware-vmx.exevmware-authd.exevboxservice.exevboxt
              Source: data.exe | Binary or memory string: analysisanalyzerresearchsecuritytesttestertestingviruslabmaltestsamplesecurediagnosticvmwarevboxvirtualvmqemucuckooabbeyalalexbrunofredgeorgeharryjohnjohnsonjoneslisapaulpetersmithworkvtcdekkerhoneyhoneypotcurrentlocalaudittechdebugnulldummytempdemoevalsophosm
              Source: tasklist.exe, 0000002C.00000003.1769103886.000001C8E2E97000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 0000002C.00000002.1769852625.000001C8E2EAB000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 0000002C.00000003.1769215795.000001C8E2EA9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: tasklist/fiIMAGENAME eq qemu-system-x86_64.exe
              Source: data.exe | Binary or memory string: vboxservice.exevboxtray.exevboxcontrol.exevboxheadless.exeqemu-ga.exeqemu-system-x86.exeqemu-system-x86_64.exesandboxie.exesbiesvc.exesbiectrl.exesandman.execockoo.exeanalyser.exewireshark.exefiddler.exeprocesshacker.exeprocmon.exeprocexp.exeida64.exeollydbg.e
              Source: tasklist.exe, 00000016.00000002.1739744379.000002B0928BA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: cQuery(SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'VMWARETRAY.EXE');
              Source: tasklist.exe, 0000001E.00000003.1751629569.000001D59AF4C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: , ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'VMWARE-AUTHD.EXE'0
              Source: data.exe | Binary or memory string: cmdvrt32.dllcmdvrt64.dllcyberghostvpn.dllvboxmrxnp.dllvmsrvc.dllvmhgfs.dllvm3dgl.dllvmrig.dllvmusb.dllvboxhook.dllvboxdisp.dllvboxservice.dlldbghelp.dllapi_log.dlldir_watch.dllwpespy.dllcigdll.dllpstorec.dllvmcheck.dllallerror.dllsample.dllsandbox.dllagent.dll
              Source: data.exe, 00000000.00000002.2485496817.000001DFC201B000.00000004.00000020.00020000.00000000.sdmp, system_info.txt.0.dr | Binary or memory string: - qemu-system-x86_64.exe
              Source: tasklist.exe, 0000001E.00000003.1751509089.000001D59AF60000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: WMI.ExecQuery(SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'VMWARE-AUTHD.EXE');
              Source: data.exe | Binary or memory string: C:\windows\sysnative\drivers\VBoxVideo.sysC:\windows\sysnative\vboxdisp.dllC:\windows\sysnative\vboxhook.dllC:\windows\sysnative\vboxmrxnp.dllC:\Program Files\Oracle\VirtualBox Guest Additions\C:\windows\sysnative\drivers\qemu-ga.sysC:\windows\sysnative\driver
              Source: tasklist.exe, 0000002C.00000003.1769103886.000001C8E2E97000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 0000002C.00000003.1769215795.000001C8E2EA9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'QEMU-SYSTEM-X86_64.EXE'
              Source: tasklist.exe, 00000018.00000002.1742374397.00000134C6045000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'VMWAREUSER.EXE'I
              Source: tasklist.exe, 00000022.00000002.1757334217.0000025874745000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'VBOXTRAY.EXE'PROr
              Source: data.exeBinary or memory string: N/AAllDefaultSystem50023570840958302290236455696557BSS-01234567897865625393116424L1HF0CF008J3209-6896-4881-1621-1204-9357-891RLVSSVMware-42 23 54 12 34 56 78 90-12 34 56 78 90 12 34 56VMware-56 4d 14 aa bb cc dd ee-ff 00 11 22 33 44 55 66VM-1234567890VMWVMware
              Source: tasklist.exe, 00000022.00000002.1757334217.0000025874740000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: tasklist/fiIMAGENAME eq vboxtray.exea\Local\TeV
              Source: data.exeBinary or memory string: dbgcore.dllavghook.dllavghooka.dlllog_api.dllapi_hook.dllapimon.dllapispy.dllregmon.dllfilemon.dllprocmon.dllsysmon.dllsyscall.dllhooks.dllmonitor.dlldefense.dllprotect.dllanalyzer.dlltrace.dllqemu-ga.dllparallels.dllprl_tools.dllvpcmap.dllvmusbmouse.dllvmtray
              Source: data.exeBinary or memory string: qemucuckooabbeyalalexbrunofredgeorgeharryjohnjohnsonjoneslisapaulpetersmithworkvtcdekkerhoneyhoneypotcurrentlocalaudittechdebugnulldummytempdemoevalsophosmcafeesymanteckasperskyavastbitdefenderesettrendpandadefendercorpcyberinfosecforensicsincidentreversesocbl
              Source: data.exeBinary or memory string: SUN VIRTUALBOXVMWAREVM_VIRTUAL MACHINEVMXNETVMX86VSPCQEMUQEMU HARDDISKQEMU DVD-ROMQEMU VIRTUALQ35BOCHSXENHVM DOMUXEN VIRTUALXENVMXVMHYPER-VMICROSOFT VIRTUALVIRTUAL HDMICROSOFTVIRTUALMICROSOFT CORPORATIONPARALLELSPARALLELS VIRTUALPARALLELS PLATFORMPARALLELS TOO
              Source: data.exeBinary or memory string: XVMHYPER-VMICROSOFT VIRTUALVIRTUAL HDMICROSOFTVIRTUALMICROSOFT CORPORATIONPARALLELSPARALLELS VIRTUALPARALLELS PLATFORMPARALLELS TOOLSKVMQEMU/KVMKVM VIRTUALLINUX KVMRED HAT KVMVIRTUALBHYVEPROXMOXDOCKERLXCOPENVZCITRIXAMAZON EC2AWSGOOGLE COMPUTEGCPAZUREVAGRANTEC2
              Source: data.exeBinary or memory string: XEN VIRTUALXENVMXVMHYPER-VMICROSOFT VIRTUALVIRTUAL HDMICROSOFTVIRTUALMICROSOFT CORPORATIONPARALLELSPARALLELS VIRTUALPARALLELS PLATFORMPARALLELS TOOLSKVMQEMU/KVMKVM VIRTUALLINUX KVMRED HAT KVMVIRTUALBHYVEPROXMOXDOCKERLXCOPENVZCITRIXAMAZON EC2AWSGOOGLE COMPUTEGC
              Source: data.exeBinary or memory string: FredGeorgeharry johnsonLisaPaul Joneslabuserlabtechlabtestersandbox_uservm_usertest_adminmalwarelabanalysisstnsec_analystsysadminnetadminsupporthelpdeskservicesupervisormaintaincontrolscanmonitorUSERNAMEVBOXVIRTUALBOXORACLE VMINNOTEKSUN VIRTUALBOXVMWAREVM_VIRT
              Source: tasklist.exe, 0000002C.00000002.1769661849.000001C8E2E70000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Users\user\Desktop\C:\Windows\system32\tasklist.exe"tasklist" /fi "IMAGENAME eq qemu-system-x86_64.exe"C:\Windows\system32\tasklist.exeWinsta0\Defaultq
              Source: data.exeBinary or memory string: analyzer.dlltrace.dllqemu-ga.dllparallels.dllprl_tools.dllvpcmap.dllvmusbmouse.dllvmtray.dllwireshark.dllwindbg.dllollydbg.dllimmunity.dllghidra.dllida.dllx64dbg.dll
              Source: data.exeBinary or memory string: log_api.dllapi_hook.dllapimon.dllapispy.dllregmon.dllfilemon.dllprocmon.dllsysmon.dllsyscall.dllhooks.dllmonitor.dlldefense.dllprotect.dllanalyzer.dlltrace.dllqemu-ga.dllparallels.dllprl_tools.dllvpcmap.dllvmusbmouse.dllvmtray.dllwireshark.dllwindbg.dllollydbg
              Source: data.exeBinary or memory string: C:\windows\sysnative\drivers\vmmouse.sysC:\windows\sysnative\drivers\vmhgfs.sysC:\windows\sysnative\drivers\vmusbmouse.sysC:\windows\sysnative\drivers\vmrawdsk.sysC:\windows\sysnative\drivers\vmmemctl.sysC:\windows\sysnative\drivers\vmx86.sysC:\windows\sysnati
              Source: data.exeBinary or memory string: PARALLELS TOOLSKVMQEMU/KVMKVM VIRTUALLINUX KVMRED HAT KVMVIRTUALBHYVEPROXMOXDOCKERLXCOPENVZCITRIXAMAZON EC2AWSGOOGLE COMPUTEGCPAZUREVAGRANTEC2AMAZONT2.MICROT3.MICROGOOGLE CLOUDMICROSOFT AZUREDIGITALOCEANLINODEVULTRSANDBOXVIRTUAL PLATFORMWINEANUBISCUCKOOJOEBOXV
              Source: tasklist.exe, 00000016.00000003.1739349375.000002B0928B9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: IMAGENAME eq vmwaretray.exe
              Source: data.exeBinary or memory string: protect.dllanalyzer.dlltrace.dllqemu-ga.dllparallels.dllprl_tools.dllvpcmap.dllvmusbmouse.dllvmtray.dllwireshark.dllwindbg.dllollydbg.dllimmunity.dllghidra.dllida.dllx64dbg.dll
              Source: data.exeBinary or memory string: vboxcontrol.exevboxheadless.exeqemu-ga.exeqemu-system-x86.exeqemu-system-x86_64.exesandboxie.exesbiesvc.exesbiectrl.exesandman.execockoo.exeanalyser.exewireshark.exefiddler.exeprocesshacker.exeprocmon.exeprocexp.exeida64.exeollydbg.exex32dbg.exex64dbg.exewindb
              Source: tasklist.exe, 00000028.00000003.1762936104.0000025BE524C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: WMI.ExecQuery(SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'QEMU-GA.EXE');
              Source: data.exeBinary or memory string: vmware-authd.exevboxservice.exevboxtray.exevboxcontrol.exevboxheadless.exeqemu-ga.exeqemu-system-x86.exeqemu-system-x86_64.exesandboxie.exesbiesvc.exesbiectrl.exesandman.execockoo.exeanalyser.exewireshark.exefiddler.exeprocesshacker.exeprocmon.exeprocexp.exeid
              Source: data.exeBinary or memory string: viruslabmaltestsamplesecurediagnosticvmwarevboxvirtualvmqemucuckooabbeyalalexbrunofredgeorgeharryjohnjohnsonjoneslisapaulpetersmithworkvtcdekkerhoneyhoneypotcurrentlocalaudittechdebugnulldummytempdemoevalsophosmcafeesymanteckasperskyavastbitdefenderesettrendpa
              Source: tasklist.exe, 00000028.00000002.1763961284.0000025BE54D0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: tasklist/fiIMAGENAME eq qemu-ga.exeata\Local\Te
              Source: data.exeBinary or memory string: testtestertestingviruslabmaltestsamplesecurediagnosticvmwarevboxvirtualvmqemucuckooabbeyalalexbrunofredgeorgeharryjohnjohnsonjoneslisapaulpetersmithworkvtcdekkerhoneyhoneypotcurrentlocalaudittechdebugnulldummytempdemoevalsophosmcafeesymanteckasperskyavastbitde
              Source: data.exe, 00000000.00000002.2485496817.000001DFC201B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Windows\vmhgfs.dll
              Source: tasklist.exe, 0000001E.00000002.1752141431.000001D59AF20000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Users\user\Desktop\C:\Windows\system32\tasklist.exe"tasklist" /fi "IMAGENAME eq vmware-authd.exe"C:\Windows\system32\tasklist.exeWinsta0\Default
              Source: tasklist.exe, 00000020.00000002.1754236986.0000025E1E4A0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: "tasklist" /fi "IMAGENAME eq vboxservice.exe"
              Source: data.exeBinary or memory string: USERNAMEVBOXVIRTUALBOXORACLE VMINNOTEKSUN VIRTUALBOXVMWAREVM_VIRTUAL MACHINEVMXNETVMX86VSPCQEMUQEMU HARDDISKQEMU DVD-ROMQEMU VIRTUALQ35BOCHSXENHVM DOMUXEN VIRTUALXENVMXVMHYPER-VMICROSOFT VIRTUALVIRTUAL HDMICROSOFTVIRTUALMICROSOFT CORPORATIONPARALLELSPARALLELS
              Source: tasklist.exe, 00000020.00000003.1753721268.0000025E1E4DB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: WMI.ExecQuery(SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'VBOXSERVICE.EXE');
              Source: tasklist.exe, 0000002A.00000002.1766358377.000002025726A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'QEMU-SYSTEM-X86.EXE'
              Source: data.exeBinary or memory string: supporthelpdeskservicesupervisormaintaincontrolscanmonitorUSERNAMEVBOXVIRTUALBOXORACLE VMINNOTEKSUN VIRTUALBOXVMWAREVM_VIRTUAL MACHINEVMXNETVMX86VSPCQEMUQEMU HARDDISKQEMU DVD-ROMQEMU VIRTUALQ35BOCHSXENHVM DOMUXEN VIRTUALXENVMXVMHYPER-VMICROSOFT VIRTUALVIRTUAL
              Source: data.exeBinary or memory string: QEMU/KVMKVM VIRTUALLINUX KVMRED HAT KVMVIRTUALBHYVEPROXMOXDOCKERLXCOPENVZCITRIXAMAZON EC2AWSGOOGLE COMPUTEGCPAZUREVAGRANTEC2AMAZONT2.MICROT3.MICROGOOGLE CLOUDMICROSOFT AZUREDIGITALOCEANLINODEVULTRSANDBOXVIRTUAL PLATFORMWINEANUBISCUCKOOJOEBOXVPCJETBRAINSHYBRID
              Source: data.exeBinary or memory string: C:\windows\sysnative\drivers\qemufwcfg.sysC:\windows\sysnative\drivers\qemupciserial.sysC:\sandcastle\C:\sandbox\C:\tools\sandbox\C:\Program Files\Sandboxie\C:\Program Files\Cuckoo\C:\Program Files\Joe Sandbox\C:\Program Files\Wireshark\C:\Program Files\Fiddle
              Source: data.exeBinary or memory string: INNOTEKSUN VIRTUALBOXVMWAREVM_VIRTUAL MACHINEVMXNETVMX86VSPCQEMUQEMU HARDDISKQEMU DVD-ROMQEMU VIRTUALQ35BOCHSXENHVM DOMUXEN VIRTUALXENVMXVMHYPER-VMICROSOFT VIRTUALVIRTUAL HDMICROSOFTVIRTUALMICROSOFT CORPORATIONPARALLELSPARALLELS VIRTUALPARALLELS PLATFORMPARALL
              Source: tasklist.exe, 0000002A.00000002.1767174277.0000020257460000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: tasklist/fiIMAGENAME eq qemu-system-x86.exeMP=C:\Users\Ypy
              Source: data.exeBinary or memory string: 3209-6896-4881-1621-1204-9357-891RLVSSVMware-42 23 54 12 34 56 78 90-12 34 56 78 90 12 34 56VMware-56 4d 14 aa bb cc dd ee-ff 00 11 22 33 44 55 66VM-1234567890VMWVMware, Inc.VirtualBox-00 11 22 33 44 55 66 77-88 99 aa bb cc dd ee ffVBOX-1234567890VBOX_HARDDISK
              Source: data.exeBinary or memory string: vmwarevboxvirtualvmqemucuckooabbeyalalexbrunofredgeorgeharryjohnjohnsonjoneslisapaulpetersmithworkvtcdekkerhoneyhoneypotcurrentlocalaudittechdebugnulldummytempdemoevalsophosmcafeesymanteckasperskyavastbitdefenderesettrendpandadefendercorpcyberinfosecforensicsi
              Source: tasklist.exe, 00000016.00000002.1739673980.000002B092880000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: "tasklist" /fi "IMAGENAME eq vmwaretray.exe"
              Source: data.exeBinary or memory string: systemsandboxmalwareanalysisanalyzerresearchsecuritytesttestertestingviruslabmaltestsamplesecurediagnosticvmwarevboxvirtualvmqemucuckooabbeyalalexbrunofredgeorgeharryjohnjohnsonjoneslisapaulpetersmithworkvtcdekkerhoneyhoneypotcurrentlocalaudittechdebugnulldumm
              Source: data.exeBinary or memory string: securediagnosticvmwarevboxvirtualvmqemucuckooabbeyalalexbrunofredgeorgeharryjohnjohnsonjoneslisapaulpetersmithworkvtcdekkerhoneyhoneypotcurrentlocalaudittechdebugnulldummytempdemoevalsophosmcafeesymanteckasperskyavastbitdefenderesettrendpandadefendercorpcyberi
              Source: data.exeBinary or memory string: MICROSOFT VIRTUALVIRTUAL HDMICROSOFTVIRTUALMICROSOFT CORPORATIONPARALLELSPARALLELS VIRTUALPARALLELS PLATFORMPARALLELS TOOLSKVMQEMU/KVMKVM VIRTUALLINUX KVMRED HAT KVMVIRTUALBHYVEPROXMOXDOCKERLXCOPENVZCITRIXAMAZON EC2AWSGOOGLE COMPUTEGCPAZUREVAGRANTEC2AMAZONT2.M
              Source: data.exeBinary or memory string: defense.dllprotect.dllanalyzer.dlltrace.dllqemu-ga.dllparallels.dllprl_tools.dllvpcmap.dllvmusbmouse.dllvmtray.dllwireshark.dllwindbg.dllollydbg.dllimmunity.dllghidra.dllida.dllx64dbg.dll
              Source: data.exeBinary or memory string: VIRTUALBOXORACLE VMINNOTEKSUN VIRTUALBOXVMWAREVM_VIRTUAL MACHINEVMXNETVMX86VSPCQEMUQEMU HARDDISKQEMU DVD-ROMQEMU VIRTUALQ35BOCHSXENHVM DOMUXEN VIRTUALXENVMXVMHYPER-VMICROSOFT VIRTUALVIRTUAL HDMICROSOFTVIRTUALMICROSOFT CORPORATIONPARALLELSPARALLELS VIRTUALPARAL
              Source: data.exeBinary or memory string: 7D4B67276A58480C8ete9t8e8t3UnknownDefault string1234567890 NoneN/AAllDefaultSystem50023570840958302290236455696557BSS-01234567897865625393116424L1HF0CF008J3209-6896-4881-1621-1204-9357-891RLVSSVMware-42 23 54 12 34 56 78 90-12 34 56 78 90 12 34 56VMware-56 4d
              Source: data.exeBinary or memory string: vmacthlp.exevmware-vmx.exevmware-authd.exevboxservice.exevboxtray.exevboxcontrol.exevboxheadless.exeqemu-ga.exeqemu-system-x86.exeqemu-system-x86_64.exesandboxie.exesbiesvc.exesbiectrl.exesandman.execockoo.exeanalyser.exewireshark.exefiddler.exeprocesshacker.e
              Source: data.exeBinary or memory string: VIRTUAL_DISKQEMU0001QEMU1234TEST-1234567890DESKTOP-TESTSANDBOX-PCANALYSIS-PCVirtual-1234567890VM-TEST-PCVM-ANALYSISVIRTUAL_MACHINE000000000000111111111111AAAAAAAAAAAABCDEF123456TEMP-CLONE-EC2-GCP-AZURE-AWS-LAB-PC-RESEARCH-MALWARE-ANALYSIS-123456789012987654321
              Source: system_info.txt.0.drBinary or memory string: - vmware-authd.exe
              Source: tasklist.exe, 00000018.00000003.1741168370.00000134C5E66000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: WMI.ExecQuery(SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'VMWAREUSER.EXE');
              Source: tasklist.exe, 0000001C.00000003.1748940545.000001B213E77000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: WMI.ExecQuery(SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'VMWARE-VMX.EXE');
              Source: data.exeBinary or memory string: C:\windows\sysnative\drivers\vmhgfs.sysC:\windows\sysnative\drivers\vmusbmouse.sysC:\windows\sysnative\drivers\vmrawdsk.sysC:\windows\sysnative\drivers\vmmemctl.sysC:\windows\sysnative\drivers\vmx86.sysC:\windows\sysnative\drivers\vmnet.sysC:\Program Files\VMw
              Source: data.exeBinary or memory string: administratoradminrootguestuserdefaultsystemsandboxmalwareanalysisanalyzerresearchsecuritytesttestertestingviruslabmaltestsamplesecurediagnosticvmwarevboxvirtualvmqemucuckooabbeyalalexbrunofredgeorgeharryjohnjohnsonjoneslisapaulpetersmithworkvtcdekkerhoneyhone
              Source: data.exe, 00000000.00000002.2485496817.000001DFC201B000.00000004.00000020.00020000.00000000.sdmp, system_info.txt.0.drBinary or memory string: - qemu-ga.exe
              Source: data.exeBinary or memory string: wmicC:\windows\sysnative\drivers\vmmouse.sysC:\windows\sysnative\drivers\vmhgfs.sysC:\windows\sysnative\drivers\vmusbmouse.sysC:\windows\sysnative\drivers\vmrawdsk.sysC:\windows\sysnative\drivers\vmmemctl.sysC:\windows\sysnative\drivers\vmx86.sysC:\windows\sysnative\drivers\vmnet.sysC:\Program Files\VMware\VMware Tools\C:\windows\sysnative\drivers\VBoxMouse.sysC:\windows\sysnative\drivers\VBoxGuest.sysC:\windows\sysnative\drivers\VBoxSF.sysC:\windows\sysnative\drivers\VBoxVideo.sysC:\windows\sysnative\vboxdisp.dllC:\windows\sysnative\vboxhook.dllC:\windows\sysnative\vboxmrxnp.dllC:\Program Files\Oracle\VirtualBox Guest Additions\C:\windows\sysnative\drivers\qemu-ga.sysC:\windows\sysnative\drivers\qemufwcfg.sysC:\windows\sysnative\drivers\qemupciserial.sysC:\sandcastle\C:\sandbox\C:\tools\sandbox\C:\Program Files\Sandboxie\C:\Program Files\Cuckoo\C:\Program Files\Joe Sandbox\C:\Program Files\Wireshark\C:\Program Files\Fiddler\C:\Program Files\Process Hacker\C:\Program Files\Process Monitor\C:\Program Files\Process Explorer\C:\Program Files\IDA Pro\C:\Program Files\x64dbg\C:\Program Files\OllyDbg\C:\Analysis\C:\Analyser\C:\Sandbox\C:\Malware\C:\Research\C:\Test\C:\windows\sysnative\drivers\prleth.sysC:\windows\sysnative\drivers\prlfs.sysC:\windows\sysnative\drivers\prlmouse.sysC:\windows\sysnative\drivers\prlvideo.sysC:\windows\sysnative\drivers\xennet.sysC:\windows\sysnative\drivers\xensvc.sysC:\windows\sysnative\drivers\xenvbd.sysvmtoolsd.exevmwaretray.exevmwareuser.exevmacthlp.exevmware-vmx.exevmware-authd.exevboxservice.exevboxtray.exevboxcontrol.exevboxheadless.exeqemu-ga.exeqemu-system-x86.exeqemu-system-x86_64.exesandboxie.exesbiesvc.exesbiectrl.exesandman.execockoo.exeanalyser.exewireshark.exefiddler.exeprocesshacker.exeprocmon.exeprocexp.exeida64.exeollydbg.exex32dbg.exex64dbg.exewindbg.exeprocmon64.exefilemon.exeregmon.exeidag.exeidaw.exeidaq.exeidaq64.exeidau64.exescylla.exeprotection_id.exedumpcap.exehookexplorer.exeimportrec.exepetools.exelordpe.exeprl_tools.exeprl_cc.exexenclient.exexenservice.exedepends.exeautoruns.exeautorunsc.exefilescan.exetcpview.exepestudio.exeregshot.exeprocess monitor.exesystem explorer.exesystemexplorer.exesystemexplorerservice.exenetworkminer.exetcpdump.exenetworktrafficview.exeettercap.exefireshark.exeIMAGENAME eq
              Source: data.exeBinary or memory string: PARALLELS VIRTUALPARALLELS PLATFORMPARALLELS TOOLSKVMQEMU/KVMKVM VIRTUALLINUX KVMRED HAT KVMVIRTUALBHYVEPROXMOXDOCKERLXCOPENVZCITRIXAMAZON EC2AWSGOOGLE COMPUTEGCPAZUREVAGRANTEC2AMAZONT2.MICROT3.MICROGOOGLE CLOUDMICROSOFT AZUREDIGITALOCEANLINODEVULTRSANDBOXVIRT
              Source: data.exeBinary or memory string: wmicC:\windows\sysnative\drivers\vmmouse.sysC:\windows\sysnative\drivers\vmhgfs.sysC:\windows\sysnative\drivers\vmusbmouse.sysC:\windows\sysnative\drivers\vmrawdsk.sysC:\windows\sysnative\drivers\vmmemctl.sysC:\windows\sysnative\drivers\vmx86.sysC:\windows\sysnative\drivers\vmnet.sysC:\Program Files\VMware\VMware Tools\C:\windows\sysnative\drivers\VBoxMouse.sysC:\windows\sysnative\drivers\VBoxGuest.sysC:\windows\sysnative\drivers\VBoxSF.sysC:\windows\sysnative\drivers\VBoxVideo.sysC:\windows\sysnative\vboxdisp.dllC:\windows\sysnative\vboxhook.dllC:\windows\sysnative\vboxmrxnp.dllC:\Program Files\Oracle\VirtualBox Guest Additions\C:\windows\sysnative\drivers\qemu-ga.sysC:\windows\sysnative\drivers\qemufwcfg.sysC:\windows\sysnative\drivers\qemupciserial.sysC:\sandcastle\C:\sandbox\C:\tools\sandbox\C:\Program Files\Sandboxie\C:\Program Files\Cuckoo\C:\Program Files\Joe Sandbox\C:\Program Files\Wireshark\C:\Program Files\Fiddler\C:\Program Files\Process Hacker\C:\Program Files\Process Monitor\C:\Program Files\Process Explorer\C:\Program Files\IDA Pro\C:\Program Files\x64dbg\C:\Program Files\OllyDbg\C:\Analysis\C:\Analyser\C:\Sandbox\C:\Malware\C:\Research\C:\Test\C:\windows\sysnative\drivers\prleth.sysC:\windows\sysnative\drivers\prlfs.sysC:\windows\sysnative\drivers\prlmouse.sysC:\windows\sysnative\drivers\prlvideo.sysC:\windows\sysnative\drivers\xennet.sysC:\windows\sysnative\drivers\xensvc.sysC:\windows\sysnative\drivers\xenvbd.sysvmtoolsd.exevmwaretray.exevmwareuser.exevmacthlp.exevmware-vmx.exevmware-authd.exevboxservice.exevboxtray.exevboxcontrol.exevboxheadless.exeqemu-ga.exeqemu-system-x86.exeqemu-system-x86_64.exesandboxie.exesbiesvc.exesbiectrl.exesandman.execockoo.exeanalyser.exewireshark.exefiddler.exeprocesshacker.exeprocmon.exeprocexp.exeida64.exeollydbg.exex32dbg.exex64dbg.exewindbg.exeprocmon64.exefilemon.exeregmon.exeidag.exeidaw.exeidaq.exeidaq64.exeidau64.exescylla.exeprotection_id.exedumpcap.exehookexplorer.exeimportrec.exepetools.exelordpe.exeprl_tools.exeprl_cc.exexenclient.exexenservice.exedepends.exeautoruns.exeautorunsc.exefilescan.exetcpview.exepestudio.exeregshot.exeprocess monitor.exesystem explorer.exesystemexplorer.exesystemexplorerservice.exenetworkminer.exetcpdump.exenetworktrafficview.exeettercap.exefireshark.exeIMAGENAME eq Q
              Source: data.exeBinary or memory string: vmware-vmx.exevmware-authd.exevboxservice.exevboxtray.exevboxcontrol.exevboxheadless.exeqemu-ga.exeqemu-system-x86.exeqemu-system-x86_64.exesandboxie.exesbiesvc.exesbiectrl.exesandman.execockoo.exeanalyser.exewireshark.exefiddler.exeprocesshacker.exeprocmon.ex
              Source: data.exeBinary or memory string: sec_analystsysadminnetadminsupporthelpdeskservicesupervisormaintaincontrolscanmonitorUSERNAMEVBOXVIRTUALBOXORACLE VMINNOTEKSUN VIRTUALBOXVMWAREVM_VIRTUAL MACHINEVMXNETVMX86VSPCQEMUQEMU HARDDISKQEMU DVD-ROMQEMU VIRTUALQ35BOCHSXENHVM DOMUXEN VIRTUALXENVMXVMHYPER
              Source: tasklist.exe, 00000028.00000002.1763830079.0000025BE524C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'QEMU-GA.EXE'[
              Source: tasklist.exe, 00000016.00000003.1739349375.000002B0928B9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'VMWARETRAY.EXE'
              Source: tasklist.exe, 0000002A.00000003.1765434444.0000020257257000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 0000002A.00000003.1765550120.0000020257268000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 0000002A.00000002.1766358377.000002025726A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: tasklist/fiIMAGENAME eq qemu-system-x86.exe
              Source: data.exeBinary or memory string: C:\windows\sysnative\drivers\vmrawdsk.sysC:\windows\sysnative\drivers\vmmemctl.sysC:\windows\sysnative\drivers\vmx86.sysC:\windows\sysnative\drivers\vmnet.sysC:\Program Files\VMware\VMware Tools\C:\windows\sysnative\drivers\VBoxMouse.sysC:\windows\sysnative\dr
              Source: tasklist.exe, 00000016.00000003.1739349375.000002B0928B9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: tasklist/fiIMAGENAME eq vmwaretray.exe
              Source: tasklist.exe, 0000002C.00000002.1770054138.000001C8E3075000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'QEMU-SYSTEM-X86_64.EXE'6
              Source: data.exeBinary or memory string: VIRTUAL HDMICROSOFTVIRTUALMICROSOFT CORPORATIONPARALLELSPARALLELS VIRTUALPARALLELS PLATFORMPARALLELS TOOLSKVMQEMU/KVMKVM VIRTUALLINUX KVMRED HAT KVMVIRTUALBHYVEPROXMOXDOCKERLXCOPENVZCITRIXAMAZON EC2AWSGOOGLE COMPUTEGCPAZUREVAGRANTEC2AMAZONT2.MICROT3.MICROGOOGL
              Source: data.exeBinary or memory string: 7865625393116424L1HF0CF008J3209-6896-4881-1621-1204-9357-891RLVSSVMware-42 23 54 12 34 56 78 90-12 34 56 78 90 12 34 56VMware-56 4d 14 aa bb cc dd ee-ff 00 11 22 33 44 55 66VM-1234567890VMWVMware, Inc.VirtualBox-00 11 22 33 44 55 66 77-88 99 aa bb cc dd ee ffV
              Source: data.exeBinary or memory string: vboxheadless.exeqemu-ga.exeqemu-system-x86.exeqemu-system-x86_64.exesandboxie.exesbiesvc.exesbiectrl.exesandman.execockoo.exeanalyser.exewireshark.exefiddler.exeprocesshacker.exeprocmon.exeprocexp.exeida64.exeollydbg.exex32dbg.exex64dbg.exewindbg.exeprocmon64.
              Source: data.exeBinary or memory string: BOCHSXENHVM DOMUXEN VIRTUALXENVMXVMHYPER-VMICROSOFT VIRTUALVIRTUAL HDMICROSOFTVIRTUALMICROSOFT CORPORATIONPARALLELSPARALLELS VIRTUALPARALLELS PLATFORMPARALLELS TOOLSKVMQEMU/KVMKVM VIRTUALLINUX KVMRED HAT KVMVIRTUALBHYVEPROXMOXDOCKERLXCOPENVZCITRIXAMAZON EC2AWS
              Source: data.exeBinary or memory string: C:\windows\sysnative\drivers\VBoxMouse.sysC:\windows\sysnative\drivers\VBoxGuest.sysC:\windows\sysnative\drivers\VBoxSF.sysC:\windows\sysnative\drivers\VBoxVideo.sysC:\windows\sysnative\vboxdisp.dllC:\windows\sysnative\vboxhook.dllC:\windows\sysnative\vboxmrxn
              Source: tasklist.exe, 00000022.00000003.1756516530.0000025874597000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000022.00000002.1757202842.0000025874599000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000022.00000003.1756294925.0000025874591000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: tasklist/fiIMAGENAME eq vboxtray.exe
              Source: data.exeBinary or memory string: guestuserdefaultsystemsandboxmalwareanalysisanalyzerresearchsecuritytesttestertestingviruslabmaltestsamplesecurediagnosticvmwarevboxvirtualvmqemucuckooabbeyalalexbrunofredgeorgeharryjohnjohnsonjoneslisapaulpetersmithworkvtcdekkerhoneyhoneypotcurrentlocalauditt
              Source: data.exeBinary or memory string: labtechlabtestersandbox_uservm_usertest_adminmalwarelabanalysisstnsec_analystsysadminnetadminsupporthelpdeskservicesupervisormaintaincontrolscanmonitorUSERNAMEVBOXVIRTUALBOXORACLE VMINNOTEKSUN VIRTUALBOXVMWAREVM_VIRTUAL MACHINEVMXNETVMX86VSPCQEMUQEMU HARDDISKQ
              Source: tasklist.exe, 0000002A.00000002.1766178644.0000020257230000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: "tasklist" /fi "IMAGENAME eq qemu-system-x86.exe"
              Source: getmac.exe, 0000000D.00000003.1723622903.000001BCB64DB000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000000D.00000003.1723882712.000001BCB64EE000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000000D.00000002.1724545195.000001BCB64EF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V
              Source: tasklist.exe, 0000002C.00000003.1769215795.000001C8E2EBE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'QEMU-SYSTEM-X86_64.EXE'%
              Source: data.exeBinary or memory string: virtualvmqemucuckooabbeyalalexbrunofredgeorgeharryjohnjohnsonjoneslisapaulpetersmithworkvtcdekkerhoneyhoneypotcurrentlocalaudittechdebugnulldummytempdemoevalsophosmcafeesymanteckasperskyavastbitdefenderesettrendpandadefendercorpcyberinfosecforensicsincidentrev
              Source: data.exeBinary or memory string: netadminsupporthelpdeskservicesupervisormaintaincontrolscanmonitorUSERNAMEVBOXVIRTUALBOXORACLE VMINNOTEKSUN VIRTUALBOXVMWAREVM_VIRTUAL MACHINEVMXNETVMX86VSPCQEMUQEMU HARDDISKQEMU DVD-ROMQEMU VIRTUALQ35BOCHSXENHVM DOMUXEN VIRTUALXENVMXVMHYPER-VMICROSOFT VIRTUAL
              Source: data.exeBinary or memory string: vmrig.dllvmusb.dllvboxhook.dllvboxdisp.dllvboxservice.dlldbghelp.dllapi_log.dlldir_watch.dllwpespy.dllcigdll.dllpstorec.dllvmcheck.dllallerror.dllsample.dllsandbox.dllagent.dlldbgcore.dllavghook.dllavghooka.dlllog_api.dllapi_hook.dllapimon.dllapispy.dllregmon.
              Source: data.exeBinary or memory string: C:\Program Files\OllyDbg\C:\Analysis\C:\Analyser\C:\Sandbox\C:\Malware\C:\Research\C:\Test\C:\windows\sysnative\drivers\prleth.sysC:\windows\sysnative\drivers\prlfs.sysC:\windows\sysnative\drivers\prlmouse.sysC:\windows\sysnative\drivers\prlvideo.sysC:\windows
              Source: data.exeBinary or memory string: malwareanalysisanalyzerresearchsecuritytesttestertestingviruslabmaltestsamplesecurediagnosticvmwarevboxvirtualvmqemucuckooabbeyalalexbrunofredgeorgeharryjohnjohnsonjoneslisapaulpetersmithworkvtcdekkerhoneyhoneypotcurrentlocalaudittechdebugnulldummytempdemoeval
              Source: data.exeBinary or memory string: vmqemucuckooabbeyalalexbrunofredgeorgeharryjohnjohnsonjoneslisapaulpetersmithworkvtcdekkerhoneyhoneypotcurrentlocalaudittechdebugnulldummytempdemoevalsophosmcafeesymanteckasperskyavastbitdefenderesettrendpandadefendercorpcyberinfosecforensicsincidentreversesoc
Source: data.exe | Binary or memory string: C:\Program Files\IDA Pro\C:\Program Files\x64dbg\C:\Program Files\OllyDbg\C:\Analysis\C:\Analyser\C:\Sandbox\C:\Malware\C:\Research\C:\Test\C:\windows\sysnative\drivers\prleth.sysC:\windows\sysnative\drivers\prlfs.sysC:\windows\sysnative\drivers\prlmouse.sysC:
Source: data.exe | Binary or memory string: VM-1234567890VMWVMware, Inc.VirtualBox-00 11 22 33 44 55 66 77-88 99 aa bb cc dd ee ffVBOX-1234567890VBOX_HARDDISK0VIRTUAL_DISKQEMU0001QEMU1234TEST-1234567890DESKTOP-TESTSANDBOX-PCANALYSIS-PCVirtual-1234567890VM-TEST-PCVM-ANALYSISVIRTUAL_MACHINE000000000000111
Source: data.exe | Binary or memory string: C:\windows\sysnative\drivers\qemupciserial.sysC:\sandcastle\C:\sandbox\C:\tools\sandbox\C:\Program Files\Sandboxie\C:\Program Files\Cuckoo\C:\Program Files\Joe Sandbox\C:\Program Files\Wireshark\C:\Program Files\Fiddler\C:\Program Files\Process Hacker\C:\Progr
Source: tasklist.exe, 00000028.00000003.1762936104.0000025BE524C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'QEMU-GA.EXE'[
Source: data.exe | Binary or memory string: sf2.dllsnxhk.dllcmdvrt32.dllcmdvrt64.dllcyberghostvpn.dllvboxmrxnp.dllvmsrvc.dllvmhgfs.dllvm3dgl.dllvmrig.dllvmusb.dllvboxhook.dllvboxdisp.dllvboxservice.dlldbghelp.dllapi_log.dlldir_watch.dllwpespy.dllcigdll.dllpstorec.dllvmcheck.dllallerror.dllsample.dllsand
Source: data.exe | Binary or memory string: snxhk.dllcmdvrt32.dllcmdvrt64.dllcyberghostvpn.dllvboxmrxnp.dllvmsrvc.dllvmhgfs.dllvm3dgl.dllvmrig.dllvmusb.dllvboxhook.dllvboxdisp.dllvboxservice.dlldbghelp.dllapi_log.dlldir_watch.dllwpespy.dllcigdll.dllpstorec.dllvmcheck.dllallerror.dllsample.dllsandbox.dll
Source: getmac.exe, 0000000D.00000003.1723622903.000001BCB64DB000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000000D.00000003.1723882712.000001BCB64EE000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000000D.00000002.1724545195.000001BCB64EF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: data.exe | Binary or memory string: XENHVM DOMUXEN VIRTUALXENVMXVMHYPER-VMICROSOFT VIRTUALVIRTUAL HDMICROSOFTVIRTUALMICROSOFT CORPORATIONPARALLELSPARALLELS VIRTUALPARALLELS PLATFORMPARALLELS TOOLSKVMQEMU/KVMKVM VIRTUALLINUX KVMRED HAT KVMVIRTUALBHYVEPROXMOXDOCKERLXCOPENVZCITRIXAMAZON EC2AWSGOOGL
Source: data.exe, 00000000.00000002.2485496817.000001DFC201B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\Windows\system\vboxservice.dlll
Source: data.exe | Binary or memory string: diagnosticvmwarevboxvirtualvmqemucuckooabbeyalalexbrunofredgeorgeharryjohnjohnsonjoneslisapaulpetersmithworkvtcdekkerhoneyhoneypotcurrentlocalaudittechdebugnulldummytempdemoevalsophosmcafeesymanteckasperskyavastbitdefenderesettrendpandadefendercorpcyberinfosec
Source: tasklist.exe, 00000020.00000002.1754362631.0000025E1E4DB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: IMAGENAME eq vboxservice.exe
Source: data.exe | Binary or memory string: MICROSOFT CORPORATIONPARALLELSPARALLELS VIRTUALPARALLELS PLATFORMPARALLELS TOOLSKVMQEMU/KVMKVM VIRTUALLINUX KVMRED HAT KVMVIRTUALBHYVEPROXMOXDOCKERLXCOPENVZCITRIXAMAZON EC2AWSGOOGLE COMPUTEGCPAZUREVAGRANTEC2AMAZONT2.MICROT3.MICROGOOGLE CLOUDMICROSOFT AZUREDIGI
Source: tasklist.exe, 0000002A.00000002.1766178644.0000020257230000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\Users\user\Desktop\C:\Windows\system32\tasklist.exe"tasklist" /fi "IMAGENAME eq qemu-system-x86.exe"C:\Windows\system32\tasklist.exeWinsta0\Default-+W8"
Source: data.exe | Binary or memory string: VMWVMware, Inc.VirtualBox-00 11 22 33 44 55 66 77-88 99 aa bb cc dd ee ffVBOX-1234567890VBOX_HARDDISK0VIRTUAL_DISKQEMU0001QEMU1234TEST-1234567890DESKTOP-TESTSANDBOX-PCANALYSIS-PCVirtual-1234567890VM-TEST-PCVM-ANALYSISVIRTUAL_MACHINE000000000000111111111111AAAA
Source: data.exe | Binary or memory string: helpdeskservicesupervisormaintaincontrolscanmonitorUSERNAMEVBOXVIRTUALBOXORACLE VMINNOTEKSUN VIRTUALBOXVMWAREVM_VIRTUAL MACHINEVMXNETVMX86VSPCQEMUQEMU HARDDISKQEMU DVD-ROMQEMU VIRTUALQ35BOCHSXENHVM DOMUXEN VIRTUALXENVMXVMHYPER-VMICROSOFT VIRTUALVIRTUAL HDMICRO
Source: tasklist.exe, 00000016.00000003.1739349375.000002B0928B9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'VMWARETRAY.EXE'J!
Source: tasklist.exe, 00000018.00000002.1742184142.00000134C5E58000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'VMWAREUSER.EXE'
Source: data.exe | Binary or memory string: BSS-01234567897865625393116424L1HF0CF008J3209-6896-4881-1621-1204-9357-891RLVSSVMware-42 23 54 12 34 56 78 90-12 34 56 78 90 12 34 56VMware-56 4d 14 aa bb cc dd ee-ff 00 11 22 33 44 55 66VM-1234567890VMWVMware, Inc.VirtualBox-00 11 22 33 44 55 66 77-88 99 aa b
Source: data.exe | Binary or memory string: servicesupervisormaintaincontrolscanmonitorUSERNAMEVBOXVIRTUALBOXORACLE VMINNOTEKSUN VIRTUALBOXVMWAREVM_VIRTUAL MACHINEVMXNETVMX86VSPCQEMUQEMU HARDDISKQEMU DVD-ROMQEMU VIRTUALQ35BOCHSXENHVM DOMUXEN VIRTUALXENVMXVMHYPER-VMICROSOFT VIRTUALVIRTUAL HDMICROSOFTVIRT
Source: data.exe | Binary or memory string: UnknownDefault string1234567890 NoneN/AAllDefaultSystem50023570840958302290236455696557BSS-01234567897865625393116424L1HF0CF008J3209-6896-4881-1621-1204-9357-891RLVSSVMware-42 23 54 12 34 56 78 90-12 34 56 78 90 12 34 56VMware-56 4d 14 aa bb cc dd ee-ff 00 11
Source: data.exe | Binary or memory string: DefaultSystem50023570840958302290236455696557BSS-01234567897865625393116424L1HF0CF008J3209-6896-4881-1621-1204-9357-891RLVSSVMware-42 23 54 12 34 56 78 90-12 34 56 78 90 12 34 56VMware-56 4d 14 aa bb cc dd ee-ff 00 11 22 33 44 55 66VM-1234567890VMWVMware, Inc.
Source: tasklist.exe, 0000002A.00000002.1766178644.0000020257230000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: "tasklist" /fi "IMAGENAME eq qemu-system-x86.exe"i+W|P
Source: tasklist.exe, 00000028.00000003.1762936104.0000025BE524C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'QEMU-GA.EXE'
Source: data.exe | Binary or memory string: BrunoFredGeorgeharry johnsonLisaPaul Joneslabuserlabtechlabtestersandbox_uservm_usertest_adminmalwarelabanalysisstnsec_analystsysadminnetadminsupporthelpdeskservicesupervisormaintaincontrolscanmonitorUSERNAMEVBOXVIRTUALBOXORACLE VMINNOTEKSUN VIRTUALBOXVMWAREVM
Source: data.exe | Binary or memory string: C:\Program Files\Process Explorer\C:\Program Files\IDA Pro\C:\Program Files\x64dbg\C:\Program Files\OllyDbg\C:\Analysis\C:\Analyser\C:\Sandbox\C:\Malware\C:\Research\C:\Test\C:\windows\sysnative\drivers\prleth.sysC:\windows\sysnative\drivers\prlfs.sysC:\window
Source: data.exe, 00000000.00000002.2485496817.000001DFC201B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\Users\user\Desktop\vboxhook.dll(
Source: data.exe | Binary or memory string: wmicC:\windows\sysnative\drivers\vmmouse.sysC:\windows\sysnative\drivers\vmhgfs.sysC:\windows\sysnative\drivers\vmusbmouse.sysC:\windows\sysnative\drivers\vmrawdsk.sysC:\windows\sysnative\drivers\vmmemctl.sysC:\windows\sysnative\drivers\vmx86.sysC:\windows\sys
Source: tasklist.exe, 00000022.00000003.1756516530.0000025874597000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000022.00000002.1757202842.0000025874599000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000022.00000003.1756294925.0000025874591000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: IMAGENAME eq vboxtray.exe
Source: tasklist.exe, 00000022.00000002.1757202842.0000025874599000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'VBOXTRAY.EXE'
Source: data.exe | Binary or memory string: C:\windows\sysnative\drivers\vmmemctl.sysC:\windows\sysnative\drivers\vmx86.sysC:\windows\sysnative\drivers\vmnet.sysC:\Program Files\VMware\VMware Tools\C:\windows\sysnative\drivers\VBoxMouse.sysC:\windows\sysnative\drivers\VBoxGuest.sysC:\windows\sysnative\d
Source: data.exe | Binary or memory string: 1234567890 NoneN/AAllDefaultSystem50023570840958302290236455696557BSS-01234567897865625393116424L1HF0CF008J3209-6896-4881-1621-1204-9357-891RLVSSVMware-42 23 54 12 34 56 78 90-12 34 56 78 90 12 34 56VMware-56 4d 14 aa bb cc dd ee-ff 00 11 22 33 44 55 66VM-1234
Source: data.exe | Binary or memory string: maltestsamplesecurediagnosticvmwarevboxvirtualvmqemucuckooabbeyalalexbrunofredgeorgeharryjohnjohnsonjoneslisapaulpetersmithworkvtcdekkerhoneyhoneypotcurrentlocalaudittechdebugnulldummytempdemoevalsophosmcafeesymanteckasperskyavastbitdefenderesettrendpandadefen
Source: tasklist.exe, 0000001C.00000002.1749955209.000001B213E79000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: tasklist/fiIMAGENAME eq vmware-vmx.exe;
Source: data.exe | Binary or memory string: regmon.dllfilemon.dllprocmon.dllsysmon.dllsyscall.dllhooks.dllmonitor.dlldefense.dllprotect.dllanalyzer.dlltrace.dllqemu-ga.dllparallels.dllprl_tools.dllvpcmap.dllvmusbmouse.dllvmtray.dllwireshark.dllwindbg.dllollydbg.dllimmunity.dllghidra.dllida.dllx64dbg.dll
Source: data.exe | Binary or memory string: NoneN/AAllDefaultSystem50023570840958302290236455696557BSS-01234567897865625393116424L1HF0CF008J3209-6896-4881-1621-1204-9357-891RLVSSVMware-42 23 54 12 34 56 78 90-12 34 56 78 90 12 34 56VMware-56 4d 14 aa bb cc dd ee-ff 00 11 22 33 44 55 66VM-1234567890VMWV
Source: data.exe | Binary or memory string: System50023570840958302290236455696557BSS-01234567897865625393116424L1HF0CF008J3209-6896-4881-1621-1204-9357-891RLVSSVMware-42 23 54 12 34 56 78 90-12 34 56 78 90 12 34 56VMware-56 4d 14 aa bb cc dd ee-ff 00 11 22 33 44 55 66VM-1234567890VMWVMware, Inc.Virtual
Source: tasklist.exe, 00000022.00000002.1757018378.0000025874560000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\Users\user\Desktop\C:\Windows\system32\tasklist.exe"tasklist" /fi "IMAGENAME eq vboxtray.exe"C:\Windows\system32\tasklist.exeWinsta0\Default
Source: data.exe | Binary or memory string: VM_VIRTUAL MACHINEVMXNETVMX86VSPCQEMUQEMU HARDDISKQEMU DVD-ROMQEMU VIRTUALQ35BOCHSXENHVM DOMUXEN VIRTUALXENVMXVMHYPER-VMICROSOFT VIRTUALVIRTUAL HDMICROSOFTVIRTUALMICROSOFT CORPORATIONPARALLELSPARALLELS VIRTUALPARALLELS PLATFORMPARALLELS TOOLSKVMQEMU/KVMKVM VIR
Source: data.exe | Binary or memory string: analysisstnsec_analystsysadminnetadminsupporthelpdeskservicesupervisormaintaincontrolscanmonitorUSERNAMEVBOXVIRTUALBOXORACLE VMINNOTEKSUN VIRTUALBOXVMWAREVM_VIRTUAL MACHINEVMXNETVMX86VSPCQEMUQEMU HARDDISKQEMU DVD-ROMQEMU VIRTUALQ35BOCHSXENHVM DOMUXEN VIRTUALXE
Source: data.exe | Binary or memory string: vboxmrxnp.dllvmsrvc.dllvmhgfs.dllvm3dgl.dllvmrig.dllvmusb.dllvboxhook.dllvboxdisp.dllvboxservice.dlldbghelp.dllapi_log.dlldir_watch.dllwpespy.dllcigdll.dllpstorec.dllvmcheck.dllallerror.dllsample.dllsandbox.dllagent.dlldbgcore.dllavghook.dllavghooka.dlllog_api
Source: data.exe | Binary or memory string: qemu-ga.dllparallels.dllprl_tools.dllvpcmap.dllvmusbmouse.dllvmtray.dllwireshark.dllwindbg.dllollydbg.dllimmunity.dllghidra.dllida.dllx64dbg.dll
Source: data.exe | Binary or memory string: C:\windows\sysnative\drivers\vmnet.sysC:\Program Files\VMware\VMware Tools\C:\windows\sysnative\drivers\VBoxMouse.sysC:\windows\sysnative\drivers\VBoxGuest.sysC:\windows\sysnative\drivers\VBoxSF.sysC:\windows\sysnative\drivers\VBoxVideo.sysC:\windows\sysnative
Source: tasklist.exe, 00000028.00000003.1762936104.0000025BE5236000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000028.00000003.1763071032.0000025BE5246000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000028.00000002.1763830079.0000025BE5248000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: , ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'QEMU-GA.EXE'0
Source: data.exe | Binary or memory string: trace.dllqemu-ga.dllparallels.dllprl_tools.dllvpcmap.dllvmusbmouse.dllvmtray.dllwireshark.dllwindbg.dllollydbg.dllimmunity.dllghidra.dllida.dllx64dbg.dll
Source: tasklist.exe, 0000001E.00000002.1752083825.000001D59AF15000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'VMWARE-AUTHD.EXE'ENTIFIE
Source: data.exe | Binary or memory string: MICROSOFTVIRTUALMICROSOFT CORPORATIONPARALLELSPARALLELS VIRTUALPARALLELS PLATFORMPARALLELS TOOLSKVMQEMU/KVMKVM VIRTUALLINUX KVMRED HAT KVMVIRTUALBHYVEPROXMOXDOCKERLXCOPENVZCITRIXAMAZON EC2AWSGOOGLE COMPUTEGCPAZUREVAGRANTEC2AMAZONT2.MICROT3.MICROGOOGLE CLOUDMIC
Source: data.exe | Binary or memory string: sbiedll.dllsf2.dllsnxhk.dllcmdvrt32.dllcmdvrt64.dllcyberghostvpn.dllvboxmrxnp.dllvmsrvc.dllvmhgfs.dllvm3dgl.dllvmrig.dllvmusb.dllvboxhook.dllvboxdisp.dllvboxservice.dlldbghelp.dllapi_log.dlldir_watch.dllwpespy.dllcigdll.dllpstorec.dllvmcheck.dllallerror.dllsample.dllsandbox.dllagent.dlldbgcore.dllavghook.dllavghooka.dlllog_api.dllapi_hook.dllapimon.dllapispy.dllregmon.dllfilemon.dllprocmon.dllsysmon.dllsyscall.dllhooks.dllmonitor.dlldefense.dllprotect.dllanalyzer.dlltrace.dllqemu-ga.dllparallels.dllprl_tools.dllvpcmap.dllvmusbmouse.dllvmtray.dllwireshark.dllwindbg.dllollydbg.dllimmunity.dllghidra.dllida.dllx64dbg.dll
Source: data.exe | Binary or memory string: sample.dllsandbox.dllagent.dlldbgcore.dllavghook.dllavghooka.dlllog_api.dllapi_hook.dllapimon.dllapispy.dllregmon.dllfilemon.dllprocmon.dllsysmon.dllsyscall.dllhooks.dllmonitor.dlldefense.dllprotect.dllanalyzer.dlltrace.dllqemu-ga.dllparallels.dllprl_tools.dll
Source: data.exe | Binary or memory string: ete9t8e8t3UnknownDefault string1234567890 NoneN/AAllDefaultSystem50023570840958302290236455696557BSS-01234567897865625393116424L1HF0CF008J3209-6896-4881-1621-1204-9357-891RLVSSVMware-42 23 54 12 34 56 78 90-12 34 56 78 90 12 34 56VMware-56 4d 14 aa bb cc dd ee
Source: tasklist.exe, 0000001C.00000002.1749842289.000001B213E40000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\Users\user\Desktop\C:\Windows\system32\tasklist.exe"tasklist" /fi "IMAGENAME eq vmware-vmx.exe"C:\Windows\system32\tasklist.exeWinsta0\Default]
Source: data.exe | Binary or memory string: sandbox_uservm_usertest_adminmalwarelabanalysisstnsec_analystsysadminnetadminsupporthelpdeskservicesupervisormaintaincontrolscanmonitorUSERNAMEVBOXVIRTUALBOXORACLE VMINNOTEKSUN VIRTUALBOXVMWAREVM_VIRTUAL MACHINEVMXNETVMX86VSPCQEMUQEMU HARDDISKQEMU DVD-ROMQEMU
Source: data.exe | Binary or memory string: C:\windows\sysnative\drivers\VBoxSF.sysC:\windows\sysnative\drivers\VBoxVideo.sysC:\windows\sysnative\vboxdisp.dllC:\windows\sysnative\vboxhook.dllC:\windows\sysnative\vboxmrxnp.dllC:\Program Files\Oracle\VirtualBox Guest Additions\C:\windows\sysnative\drivers
Source: tasklist.exe, 0000002C.00000003.1769103886.000001C8E2E97000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 0000002C.00000003.1769215795.000001C8E2EA9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: WMI.ExecQuery(SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'QEMU-SYSTEM-X86_64.EXE');
Source: data.exe | Binary or memory string: C:\Program Files\Oracle\VirtualBox Guest Additions\C:\windows\sysnative\drivers\qemu-ga.sysC:\windows\sysnative\drivers\qemufwcfg.sysC:\windows\sysnative\drivers\qemupciserial.sysC:\sandcastle\C:\sandbox\C:\tools\sandbox\C:\Program Files\Sandboxie\C:\Program F
Source: data.exe, 00000000.00000002.2485496817.000001DFC201B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: IMAGENAME eq qemu-system-x86.exe\
Source: tasklist.exe, 0000002A.00000003.1765434444.0000020257257000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 0000002A.00000003.1765550120.0000020257268000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: WMI.ExecQuery(SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'QEMU-SYSTEM-X86.EXE');
Source: data.exe | Binary or memory string: vboxdisp.dllvboxservice.dlldbghelp.dllapi_log.dlldir_watch.dllwpespy.dllcigdll.dllpstorec.dllvmcheck.dllallerror.dllsample.dllsandbox.dllagent.dlldbgcore.dllavghook.dllavghooka.dlllog_api.dllapi_hook.dllapimon.dllapispy.dllregmon.dllfilemon.dllprocmon.dllsysmo
Source: data.exe | Binary or memory string: C:\Program Files\Process Monitor\C:\Program Files\Process Explorer\C:\Program Files\IDA Pro\C:\Program Files\x64dbg\C:\Program Files\OllyDbg\C:\Analysis\C:\Analyser\C:\Sandbox\C:\Malware\C:\Research\C:\Test\C:\windows\sysnative\drivers\prleth.sysC:\windows\sys
Source: data.exe, 00000000.00000002.2485496817.000001DFC201B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: IMAGENAME eq qemu-system-x86.exe\Cuckoo\
Source: tasklist.exe, 00000014.00000003.1737442300.000001E562596000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: IMAGENAME eq vmtoolsd.exe
Source: data.exe, 00000000.00000002.2485496817.000001DFC201B000.00000004.00000020.00020000.00000000.sdmp, system_info.txt.0.dr | Binary or memory string: Hyper-V Requirements: VM Monitor Mode Extensions: No
Source: data.exe | Binary or memory string: avghooka.dlllog_api.dllapi_hook.dllapimon.dllapispy.dllregmon.dllfilemon.dllprocmon.dllsysmon.dllsyscall.dllhooks.dllmonitor.dlldefense.dllprotect.dllanalyzer.dlltrace.dllqemu-ga.dllparallels.dllprl_tools.dllvpcmap.dllvmusbmouse.dllvmtray.dllwireshark.dllwindb
Source: tasklist.exe, 0000001C.00000002.1749955209.000001B213E79000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: IMAGENAME eq vmware-vmx.exe
Source: tasklist.exe, 0000002A.00000003.1765434444.0000020257257000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 0000002A.00000003.1765550120.0000020257268000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 0000002A.00000002.1766358377.000002025726A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'QEMU-SYSTEM-X86.EXE'
Source: data.exe | Binary or memory string: VIRTUAL MACHINEVMXNETVMX86VSPCQEMUQEMU HARDDISKQEMU DVD-ROMQEMU VIRTUALQ35BOCHSXENHVM DOMUXEN VIRTUALXENVMXVMHYPER-VMICROSOFT VIRTUALVIRTUAL HDMICROSOFTVIRTUALMICROSOFT CORPORATIONPARALLELSPARALLELS VIRTUALPARALLELS PLATFORMPARALLELS TOOLSKVMQEMU/KVMKVM VIRTUA
Source: tasklist.exe, 0000001E.00000002.1752296696.000001D59AF69000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: cQuery(SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'VMWARE-AUTHD.EXE');
Source: tasklist.exe, 0000001E.00000002.1752236174.000001D59AF60000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: tasklist/fiIMAGENAME eq vmware-authd.exe
Source: data.exe | Binary or memory string: QEMU1234TEST-1234567890DESKTOP-TESTSANDBOX-PCANALYSIS-PCVirtual-1234567890VM-TEST-PCVM-ANALYSISVIRTUAL_MACHINE000000000000111111111111AAAAAAAAAAAABCDEF123456TEMP-CLONE-EC2-GCP-AZURE-AWS-LAB-PC-RESEARCH-MALWARE-ANALYSIS-123456789012987654321098ABCDEFGHIJKLTo be
Source: data.exe | Binary or memory string: PARALLELS PLATFORMPARALLELS TOOLSKVMQEMU/KVMKVM VIRTUALLINUX KVMRED HAT KVMVIRTUALBHYVEPROXMOXDOCKERLXCOPENVZCITRIXAMAZON EC2AWSGOOGLE COMPUTEGCPAZUREVAGRANTEC2AMAZONT2.MICROT3.MICROGOOGLE CLOUDMICROSOFT AZUREDIGITALOCEANLINODEVULTRSANDBOXVIRTUAL PLATFORMWINEA
Source: tasklist.exe, 0000001E.00000002.1752236174.000001D59AF60000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'VMWARE-AUTHD.EXE'
Source: data.exe | Binary or memory string: monitor.dlldefense.dllprotect.dllanalyzer.dlltrace.dllqemu-ga.dllparallels.dllprl_tools.dllvpcmap.dllvmusbmouse.dllvmtray.dllwireshark.dllwindbg.dllollydbg.dllimmunity.dllghidra.dllida.dllx64dbg.dll
Source: data.exe | Binary or memory string: ORACLE VMINNOTEKSUN VIRTUALBOXVMWAREVM_VIRTUAL MACHINEVMXNETVMX86VSPCQEMUQEMU HARDDISKQEMU DVD-ROMQEMU VIRTUALQ35BOCHSXENHVM DOMUXEN VIRTUALXENVMXVMHYPER-VMICROSOFT VIRTUALVIRTUAL HDMICROSOFTVIRTUALMICROSOFT CORPORATIONPARALLELSPARALLELS VIRTUALPARALLELS PLATF
Source: data.exe | Binary or memory string: 111122223333444455556666777D4B67276A58480C8ete9t8e8t3UnknownDefault string1234567890 NoneN/AAllDefaultSystem50023570840958302290236455696557BSS-01234567897865625393116424L1HF0CF008J3209-6896-4881-1621-1204-9357-891RLVSSVMware-42 23 54 12 34 56 78 90-12 34 56 78 90 12 34 56VMware-56 4d 14 aa bb cc dd ee-ff 00 11 22 33 44 55 66VM-1234567890VMWVMware, Inc.VirtualBox-00 11 22 33 44 55 66 77-88 99 aa bb cc dd ee ffVBOX-1234567890VBOX_HARDDISK0VIRTUAL_DISKQEMU0001QEMU1234TEST-1234567890DESKTOP-TESTSANDBOX-PCANALYSIS-PCVirtual-1234567890VM-TEST-PCVM-ANALYSISVIRTUAL_MACHINE000000000000111111111111AAAAAAAAAAAABCDEF123456TEMP-CLONE-EC2-GCP-AZURE-AWS-LAB-PC-RESEARCH-MALWARE-ANALYSIS-123456789012987654321098ABCDEFGHIJKLTo be filled by O.E.M.System manufacturerNot ApplicableXen-KVM-Parallels-HyperV-Virtual-Bochs-0123-4567-89AB-CDEFFFFF-FFFF-FFFF-FFFF0000-0000-0000-00001111-1111-1111-1111SANDBOX_MALTEST_VIRUS_SECURITY_TEST_MACHINE_AUTO-TEST-CI-SERVER-BUILD-MACHINE-JENKINS-GITLAB-RUNNER-12345ABCDETEST1DEMO1TEMP11111-2222-3333-4444-5555-6666-77%Y-%m-%d %H:%M:%STimestamp (PT):
Source: data.exe | Binary or memory string: vm_usertest_adminmalwarelabanalysisstnsec_analystsysadminnetadminsupporthelpdeskservicesupervisormaintaincontrolscanmonitorUSERNAMEVBOXVIRTUALBOXORACLE VMINNOTEKSUN VIRTUALBOXVMWAREVM_VIRTUAL MACHINEVMXNETVMX86VSPCQEMUQEMU HARDDISKQEMU DVD-ROMQEMU VIRTUALQ35BO
Source: data.exe | Binary or memory string: VMWAREVM_VIRTUAL MACHINEVMXNETVMX86VSPCQEMUQEMU HARDDISKQEMU DVD-ROMQEMU VIRTUALQ35BOCHSXENHVM DOMUXEN VIRTUALXENVMXVMHYPER-VMICROSOFT VIRTUALVIRTUAL HDMICROSOFTVIRTUALMICROSOFT CORPORATIONPARALLELSPARALLELS VIRTUALPARALLELS PLATFORMPARALLELS TOOLSKVMQEMU/KVMK
Source: data.exe | Binary or memory string: PARALLELSPARALLELS VIRTUALPARALLELS PLATFORMPARALLELS TOOLSKVMQEMU/KVMKVM VIRTUALLINUX KVMRED HAT KVMVIRTUALBHYVEPROXMOXDOCKERLXCOPENVZCITRIXAMAZON EC2AWSGOOGLE COMPUTEGCPAZUREVAGRANTEC2AMAZONT2.MICROT3.MICROGOOGLE CLOUDMICROSOFT AZUREDIGITALOCEANLINODEVULTRSA
Source: tasklist.exe, 00000018.00000002.1742042633.00000134C5E20000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\Users\user\Desktop\C:\Windows\system32\tasklist.exe"tasklist" /fi "IMAGENAME eq vmwareuser.exe"C:\Windows\system32\tasklist.exeWinsta0\Default
Source: data.exe | Binary or memory string: LisaPaul Joneslabuserlabtechlabtestersandbox_uservm_usertest_adminmalwarelabanalysisstnsec_analystsysadminnetadminsupporthelpdeskservicesupervisormaintaincontrolscanmonitorUSERNAMEVBOXVIRTUALBOXORACLE VMINNOTEKSUN VIRTUALBOXVMWAREVM_VIRTUAL MACHINEVMXNETVMX86V
Source: data.exe | Binary or memory string: vm3dgl.dllvmrig.dllvmusb.dllvboxhook.dllvboxdisp.dllvboxservice.dlldbghelp.dllapi_log.dlldir_watch.dllwpespy.dllcigdll.dllpstorec.dllvmcheck.dllallerror.dllsample.dllsandbox.dllagent.dlldbgcore.dllavghook.dllavghooka.dlllog_api.dllapi_hook.dllapimon.dllapispy.
Source: data.exe | Binary or memory string: C:\Analysis\C:\Analyser\C:\Sandbox\C:\Malware\C:\Research\C:\Test\C:\windows\sysnative\drivers\prleth.sysC:\windows\sysnative\drivers\prlfs.sysC:\windows\sysnative\drivers\prlmouse.sysC:\windows\sysnative\drivers\prlvideo.sysC:\windows\sysnative\drivers\xennet
Source: getmac.exe, 0000000D.00000003.1723839005.000001BCB651D000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000000D.00000003.1723622903.000001BCB64DB000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000000D.00000002.1724545195.000001BCB6520000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SYSTEM\CurrentControlSet\Services\Hyper-V\Linkage
Source: data.exe | Binary or memory string: 0VIRTUAL_DISKQEMU0001QEMU1234TEST-1234567890DESKTOP-TESTSANDBOX-PCANALYSIS-PCVirtual-1234567890VM-TEST-PCVM-ANALYSISVIRTUAL_MACHINE000000000000111111111111AAAAAAAAAAAABCDEF123456TEMP-CLONE-EC2-GCP-AZURE-AWS-LAB-PC-RESEARCH-MALWARE-ANALYSIS-12345678901298765432
Source: tasklist.exe, 0000002C.00000003.1769103886.000001C8E2E97000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 0000002C.00000002.1769852625.000001C8E2EAB000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 0000002C.00000003.1769215795.000001C8E2EA9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: , ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'QEMU-SYSTEM-X86_64.EXE'0`
Source: tasklist.exe, 0000001E.00000002.1752141431.000001D59AF20000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: "tasklist" /fi "IMAGENAME eq vmware-authd.exe"
Source: tasklist.exe, 00000028.00000003.1762936104.0000025BE524C000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000028.00000002.1763830079.0000025BE524C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: tasklist/fiIMAGENAME eq qemu-ga.exeN
Source: data.exe | Binary or memory string: allerror.dllsample.dllsandbox.dllagent.dlldbgcore.dllavghook.dllavghooka.dlllog_api.dllapi_hook.dllapimon.dllapispy.dllregmon.dllfilemon.dllprocmon.dllsysmon.dllsyscall.dllhooks.dllmonitor.dlldefense.dllprotect.dllanalyzer.dlltrace.dllqemu-ga.dllparallels.dllp
Source: data.exe | Binary or memory string: XENVMXVMHYPER-VMICROSOFT VIRTUALVIRTUAL HDMICROSOFTVIRTUALMICROSOFT CORPORATIONPARALLELSPARALLELS VIRTUALPARALLELS PLATFORMPARALLELS TOOLSKVMQEMU/KVMKVM VIRTUALLINUX KVMRED HAT KVMVIRTUALBHYVEPROXMOXDOCKERLXCOPENVZCITRIXAMAZON EC2AWSGOOGLE COMPUTEGCPAZUREVAGRA
Source: data.exe | Binary or memory string: KVMQEMU/KVMKVM VIRTUALLINUX KVMRED HAT KVMVIRTUALBHYVEPROXMOXDOCKERLXCOPENVZCITRIXAMAZON EC2AWSGOOGLE COMPUTEGCPAZUREVAGRANTEC2AMAZONT2.MICROT3.MICROGOOGLE CLOUDMICROSOFT AZUREDIGITALOCEANLINODEVULTRSANDBOXVIRTUAL PLATFORMWINEANUBISCUCKOOJOEBOXVPCJETBRAINSHYBR
Source: data.exe | Binary or memory string: hooks.dllmonitor.dlldefense.dllprotect.dllanalyzer.dlltrace.dllqemu-ga.dllparallels.dllprl_tools.dllvpcmap.dllvmusbmouse.dllvmtray.dllwireshark.dllwindbg.dllollydbg.dllimmunity.dllghidra.dllida.dllx64dbg.dll
Source: tasklist.exe, 0000001E.00000002.1752083825.000001D59AF10000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: tasklist/fiIMAGENAME eq vmware-authd.exeTe,C
Source: data.exe, 00000000.00000002.2485496817.000001DFC201B000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 0000002C.00000003.1769103886.000001C8E2E97000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 0000002C.00000002.1769852625.000001C8E2EAB000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 0000002C.00000003.1769215795.000001C8E2EA9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: IMAGENAME eq qemu-system-x86_64.exe
Source: data.exe | Binary or memory string: VMXNETVMX86VSPCQEMUQEMU HARDDISKQEMU DVD-ROMQEMU VIRTUALQ35BOCHSXENHVM DOMUXEN VIRTUALXENVMXVMHYPER-VMICROSOFT VIRTUALVIRTUAL HDMICROSOFTVIRTUALMICROSOFT CORPORATIONPARALLELSPARALLELS VIRTUALPARALLELS PLATFORMPARALLELS TOOLSKVMQEMU/KVMKVM VIRTUALLINUX KVMRED H
Source: tasklist.exe, 0000001C.00000002.1749955209.000001B213E79000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'VMWARE-VMX.EXE'J!
Source: data.exe | Binary or memory string: HVM DOMUXEN VIRTUALXENVMXVMHYPER-VMICROSOFT VIRTUALVIRTUAL HDMICROSOFTVIRTUALMICROSOFT CORPORATIONPARALLELSPARALLELS VIRTUALPARALLELS PLATFORMPARALLELS TOOLSKVMQEMU/KVMKVM VIRTUALLINUX KVMRED HAT KVMVIRTUALBHYVEPROXMOXDOCKERLXCOPENVZCITRIXAMAZON EC2AWSGOOGLE C
Source: tasklist.exe, 00000016.00000002.1739805617.000002B092A50000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: tasklist/fiIMAGENAME eq vmwaretray.execal\Te
Source: tasklist.exe, 0000002C.00000003.1769327998.000001C8E2EC1000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 0000002C.00000002.1769852625.000001C8E2EAB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'QEMU-SYSTEM-X86_64.EXE'
Source: data.exe | Binary or memory string: Default string1234567890 NoneN/AAllDefaultSystem50023570840958302290236455696557BSS-01234567897865625393116424L1HF0CF008J3209-6896-4881-1621-1204-9357-891RLVSSVMware-42 23 54 12 34 56 78 90-12 34 56 78 90 12 34 56VMware-56 4d 14 aa bb cc dd ee-ff 00 11 22 33 4
Source: data.exe | Binary or memory string: test_adminmalwarelabanalysisstnsec_analystsysadminnetadminsupporthelpdeskservicesupervisormaintaincontrolscanmonitorUSERNAMEVBOXVIRTUALBOXORACLE VMINNOTEKSUN VIRTUALBOXVMWAREVM_VIRTUAL MACHINEVMXNETVMX86VSPCQEMUQEMU HARDDISKQEMU DVD-ROMQEMU VIRTUALQ35BOCHSXENH
Source: data.exe | Binary or memory string: C:\windows\sysnative\vboxmrxnp.dllC:\Program Files\Oracle\VirtualBox Guest Additions\C:\windows\sysnative\drivers\qemu-ga.sysC:\windows\sysnative\drivers\qemufwcfg.sysC:\windows\sysnative\drivers\qemupciserial.sysC:\sandcastle\C:\sandbox\C:\tools\sandbox\C:\Pr
Source: tasklist.exe, 00000018.00000002.1742042633.00000134C5E4B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: , ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'VMWAREUSER.EXE'0nnel
Source: data.exe | Binary or memory string: C:\windows\sysnative\drivers\prleth.sysC:\windows\sysnative\drivers\prlfs.sysC:\windows\sysnative\drivers\prlmouse.sysC:\windows\sysnative\drivers\prlvideo.sysC:\windows\sysnative\drivers\xennet.sysC:\windows\sysnative\drivers\xensvc.sysC:\windows\sysnative\dr
Source: tasklist.exe, 00000018.00000002.1742042633.00000134C5E20000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: "tasklist" /fi "IMAGENAME eq vmwareuser.exe"
Source: data.exe | Binary or memory string: scanmonitorUSERNAMEVBOXVIRTUALBOXORACLE VMINNOTEKSUN VIRTUALBOXVMWAREVM_VIRTUAL MACHINEVMXNETVMX86VSPCQEMUQEMU HARDDISKQEMU DVD-ROMQEMU VIRTUALQ35BOCHSXENHVM DOMUXEN VIRTUALXENVMXVMHYPER-VMICROSOFT VIRTUALVIRTUAL HDMICROSOFTVIRTUALMICROSOFT CORPORATIONPARALLEL
Source: data.exe | Binary or memory string: sysmon.dllsyscall.dllhooks.dllmonitor.dlldefense.dllprotect.dllanalyzer.dlltrace.dllqemu-ga.dllparallels.dllprl_tools.dllvpcmap.dllvmusbmouse.dllvmtray.dllwireshark.dllwindbg.dllollydbg.dllimmunity.dllghidra.dllida.dllx64dbg.dll
Source: data.exe | Binary or memory string: agent.dlldbgcore.dllavghook.dllavghooka.dlllog_api.dllapi_hook.dllapimon.dllapispy.dllregmon.dllfilemon.dllprocmon.dllsysmon.dllsyscall.dllhooks.dllmonitor.dlldefense.dllprotect.dllanalyzer.dlltrace.dllqemu-ga.dllparallels.dllprl_tools.dllvpcmap.dllvmusbmouse.
Source: tasklist.exe, 00000020.00000002.1754362631.0000025E1E4DB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: cQuery(SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'VBOXSERVICE.EXE');
Source: tasklist.exe, 00000022.00000003.1756516530.0000025874597000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000022.00000003.1756294925.0000025874591000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'VBOXTRAY.EXE'
Source: data.exe | Binary or memory string: Georgeharry johnsonLisaPaul Joneslabuserlabtechlabtestersandbox_uservm_usertest_adminmalwarelabanalysisstnsec_analystsysadminnetadminsupporthelpdeskservicesupervisormaintaincontrolscanmonitorUSERNAMEVBOXVIRTUALBOXORACLE VMINNOTEKSUN VIRTUALBOXVMWAREVM_VIRTUAL
Source: system_info.txt.0.dr | Binary or memory string: - vmware-vmx.exe
Source: data.exe, 00000000.00000002.2485496817.000001DFC201B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\Windows\qemu-ga.dll
Source: tasklist.exe, 00000014.00000003.1737442300.000001E562596000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: , ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'VMTOOLSD.EXE'0
Source: tasklist.exe, 00000018.00000003.1741168370.00000134C5E56000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'VMWAREUSER.EXE'
Source: tasklist.exe, 0000001C.00000002.1749768348.000001B213DC0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: tasklist/fiIMAGENAME eq vmware-vmx.execal\Te
Source: data.exe | Binary or memory string: L1HF0CF008J3209-6896-4881-1621-1204-9357-891RLVSSVMware-42 23 54 12 34 56 78 90-12 34 56 78 90 12 34 56VMware-56 4d 14 aa bb cc dd ee-ff 00 11 22 33 44 55 66VM-1234567890VMWVMware, Inc.VirtualBox-00 11 22 33 44 55 66 77-88 99 aa bb cc dd ee ffVBOX-1234567890VB
Source: data.exe | Binary or memory string: sysadminnetadminsupporthelpdeskservicesupervisormaintaincontrolscanmonitorUSERNAMEVBOXVIRTUALBOXORACLE VMINNOTEKSUN VIRTUALBOXVMWAREVM_VIRTUAL MACHINEVMXNETVMX86VSPCQEMUQEMU HARDDISKQEMU DVD-ROMQEMU VIRTUALQ35BOCHSXENHVM DOMUXEN VIRTUALXENVMXVMHYPER-VMICROSOFT
Source: tasklist.exe, 00000020.00000002.1754362631.0000025E1E4DB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: tasklist/fiIMAGENAME eq vboxservice.exeV
Source: data.exe | Binary or memory string: C:\Program Files\x64dbg\C:\Program Files\OllyDbg\C:\Analysis\C:\Analyser\C:\Sandbox\C:\Malware\C:\Research\C:\Test\C:\windows\sysnative\drivers\prleth.sysC:\windows\sysnative\drivers\prlfs.sysC:\windows\sysnative\drivers\prlmouse.sysC:\windows\sysnative\driver
Source: data.exe | Binary or memory string: C:\windows\sysnative\drivers\xennet.sysC:\windows\sysnative\drivers\xensvc.sysC:\windows\sysnative\drivers\xenvbd.sysvmtoolsd.exevmwaretray.exevmwareuser.exevmacthlp.exevmware-vmx.exevmware-authd.exevboxservice.exevboxtray.exevboxcontrol.exevboxheadless.exeqem
              Source: data.exe, 00000000.00000002.2485496817.000001DFC201B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: IMAGENAME eq vmware-authd.exes\Sandboxie\
              Source: getmac.exe, 0000000D.00000003.1723839005.000001BCB651D000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000000D.00000003.1723622903.000001BCB64DB000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000000D.00000002.1724545195.000001BCB6520000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: __PARAMETERSSYSTEM\CurrentControlSet\Services\Hyper-V\LinkageExport6
              Source: tasklist.exe, 00000028.00000002.1763706201.0000025BE5210000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Users\user\Desktop\C:\Windows\system32\tasklist.exe"tasklist" /fi "IMAGENAME eq qemu-ga.exe"C:\Windows\system32\tasklist.exeWinsta0\Default
              Source: tasklist.exe, 0000001C.00000002.1749955209.000001B213E79000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'VMWARE-VMX.EXE'b
              Source: tasklist.exe, 0000002A.00000003.1765434444.0000020257257000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 0000002A.00000003.1765550120.0000020257268000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 0000002A.00000002.1766358377.000002025726A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: , ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'QEMU-SYSTEM-X86.EXE'0
              Source: data.exeBinary or memory string: vboxhook.dllvboxdisp.dllvboxservice.dlldbghelp.dllapi_log.dlldir_watch.dllwpespy.dllcigdll.dllpstorec.dllvmcheck.dllallerror.dllsample.dllsandbox.dllagent.dlldbgcore.dllavghook.dllavghooka.dlllog_api.dllapi_hook.dllapimon.dllapispy.dllregmon.dllfilemon.dllproc
              Source: tasklist.exe, 00000018.00000002.1742374397.00000134C6040000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: tasklist/fiIMAGENAME eq vmwareuser.execal\Te
              Source: data.exeBinary or memory string: apimon.dllapispy.dllregmon.dllfilemon.dllprocmon.dllsysmon.dllsyscall.dllhooks.dllmonitor.dlldefense.dllprotect.dllanalyzer.dlltrace.dllqemu-ga.dllparallels.dllprl_tools.dllvpcmap.dllvmusbmouse.dllvmtray.dllwireshark.dllwindbg.dllollydbg.dllimmunity.dllghidra.
              Source: data.exeBinary or memory string: procmon.dllsysmon.dllsyscall.dllhooks.dllmonitor.dlldefense.dllprotect.dllanalyzer.dlltrace.dllqemu-ga.dllparallels.dllprl_tools.dllvpcmap.dllvmusbmouse.dllvmtray.dllwireshark.dllwindbg.dllollydbg.dllimmunity.dllghidra.dllida.dllx64dbg.dll
              Source: data.exeBinary or memory string: VBOX_HARDDISK0VIRTUAL_DISKQEMU0001QEMU1234TEST-1234567890DESKTOP-TESTSANDBOX-PCANALYSIS-PCVirtual-1234567890VM-TEST-PCVM-ANALYSISVIRTUAL_MACHINE000000000000111111111111AAAAAAAAAAAABCDEF123456TEMP-CLONE-EC2-GCP-AZURE-AWS-LAB-PC-RESEARCH-MALWARE-ANALYSIS-1234567
              Source: data.exeBinary or memory string: QEMU0001QEMU1234TEST-1234567890DESKTOP-TESTSANDBOX-PCANALYSIS-PCVirtual-1234567890VM-TEST-PCVM-ANALYSISVIRTUAL_MACHINE000000000000111111111111AAAAAAAAAAAABCDEF123456TEMP-CLONE-EC2-GCP-AZURE-AWS-LAB-PC-RESEARCH-MALWARE-ANALYSIS-123456789012987654321098ABCDEFGHI
              Source: data.exeBinary or memory string: harry johnsonLisaPaul Joneslabuserlabtechlabtestersandbox_uservm_usertest_adminmalwarelabanalysisstnsec_analystsysadminnetadminsupporthelpdeskservicesupervisormaintaincontrolscanmonitorUSERNAMEVBOXVIRTUALBOXORACLE VMINNOTEKSUN VIRTUALBOXVMWAREVM_VIRTUAL MACHIN
              Source: data.exeBinary or memory string: avghook.dllavghooka.dlllog_api.dllapi_hook.dllapimon.dllapispy.dllregmon.dllfilemon.dllprocmon.dllsysmon.dllsyscall.dllhooks.dllmonitor.dlldefense.dllprotect.dllanalyzer.dlltrace.dllqemu-ga.dllparallels.dllprl_tools.dllvpcmap.dllvmusbmouse.dllvmtray.dllwiresha
              Source: tasklist.exe, 00000014.00000003.1737442300.000001E562596000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: tasklist/fiIMAGENAME eq vmtoolsd.exe
              Source: data.exeBinary or memory string: AlBrunoFredGeorgeharry johnsonLisaPaul Joneslabuserlabtechlabtestersandbox_uservm_usertest_adminmalwarelabanalysisstnsec_analystsysadminnetadminsupporthelpdeskservicesupervisormaintaincontrolscanmonitorUSERNAMEVBOXVIRTUALBOXORACLE VMINNOTEKSUN VIRTUALBOXVMWARE
              Source: data.exeBinary or memory string: QEMU VIRTUALQ35BOCHSXENHVM DOMUXEN VIRTUALXENVMXVMHYPER-VMICROSOFT VIRTUALVIRTUAL HDMICROSOFTVIRTUALMICROSOFT CORPORATIONPARALLELSPARALLELS VIRTUALPARALLELS PLATFORMPARALLELS TOOLSKVMQEMU/KVMKVM VIRTUALLINUX KVMRED HAT KVMVIRTUALBHYVEPROXMOXDOCKERLXCOPENVZCITR
              Source: tasklist.exe, 00000014.00000002.1737825715.000001E562570000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: "tasklist" /fi "IMAGENAME eq vmtoolsd.exe"
              Source: tasklist.exe, 00000022.00000002.1757202842.0000025874599000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: cQuery(SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'VBOXTRAY.EXE');
              Source: data.exeBinary or memory string: C:\windows\sysnative\drivers\prlfs.sysC:\windows\sysnative\drivers\prlmouse.sysC:\windows\sysnative\drivers\prlvideo.sysC:\windows\sysnative\drivers\xennet.sysC:\windows\sysnative\drivers\xensvc.sysC:\windows\sysnative\drivers\xenvbd.sysvmtoolsd.exevmwaretray.
              Source: data.exeBinary or memory string: VMX86VSPCQEMUQEMU HARDDISKQEMU DVD-ROMQEMU VIRTUALQ35BOCHSXENHVM DOMUXEN VIRTUALXENVMXVMHYPER-VMICROSOFT VIRTUALVIRTUAL HDMICROSOFTVIRTUALMICROSOFT CORPORATIONPARALLELSPARALLELS VIRTUALPARALLELS PLATFORMPARALLELS TOOLSKVMQEMU/KVMKVM VIRTUALLINUX KVMRED HAT KVM
              Source: tasklist.exe, 00000014.00000003.1737442300.000001E562596000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: WMI.ExecQuery(SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'VMTOOLSD.EXE');
              Source: tasklist.exe, 00000028.00000003.1763350632.0000025BE525B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'QEMU-GA.EXE');
              Source: tasklist.exe, 00000016.00000003.1739349375.000002B0928B9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: WMI.ExecQuery(SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'VMWARETRAY.EXE');
              Source: tasklist.exe, 00000020.00000002.1754362631.0000025E1E4DB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'VBOXSERVICE.EXE'
              Source: data.exeBinary or memory string: sandboxmalwareanalysisanalyzerresearchsecuritytesttestertestingviruslabmaltestsamplesecurediagnosticvmwarevboxvirtualvmqemucuckooabbeyalalexbrunofredgeorgeharryjohnjohnsonjoneslisapaulpetersmithworkvtcdekkerhoneyhoneypotcurrentlocalaudittechdebugnulldummytempd
              Source: data.exeBinary or memory string: 2290236455696557BSS-01234567897865625393116424L1HF0CF008J3209-6896-4881-1621-1204-9357-891RLVSSVMware-42 23 54 12 34 56 78 90-12 34 56 78 90 12 34 56VMware-56 4d 14 aa bb cc dd ee-ff 00 11 22 33 44 55 66VM-1234567890VMWVMware, Inc.VirtualBox-00 11 22 33 44 55
              Source: data.exeBinary or memory string: VMware-56 4d 14 aa bb cc dd ee-ff 00 11 22 33 44 55 66VM-1234567890VMWVMware, Inc.VirtualBox-00 11 22 33 44 55 66 77-88 99 aa bb cc dd ee ffVBOX-1234567890VBOX_HARDDISK0VIRTUAL_DISKQEMU0001QEMU1234TEST-1234567890DESKTOP-TESTSANDBOX-PCANALYSIS-PCVirtual-1234567
              Source: data.exeBinary or memory string: VSPCQEMUQEMU HARDDISKQEMU DVD-ROMQEMU VIRTUALQ35BOCHSXENHVM DOMUXEN VIRTUALXENVMXVMHYPER-VMICROSOFT VIRTUALVIRTUAL HDMICROSOFTVIRTUALMICROSOFT CORPORATIONPARALLELSPARALLELS VIRTUALPARALLELS PLATFORMPARALLELS TOOLSKVMQEMU/KVMKVM VIRTUALLINUX KVMRED HAT KVMVIRTU
              Source: tasklist.exe, 00000020.00000003.1753841473.0000025E1E4D6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: B, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'VBOXSERVICE.EXE'0
              Source: data.exe, 00000000.00000002.2485496817.000001DFC201B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Windows\System32\Wbem\vmhgfs.dll
              Source: getmac.exe, 0000000D.00000003.1723622903.000001BCB64DB000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000000D.00000003.1723882712.000001BCB64EE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SetPropValue.sSubKeyName("SYSTEM\CurrentControlSet\Services\Hyper-V\Linkage");
              Source: tasklist.exe, 00000028.00000002.1763830079.0000025BE524C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'QEMU-GA.EXE'
              Source: data.exeBinary or memory string: AllDefaultSystem50023570840958302290236455696557BSS-01234567897865625393116424L1HF0CF008J3209-6896-4881-1621-1204-9357-891RLVSSVMware-42 23 54 12 34 56 78 90-12 34 56 78 90 12 34 56VMware-56 4d 14 aa bb cc dd ee-ff 00 11 22 33 44 55 66VM-1234567890VMWVMware, I
              Source: tasklist.exe, 0000001C.00000002.1749842289.000001B213E40000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: "tasklist" /fi "IMAGENAME eq vmware-vmx.exe"
              Source: tasklist.exe, 00000016.00000002.1739805617.000002B092A55000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'VMWARETRAY.EXE'I
              Source: data.exeBinary or memory string: VMware-42 23 54 12 34 56 78 90-12 34 56 78 90 12 34 56VMware-56 4d 14 aa bb cc dd ee-ff 00 11 22 33 44 55 66VM-1234567890VMWVMware, Inc.VirtualBox-00 11 22 33 44 55 66 77-88 99 aa bb cc dd ee ffVBOX-1234567890VBOX_HARDDISK0VIRTUAL_DISKQEMU0001QEMU1234TEST-1234
              Source: data.exeBinary or memory string: userdefaultsystemsandboxmalwareanalysisanalyzerresearchsecuritytesttestertestingviruslabmaltestsamplesecurediagnosticvmwarevboxvirtualvmqemucuckooabbeyalalexbrunofredgeorgeharryjohnjohnsonjoneslisapaulpetersmithworkvtcdekkerhoneyhoneypotcurrentlocalaudittechde
              Source: getmac.exe, 0000000D.00000003.1723622903.000001BCB64DB000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000000D.00000003.1723882712.000001BCB64EE000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000000D.00000002.1724545195.000001BCB64EF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_NetworkProtocolHyper-V RAWHyper-VRAWHyper-V RAWc
              Source: data.exeBinary or memory string: vmwaretray.exevmwareuser.exevmacthlp.exevmware-vmx.exevmware-authd.exevboxservice.exevboxtray.exevboxcontrol.exevboxheadless.exeqemu-ga.exeqemu-system-x86.exeqemu-system-x86_64.exesandboxie.exesbiesvc.exesbiectrl.exesandman.execockoo.exeanalyser.exewireshark.e
              Source: data.exeBinary or memory string: sandbox.dllagent.dlldbgcore.dllavghook.dllavghooka.dlllog_api.dllapi_hook.dllapimon.dllapispy.dllregmon.dllfilemon.dllprocmon.dllsysmon.dllsyscall.dllhooks.dllmonitor.dlldefense.dllprotect.dllanalyzer.dlltrace.dllqemu-ga.dllparallels.dllprl_tools.dllvpcmap.dll
              Source: data.exeBinary or memory string: C:\windows\sysnative\drivers\prlmouse.sysC:\windows\sysnative\drivers\prlvideo.sysC:\windows\sysnative\drivers\xennet.sysC:\windows\sysnative\drivers\xensvc.sysC:\windows\sysnative\drivers\xenvbd.sysvmtoolsd.exevmwaretray.exevmwareuser.exevmacthlp.exevmware-vm
              Source: data.exeBinary or memory string: C:\Analyser\C:\Sandbox\C:\Malware\C:\Research\C:\Test\C:\windows\sysnative\drivers\prleth.sysC:\windows\sysnative\drivers\prlfs.sysC:\windows\sysnative\drivers\prlmouse.sysC:\windows\sysnative\drivers\prlvideo.sysC:\windows\sysnative\drivers\xennet.sysC:\windo
              Source: data.exe, 00000000.00000002.2485496817.000001DFC201B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Windows\SYSTEM32\vboxservice.dll/
              Source: tasklist.exe, 00000018.00000003.1741168370.00000134C5E66000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: tasklist/fiIMAGENAME eq vmwareuser.exeHw
              Source: tasklist.exe, 0000001C.00000002.1749768348.000001B213DC5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'VMWARE-VMX.EXE'I
              Source: data.exeBinary or memory string: C:\windows\sysnative\drivers\vmx86.sysC:\windows\sysnative\drivers\vmnet.sysC:\Program Files\VMware\VMware Tools\C:\windows\sysnative\drivers\VBoxMouse.sysC:\windows\sysnative\drivers\VBoxGuest.sysC:\windows\sysnative\drivers\VBoxSF.sysC:\windows\sysnative\dri
              Source: tasklist.exe, 00000014.00000003.1737442300.000001E562596000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'VMTOOLSD.EXE'
              Source: data.exeBinary or memory string: vmhgfs.dllvm3dgl.dllvmrig.dllvmusb.dllvboxhook.dllvboxdisp.dllvboxservice.dlldbghelp.dllapi_log.dlldir_watch.dllwpespy.dllcigdll.dllpstorec.dllvmcheck.dllallerror.dllsample.dllsandbox.dllagent.dlldbgcore.dllavghook.dllavghooka.dlllog_api.dllapi_hook.dllapimon.
              Source: tasklist.exe, 00000018.00000002.1742042633.00000134C5E20000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: "tasklist" /fi "IMAGENAME eq vmwareuser.exe"Nl
              Source: data.exeBinary or memory string: Q35BOCHSXENHVM DOMUXEN VIRTUALXENVMXVMHYPER-VMICROSOFT VIRTUALVIRTUAL HDMICROSOFTVIRTUALMICROSOFT CORPORATIONPARALLELSPARALLELS VIRTUALPARALLELS PLATFORMPARALLELS TOOLSKVMQEMU/KVMKVM VIRTUALLINUX KVMRED HAT KVMVIRTUALBHYVEPROXMOXDOCKERLXCOPENVZCITRIXAMAZON EC2
              Source: system_info.txt.0.drBinary or memory string: - vmwareuser.exe
              Source: tasklist.exe, 00000014.00000002.1737874317.000001E5625AA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: cQuery(SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'VMTOOLSD.EXE');
              Source: data.exeBinary or memory string: C:\windows\sysnative\drivers\xensvc.sysC:\windows\sysnative\drivers\xenvbd.sysvmtoolsd.exevmwaretray.exevmwareuser.exevmacthlp.exevmware-vmx.exevmware-authd.exevboxservice.exevboxtray.exevboxcontrol.exevboxheadless.exeqemu-ga.exeqemu-system-x86.exeqemu-system-
              Source: tasklist.exe, 0000002C.00000002.1769852625.000001C8E2EAB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: cQuery(SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'QEMU-SYSTEM-X86_64.EXE');
              Source: data.exeBinary or memory string: C:\windows\sysnative\drivers\vmusbmouse.sysC:\windows\sysnative\drivers\vmrawdsk.sysC:\windows\sysnative\drivers\vmmemctl.sysC:\windows\sysnative\drivers\vmx86.sysC:\windows\sysnative\drivers\vmnet.sysC:\Program Files\VMware\VMware Tools\C:\windows\sysnative\d
              Source: data.exeBinary or memory string: Paul Joneslabuserlabtechlabtestersandbox_uservm_usertest_adminmalwarelabanalysisstnsec_analystsysadminnetadminsupporthelpdeskservicesupervisormaintaincontrolscanmonitorUSERNAMEVBOXVIRTUALBOXORACLE VMINNOTEKSUN VIRTUALBOXVMWAREVM_VIRTUAL MACHINEVMXNETVMX86VSPCQ
              Source: data.exeBinary or memory string: labmaltestsamplesecurediagnosticvmwarevboxvirtualvmqemucuckooabbeyalalexbrunofredgeorgeharryjohnjohnsonjoneslisapaulpetersmithworkvtcdekkerhoneyhoneypotcurrentlocalaudittechdebugnulldummytempdemoevalsophosmcafeesymanteckasperskyavastbitdefenderesettrendpandade
              Source: data.exeBinary or memory string: labtestersandbox_uservm_usertest_adminmalwarelabanalysisstnsec_analystsysadminnetadminsupporthelpdeskservicesupervisormaintaincontrolscanmonitorUSERNAMEVBOXVIRTUALBOXORACLE VMINNOTEKSUN VIRTUALBOXVMWAREVM_VIRTUAL MACHINEVMXNETVMX86VSPCQEMUQEMU HARDDISKQEMU DVD
              Source: tasklist.exe, 00000014.00000002.1737784059.000001E562560000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: tasklist/fiIMAGENAME eq vmtoolsd.exea\Local\Te
              Source: tasklist.exe, 00000018.00000003.1741168370.00000134C5E66000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: IMAGENAME eq vmwareuser.exe
              Source: data.exeBinary or memory string: vmsrvc.dllvmhgfs.dllvm3dgl.dllvmrig.dllvmusb.dllvboxhook.dllvboxdisp.dllvboxservice.dlldbghelp.dllapi_log.dlldir_watch.dllwpespy.dllcigdll.dllpstorec.dllvmcheck.dllallerror.dllsample.dllsandbox.dllagent.dlldbgcore.dllavghook.dllavghooka.dlllog_api.dllapi_hook.
              Source: tasklist.exe, 0000001C.00000002.1749955209.000001B213E79000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: cQuery(SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'VMWARE-VMX.EXE');
              Source: tasklist.exe, 00000022.00000002.1757018378.0000025874560000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: "tasklist" /fi "IMAGENAME eq vboxtray.exe"
              Source: data.exeBinary or memory string: QEMU HARDDISKQEMU DVD-ROMQEMU VIRTUALQ35BOCHSXENHVM DOMUXEN VIRTUALXENVMXVMHYPER-VMICROSOFT VIRTUALVIRTUAL HDMICROSOFTVIRTUALMICROSOFT CORPORATIONPARALLELSPARALLELS VIRTUALPARALLELS PLATFORMPARALLELS TOOLSKVMQEMU/KVMKVM VIRTUALLINUX KVMRED HAT KVMVIRTUALBHYVEP
              Source: tasklist.exe, 00000016.00000002.1739744379.000002B0928BA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'VMWARETRAY.EXE'
              Source: data.exe, 00000000.00000002.2485496817.000001DFC201B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Users\user\Desktop\vmhgfs.dll
              Source: data.exeBinary or memory string: C:\windows\sysnative\drivers\VBoxGuest.sysC:\windows\sysnative\drivers\VBoxSF.sysC:\windows\sysnative\drivers\VBoxVideo.sysC:\windows\sysnative\vboxdisp.dllC:\windows\sysnative\vboxhook.dllC:\windows\sysnative\vboxmrxnp.dllC:\Program Files\Oracle\VirtualBox Gu
              Source: tasklist.exe, 00000016.00000002.1739673980.000002B092880000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Users\user\Desktop\C:\Windows\system32\tasklist.exe"tasklist" /fi "IMAGENAME eq vmwaretray.exe"C:\Windows\system32\tasklist.exeWinsta0\Default
              Source: data.exeBinary or memory string: sbiedll.dllsf2.dllsnxhk.dllcmdvrt32.dllcmdvrt64.dllcyberghostvpn.dllvboxmrxnp.dllvmsrvc.dllvmhgfs.dllvm3dgl.dllvmrig.dllvmusb.dllvboxhook.dllvboxdisp.dllvboxservice.dlldbghelp.dllapi_log.dlldir_watch.dllwpespy.dllcigdll.dllpstorec.dllvmcheck.dllallerror.dllsam
              Source: data.exeBinary or memory string: securitytesttestertestingviruslabmaltestsamplesecurediagnosticvmwarevboxvirtualvmqemucuckooabbeyalalexbrunofredgeorgeharryjohnjohnsonjoneslisapaulpetersmithworkvtcdekkerhoneyhoneypotcurrentlocalaudittechdebugnulldummytempdemoevalsophosmcafeesymanteckasperskyav
              Source: tasklist.exe, 00000018.00000002.1742184142.00000134C5E66000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: cQuery(SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'VMWAREUSER.EXE');
              Source: data.exeBinary or memory string: C:\Test\C:\windows\sysnative\drivers\prleth.sysC:\windows\sysnative\drivers\prlfs.sysC:\windows\sysnative\drivers\prlmouse.sysC:\windows\sysnative\drivers\prlvideo.sysC:\windows\sysnative\drivers\xennet.sysC:\windows\sysnative\drivers\xensvc.sysC:\windows\sysn
              Source: data.exeBinary or memory string: vmusb.dllvboxhook.dllvboxdisp.dllvboxservice.dlldbghelp.dllapi_log.dlldir_watch.dllwpespy.dllcigdll.dllpstorec.dllvmcheck.dllallerror.dllsample.dllsandbox.dllagent.dlldbgcore.dllavghook.dllavghooka.dlllog_api.dllapi_hook.dllapimon.dllapispy.dllregmon.dllfilemo
              Source: data.exeBinary or memory string: rootguestuserdefaultsystemsandboxmalwareanalysisanalyzerresearchsecuritytesttestertestingviruslabmaltestsamplesecurediagnosticvmwarevboxvirtualvmqemucuckooabbeyalalexbrunofredgeorgeharryjohnjohnsonjoneslisapaulpetersmithworkvtcdekkerhoneyhoneypotcurrentlocalau
              Source: data.exeBinary or memory string: VirtualBox-00 11 22 33 44 55 66 77-88 99 aa bb cc dd ee ffVBOX-1234567890VBOX_HARDDISK0VIRTUAL_DISKQEMU0001QEMU1234TEST-1234567890DESKTOP-TESTSANDBOX-PCANALYSIS-PCVirtual-1234567890VM-TEST-PCVM-ANALYSISVIRTUAL_MACHINE000000000000111111111111AAAAAAAAAAAABCDEF12
              Source: system_info.txt.0.drBinary or memory string: - vboxservice.exe
              Source: tasklist.exe, 00000028.00000003.1762936104.0000025BE524C000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000028.00000002.1763830079.0000025BE524C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: IMAGENAME eq qemu-ga.exe
              Source: tasklist.exe, 00000028.00000002.1763961284.0000025BE54D5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'QEMU-GA.EXE'PRO
              Source: data.exeBinary or memory string: vboxvirtualvmqemucuckooabbeyalalexbrunofredgeorgeharryjohnjohnsonjoneslisapaulpetersmithworkvtcdekkerhoneyhoneypotcurrentlocalaudittechdebugnulldummytempdemoevalsophosmcafeesymanteckasperskyavastbitdefenderesettrendpandadefendercorpcyberinfosecforensicsinciden
              Source: data.exe, 00000000.00000002.2485496817.000001DFC201B000.00000004.00000020.00020000.00000000.sdmp, system_info.txt.0.drBinary or memory string: - vboxtray.exe
              Source: data.exeBinary or memory string: VBOX-1234567890VBOX_HARDDISK0VIRTUAL_DISKQEMU0001QEMU1234TEST-1234567890DESKTOP-TESTSANDBOX-PCANALYSIS-PCVirtual-1234567890VM-TEST-PCVM-ANALYSISVIRTUAL_MACHINE000000000000111111111111AAAAAAAAAAAABCDEF123456TEMP-CLONE-EC2-GCP-AZURE-AWS-LAB-PC-RESEARCH-MALWARE-A
              Source: tasklist.exe, 00000016.00000002.1739744379.000002B0928BA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'VMWARETRAY.EXE'J!
              Source: data.exeBinary or memory string: filemon.dllprocmon.dllsysmon.dllsyscall.dllhooks.dllmonitor.dlldefense.dllprotect.dllanalyzer.dlltrace.dllqemu-ga.dllparallels.dllprl_tools.dllvpcmap.dllvmusbmouse.dllvmtray.dllwireshark.dllwindbg.dllollydbg.dllimmunity.dllghidra.dllida.dllx64dbg.dll
              Source: data.exeBinary or memory string: C:\windows\sysnative\drivers\qemu-ga.sysC:\windows\sysnative\drivers\qemufwcfg.sysC:\windows\sysnative\drivers\qemupciserial.sysC:\sandcastle\C:\sandbox\C:\tools\sandbox\C:\Program Files\Sandboxie\C:\Program Files\Cuckoo\C:\Program Files\Joe Sandbox\C:\Program
              Source: data.exeBinary or memory string: maintaincontrolscanmonitorUSERNAMEVBOXVIRTUALBOXORACLE VMINNOTEKSUN VIRTUALBOXVMWAREVM_VIRTUAL MACHINEVMXNETVMX86VSPCQEMUQEMU HARDDISKQEMU DVD-ROMQEMU VIRTUALQ35BOCHSXENHVM DOMUXEN VIRTUALXENVMXVMHYPER-VMICROSOFT VIRTUALVIRTUAL HDMICROSOFTVIRTUALMICROSOFT CORP
              Source: data.exeBinary or memory string: qemu-system-x86_64.exesandboxie.exesbiesvc.exesbiectrl.exesandman.execockoo.exeanalyser.exewireshark.exefiddler.exeprocesshacker.exeprocmon.exeprocexp.exeida64.exeollydbg.exex32dbg.exex64dbg.exewindbg.exeprocmon64.exefilemon.exeregmon.exeidag.exeidaw.exeidaq.e
              Source: data.exeBinary or memory string: vmtoolsd.exevmwaretray.exevmwareuser.exevmacthlp.exevmware-vmx.exevmware-authd.exevboxservice.exevboxtray.exevboxcontrol.exevboxheadless.exeqemu-ga.exeqemu-system-x86.exeqemu-system-x86_64.exesandboxie.exesbiesvc.exesbiectrl.exesandman.execockoo.exeanalyser.ex
              Source: data.exeBinary or memory string: QEMU DVD-ROMQEMU VIRTUALQ35BOCHSXENHVM DOMUXEN VIRTUALXENVMXVMHYPER-VMICROSOFT VIRTUALVIRTUAL HDMICROSOFTVIRTUALMICROSOFT CORPORATIONPARALLELSPARALLELS VIRTUALPARALLELS PLATFORMPARALLELS TOOLSKVMQEMU/KVMKVM VIRTUALLINUX KVMRED HAT KVMVIRTUALBHYVEPROXMOXDOCKERL
              Source: data.exeBinary or memory string: analyzerresearchsecuritytesttestertestingviruslabmaltestsamplesecurediagnosticvmwarevboxvirtualvmqemucuckooabbeyalalexbrunofredgeorgeharryjohnjohnsonjoneslisapaulpetersmithworkvtcdekkerhoneyhoneypotcurrentlocalaudittechdebugnulldummytempdemoevalsophosmcafeesym
              Source: tasklist.exe, 0000002C.00000002.1770054138.000001C8E3070000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: tasklist/fiIMAGENAME eq qemu-system-x86_64.exeUsers\
              Source: data.exeBinary or memory string: cmdvrt64.dllcyberghostvpn.dllvboxmrxnp.dllvmsrvc.dllvmhgfs.dllvm3dgl.dllvmrig.dllvmusb.dllvboxhook.dllvboxdisp.dllvboxservice.dlldbghelp.dllapi_log.dlldir_watch.dllwpespy.dllcigdll.dllpstorec.dllvmcheck.dllallerror.dllsample.dllsandbox.dllagent.dlldbgcore.dlla
              Source: data.exeBinary or memory string: qemu-system-x86.exeqemu-system-x86_64.exesandboxie.exesbiesvc.exesbiectrl.exesandman.execockoo.exeanalyser.exewireshark.exefiddler.exeprocesshacker.exeprocmon.exeprocexp.exeida64.exeollydbg.exex32dbg.exex64dbg.exewindbg.exeprocmon64.exefilemon.exeregmon.exeida
              Source: data.exeBinary or memory string: monitorUSERNAMEVBOXVIRTUALBOXORACLE VMINNOTEKSUN VIRTUALBOXVMWAREVM_VIRTUAL MACHINEVMXNETVMX86VSPCQEMUQEMU HARDDISKQEMU DVD-ROMQEMU VIRTUALQ35BOCHSXENHVM DOMUXEN VIRTUALXENVMXVMHYPER-VMICROSOFT VIRTUALVIRTUAL HDMICROSOFTVIRTUALMICROSOFT CORPORATIONPARALLELSPAR
              Source: data.exeBinary or memory string: vboxservice.dlldbghelp.dllapi_log.dlldir_watch.dllwpespy.dllcigdll.dllpstorec.dllvmcheck.dllallerror.dllsample.dllsandbox.dllagent.dlldbgcore.dllavghook.dllavghooka.dlllog_api.dllapi_hook.dllapimon.dllapispy.dllregmon.dllfilemon.dllprocmon.dllsysmon.dllsyscall
              Source: data.exeBinary or memory string: cyberghostvpn.dllvboxmrxnp.dllvmsrvc.dllvmhgfs.dllvm3dgl.dllvmrig.dllvmusb.dllvboxhook.dllvboxdisp.dllvboxservice.dlldbghelp.dllapi_log.dlldir_watch.dllwpespy.dllcigdll.dllpstorec.dllvmcheck.dllallerror.dllsample.dllsandbox.dllagent.dlldbgcore.dllavghook.dllav
              Source: data.exeBinary or memory string: C:\windows\sysnative\vboxdisp.dllC:\windows\sysnative\vboxhook.dllC:\windows\sysnative\vboxmrxnp.dllC:\Program Files\Oracle\VirtualBox Guest Additions\C:\windows\sysnative\drivers\qemu-ga.sysC:\windows\sysnative\drivers\qemufwcfg.sysC:\windows\sysnative\driver
              Source: data.exeBinary or memory string: supervisormaintaincontrolscanmonitorUSERNAMEVBOXVIRTUALBOXORACLE VMINNOTEKSUN VIRTUALBOXVMWAREVM_VIRTUAL MACHINEVMXNETVMX86VSPCQEMUQEMU HARDDISKQEMU DVD-ROMQEMU VIRTUALQ35BOCHSXENHVM DOMUXEN VIRTUALXENVMXVMHYPER-VMICROSOFT VIRTUALVIRTUAL HDMICROSOFTVIRTUALMICR
              Source: data.exeBinary or memory string: testertestingviruslabmaltestsamplesecurediagnosticvmwarevboxvirtualvmqemucuckooabbeyalalexbrunofredgeorgeharryjohnjohnsonjoneslisapaulpetersmithworkvtcdekkerhoneyhoneypotcurrentlocalaudittechdebugnulldummytempdemoevalsophosmcafeesymanteckasperskyavastbitdefend
              Source: data.exeBinary or memory string: C:\Program Files\VMware\VMware Tools\C:\windows\sysnative\drivers\VBoxMouse.sysC:\windows\sysnative\drivers\VBoxGuest.sysC:\windows\sysnative\drivers\VBoxSF.sysC:\windows\sysnative\drivers\VBoxVideo.sysC:\windows\sysnative\vboxdisp.dllC:\windows\sysnative\vbox
              Source: data.exeBinary or memory string: vmwareuser.exevmacthlp.exevmware-vmx.exevmware-authd.exevboxservice.exevboxtray.exevboxcontrol.exevboxheadless.exeqemu-ga.exeqemu-system-x86.exeqemu-system-x86_64.exesandboxie.exesbiesvc.exesbiectrl.exesandman.execockoo.exeanalyser.exewireshark.exefiddler.exep
              Source: tasklist.exe, 00000020.00000002.1754236986.0000025E1E4A0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Users\user\Desktop\C:\Windows\system32\tasklist.exe"tasklist" /fi "IMAGENAME eq vboxservice.exe"C:\Windows\system32\tasklist.exeWinsta0\Default3`
              Source: data.exe, 00000000.00000002.2485496817.000001DFC201B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: qemu-system-x86_64.exeA
              Source: data.exeBinary or memory string: qemu-ga.exeqemu-system-x86.exeqemu-system-x86_64.exesandboxie.exesbiesvc.exesbiectrl.exesandman.execockoo.exeanalyser.exewireshark.exefiddler.exeprocesshacker.exeprocmon.exeprocexp.exeida64.exeollydbg.exex32dbg.exex64dbg.exewindbg.exeprocmon64.exefilemon.exere
              Source: data.exe, 00000000.00000002.2485496817.000001DFC201B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Windows\system32\vboxservice.dll"
              Source: data.exeBinary or memory string: researchsecuritytesttestertestingviruslabmaltestsamplesecurediagnosticvmwarevboxvirtualvmqemucuckooabbeyalalexbrunofredgeorgeharryjohnjohnsonjoneslisapaulpetersmithworkvtcdekkerhoneyhoneypotcurrentlocalaudittechdebugnulldummytempdemoevalsophosmcafeesymanteckas
              Source: tasklist.exe, 00000014.00000002.1737825715.000001E562570000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Users\user\Desktop\C:\Windows\system32\tasklist.exe"tasklist" /fi "IMAGENAME eq vmtoolsd.exe"C:\Windows\system32\tasklist.exeWinsta0\Default
              Source: data.exeBinary or memory string: vmcheck.dllallerror.dllsample.dllsandbox.dllagent.dlldbgcore.dllavghook.dllavghooka.dlllog_api.dllapi_hook.dllapimon.dllapispy.dllregmon.dllfilemon.dllprocmon.dllsysmon.dllsyscall.dllhooks.dllmonitor.dlldefense.dllprotect.dllanalyzer.dlltrace.dllqemu-ga.dllpar
              Source: data.exeBinary or memory string: api_hook.dllapimon.dllapispy.dllregmon.dllfilemon.dllprocmon.dllsysmon.dllsyscall.dllhooks.dllmonitor.dlldefense.dllprotect.dllanalyzer.dlltrace.dllqemu-ga.dllparallels.dllprl_tools.dllvpcmap.dllvmusbmouse.dllvmtray.dllwireshark.dllwindbg.dllollydbg.dllimmunit
              Source: data.exeBinary or memory string: C:\Research\C:\Test\C:\windows\sysnative\drivers\prleth.sysC:\windows\sysnative\drivers\prlfs.sysC:\windows\sysnative\drivers\prlmouse.sysC:\windows\sysnative\drivers\prlvideo.sysC:\windows\sysnative\drivers\xennet.sysC:\windows\sysnative\drivers\xensvc.sysC:\
              Source: tasklist.exe, 00000020.00000002.1754574566.0000025E1E7E5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'VBOXSERVICE.EXE's
              Source: system_info.txt.0.drBinary or memory string: - vmwaretray.exe
              Source: data.exeBinary or memory string: HYPER-VMICROSOFT VIRTUALVIRTUAL HDMICROSOFTVIRTUALMICROSOFT CORPORATIONPARALLELSPARALLELS VIRTUALPARALLELS PLATFORMPARALLELS TOOLSKVMQEMU/KVMKVM VIRTUALLINUX KVMRED HAT KVMVIRTUALBHYVEPROXMOXDOCKERLXCOPENVZCITRIXAMAZON EC2AWSGOOGLE COMPUTEGCPAZUREVAGRANTEC2AMA
              Source: system_info.txt.0.drBinary or memory string: - vmtoolsd.exe
              Source: data.exeBinary or memory string: C:\windows\sysnative\vboxhook.dllC:\windows\sysnative\vboxmrxnp.dllC:\Program Files\Oracle\VirtualBox Guest Additions\C:\windows\sysnative\drivers\qemu-ga.sysC:\windows\sysnative\drivers\qemufwcfg.sysC:\windows\sysnative\drivers\qemupciserial.sysC:\sandcastle\
              Source: data.exeBinary or memory string: apispy.dllregmon.dllfilemon.dllprocmon.dllsysmon.dllsyscall.dllhooks.dllmonitor.dlldefense.dllprotect.dllanalyzer.dlltrace.dllqemu-ga.dllparallels.dllprl_tools.dllvpcmap.dllvmusbmouse.dllvmtray.dllwireshark.dllwindbg.dllollydbg.dllimmunity.dllghidra.dllida.dll
              Source: data.exeBinary or memory string: adminrootguestuserdefaultsystemsandboxmalwareanalysisanalyzerresearchsecuritytesttestertestingviruslabmaltestsamplesecurediagnosticvmwarevboxvirtualvmqemucuckooabbeyalalexbrunofredgeorgeharryjohnjohnsonjoneslisapaulpetersmithworkvtcdekkerhoneyhoneypotcurrentlo
              Source: data.exeBinary or memory string: administratoradminrootguestuserdefaultsystemsandboxmalwareanalysisanalyzerresearchsecuritytesttestertestingviruslabmaltestsamplesecurediagnosticvmwarevboxvirtualvmqemucuckooabbeyalalexbrunofredgeorgeharryjohnjohnsonuserlisapaulpetersmithworkvtcdekkerhoneyhoneypotcurrentlocalaudittechdebugnulldummytempdemoevalsophosmcafeesymanteckasperskyavastbitdefenderesettrendpandadefendercorpcyberinfosecforensicsincidentreversesocblueteamredteamanalystanalyticresearchertestmaltestusertestsystemtestpctestboxnewuserstudentpocAdministratorAlBrunoFredGeorgeharry johnsonLisaPaul userlabuserlabtechlabtestersandbox_uservm_usertest_adminmalwarelabanalysisstnsec_analystsysadminnetadminsupporthelpdeskservicesupervisormaintaincontrolscanmonitorUSERNAMEVBOXVIRTUALBOXORACLE VMINNOTEKSUN VIRTUALBOXVMWAREVM_VIRTUAL MACHINEVMXNETVMX86VSPCQEMUQEMU HARDDISKQEMU DVD-ROMQEMU VIRTUALQ35BOCHSXENHVM DOMUXEN VIRTUALXENVMXVMHYPER-VMICROSOFT VIRTUALVIRTUAL HDMICROSOFTVIRTUALMICROSOFT CORPORATIONPARALLELSPARALLELS VIRTUALPARALLELS PLATFORMPARALLELS TOOLSKVMQEMU/KVMKVM VIRTUALLINUX KVMRED HAT KVMVIRTUALBHYVEPROXMOXDOCKERLXCOPENVZCITRIXAMAZON EC2AWSGOOGLE COMPUTEGCPAZUREVAGRANTEC2AMAZONT2.MICROT3.MICROGOOGLE CLOUDMICROSOFT AZUREDIGITALOCEANLINODEVULTRSANDBOXVIRTUAL PLATFORMWINEANUBISCUCKOOJOEBOXVPCJETBRAINSHYBRID ANALYSISVM PLATFORMVIRTUALIZEDPCVMGENERATIONVM INSTANCECLOUD INSTANCEcomputersystemgetmodel
              Source: data.exeBinary or memory string: C:\windows\sysnative\drivers\xenvbd.sysvmtoolsd.exevmwaretray.exevmwareuser.exevmacthlp.exevmware-vmx.exevmware-authd.exevboxservice.exevboxtray.exevboxcontrol.exevboxheadless.exeqemu-ga.exeqemu-system-x86.exeqemu-system-x86_64.exesandboxie.exesbiesvc.exesbiec
              Source: tasklist.exe, 00000014.00000002.1737784059.000001E562565000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'VMTOOLSD.EXE'PRO
              Source: tasklist.exe, 00000022.00000002.1757018378.0000025874591000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000022.00000003.1756294925.0000025874591000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: , ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'VBOXTRAY.EXE'0
              Source: data.exeBinary or memory string: C:\Malware\C:\Research\C:\Test\C:\windows\sysnative\drivers\prleth.sysC:\windows\sysnative\drivers\prlfs.sysC:\windows\sysnative\drivers\prlmouse.sysC:\windows\sysnative\drivers\prlvideo.sysC:\windows\sysnative\drivers\xennet.sysC:\windows\sysnative\drivers\xe
              Source: tasklist.exe, 0000001C.00000002.1749917881.000001B213E6C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: , ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'VMWARE-VMX.EXE'0z
              Source: data.exeBinary or memory string: defaultsystemsandboxmalwareanalysisanalyzerresearchsecuritytesttestertestingviruslabmaltestsamplesecurediagnosticvmwarevboxvirtualvmqemucuckooabbeyalalexbrunofredgeorgeharryjohnjohnsonjoneslisapaulpetersmithworkvtcdekkerhoneyhoneypotcurrentlocalaudittechdebugn
              Source: tasklist.exe, 0000001E.00000002.1752236174.000001D59AF60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'VMWARE-AUTHD.EXE'
              Source: tasklist.exe, 00000028.00000002.1763706201.0000025BE5210000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: "tasklist" /fi "IMAGENAME eq qemu-ga.exe"
              Source: tasklist.exe, 0000002C.00000002.1769661849.000001C8E2E70000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: "tasklist" /fi "IMAGENAME eq qemu-system-x86_64.exe"5
              Source: tasklist.exe, 00000020.00000002.1754236986.0000025E1E4A0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: "tasklist" /fi "IMAGENAME eq vboxservice.exe"w`
              Source: data.exeBinary or memory string: C:\Sandbox\C:\Malware\C:\Research\C:\Test\C:\windows\sysnative\drivers\prleth.sysC:\windows\sysnative\drivers\prlfs.sysC:\windows\sysnative\drivers\prlmouse.sysC:\windows\sysnative\drivers\prlvideo.sysC:\windows\sysnative\drivers\xennet.sysC:\windows\sysnative
              Source: data.exeBinary or memory string: VBOXVIRTUALBOXORACLE VMINNOTEKSUN VIRTUALBOXVMWAREVM_VIRTUAL MACHINEVMXNETVMX86VSPCQEMUQEMU HARDDISKQEMU DVD-ROMQEMU VIRTUALQ35BOCHSXENHVM DOMUXEN VIRTUALXENVMXVMHYPER-VMICROSOFT VIRTUALVIRTUAL HDMICROSOFTVIRTUALMICROSOFT CORPORATIONPARALLELSPARALLELS VIRTUALP
              Source: data.exeBinary or memory string: samplesecurediagnosticvmwarevboxvirtualvmqemucuckooabbeyalalexbrunofredgeorgeharryjohnjohnsonjoneslisapaulpetersmithworkvtcdekkerhoneyhoneypotcurrentlocalaudittechdebugnulldummytempdemoevalsophosmcafeesymanteckasperskyavastbitdefenderesettrendpandadefendercorp
              Source: tasklist.exe, 0000002C.00000002.1769661849.000001C8E2E70000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: "tasklist" /fi "IMAGENAME eq qemu-system-x86_64.exe"
              Source: data.exeBinary or memory string: syscall.dllhooks.dllmonitor.dlldefense.dllprotect.dllanalyzer.dlltrace.dllqemu-ga.dllparallels.dllprl_tools.dllvpcmap.dllvmusbmouse.dllvmtray.dllwireshark.dllwindbg.dllollydbg.dllimmunity.dllghidra.dllida.dllx64dbg.dll
              Source: tasklist.exe, 0000001E.00000002.1752236174.000001D59AF60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: IMAGENAME eq vmware-authd.exe
              Source: getmac.exe, 0000000D.00000003.1723622903.000001BCB64DB000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000000D.00000002.1724545195.000001BCB6502000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000000D.00000003.1723882712.000001BCB64EE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: "SYSTEM\CurrentControlSet\Services\Hyper-V\Linkage"?
              Source: tasklist.exe, 0000002A.00000003.1765434444.0000020257257000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 0000002A.00000003.1765550120.0000020257268000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 0000002A.00000002.1766358377.000002025726A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: IMAGENAME eq qemu-system-x86.exe
              Source: data.exeBinary or memory string: QEMUQEMU HARDDISKQEMU DVD-ROMQEMU VIRTUALQ35BOCHSXENHVM DOMUXEN VIRTUALXENVMXVMHYPER-VMICROSOFT VIRTUALVIRTUAL HDMICROSOFTVIRTUALMICROSOFT CORPORATIONPARALLELSPARALLELS VIRTUALPARALLELS PLATFORMPARALLELS TOOLSKVMQEMU/KVMKVM VIRTUALLINUX KVMRED HAT KVMVIRTUALBH
              Source: data.exe, 00000000.00000002.2485496817.000001DFC2010000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: indows\sysnative\drivers\vmmouse.sysa.dll4343578?
              Source: data.exeBinary or memory string: NoneN/AAllDefaultSystem50023570840958302290236455696557BSS-01234567897865625393116424L1HF0CF008J3209-6896-4881-1621-1204-9357-891RLVSSVMware-42 23 54 12 34 56 78 90-12 34 56 78 90 12 34 56VMware-56 4d 14 aa bb cc dd ee-ff 00 11 22 33 44 55 66VM-1234567890VMWVM
              Source: data.exeBinary or memory string: malwarelabanalysisstnsec_analystsysadminnetadminsupporthelpdeskservicesupervisormaintaincontrolscanmonitorUSERNAMEVBOXVIRTUALBOXORACLE VMINNOTEKSUN VIRTUALBOXVMWAREVM_VIRTUAL MACHINEVMXNETVMX86VSPCQEMUQEMU HARDDISKQEMU DVD-ROMQEMU VIRTUALQ35BOCHSXENHVM DOMUXEN
              Source: data.exeBinary or memory string: controlscanmonitorUSERNAMEVBOXVIRTUALBOXORACLE VMINNOTEKSUN VIRTUALBOXVMWAREVM_VIRTUAL MACHINEVMXNETVMX86VSPCQEMUQEMU HARDDISKQEMU DVD-ROMQEMU VIRTUALQ35BOCHSXENHVM DOMUXEN VIRTUALXENVMXVMHYPER-VMICROSOFT VIRTUALVIRTUAL HDMICROSOFTVIRTUALMICROSOFT CORPORATIONP
              Source: data.exeBinary or memory string: 50023570840958302290236455696557BSS-01234567897865625393116424L1HF0CF008J3209-6896-4881-1621-1204-9357-891RLVSSVMware-42 23 54 12 34 56 78 90-12 34 56 78 90 12 34 56VMware-56 4d 14 aa bb cc dd ee-ff 00 11 22 33 44 55 66VM-1234567890VMWVMware, Inc.VirtualBox-00
              Source: getmac.exe, 0000000D.00000003.1723622903.000001BCB64DB000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000000D.00000003.1723882712.000001BCB64EE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V`s
              Source: data.exeBinary or memory string: vboxtray.exevboxcontrol.exevboxheadless.exeqemu-ga.exeqemu-system-x86.exeqemu-system-x86_64.exesandboxie.exesbiesvc.exesbiectrl.exesandman.execockoo.exeanalyser.exewireshark.exefiddler.exeprocesshacker.exeprocmon.exeprocexp.exeida64.exeollydbg.exex32dbg.exex64
              Source: data.exeBinary or memory string: VMware, Inc.VirtualBox-00 11 22 33 44 55 66 77-88 99 aa bb cc dd ee ffVBOX-1234567890VBOX_HARDDISK0VIRTUAL_DISKQEMU0001QEMU1234TEST-1234567890DESKTOP-TESTSANDBOX-PCANALYSIS-PCVirtual-1234567890VM-TEST-PCVM-ANALYSISVIRTUAL_MACHINE000000000000111111111111AAAAAAA
              Source: tasklist.exe, 00000016.00000003.1739205548.000002B0928A5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: , ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'VMWARETRAY.EXE'0
              Source: tasklist.exe, 00000020.00000002.1754574566.0000025E1E7E0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: tasklist/fiIMAGENAME eq vboxservice.exel\TeW
              Source: tasklist.exe, 00000022.00000003.1756516530.0000025874597000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000022.00000003.1756294925.0000025874591000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: WMI.ExecQuery(SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'VBOXTRAY.EXE');
              Source: C:\Windows\System32\wbem\WMIC.exeProcess information queried: ProcessInformation
              Source: C:\Users\user\Desktop\data.exeCode function: 0_2_00007FF796360B84 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FF796360B84
              Source: C:\Users\user\Desktop\data.exeCode function: 0_2_00007FF7963522A0 WaitForSingleObjectEx,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetCurrentProcess,GetProcAddress,GetCurrentProcess,lstrlenW,GetCurrentProcessId,CreateMutexA,CloseHandle,GetProcAddress,GetCurrentProcess,GetProcAddress,GetCurrentProcess,ReleaseMutex,0_2_00007FF7963522A0
              Source: C:\Users\user\Desktop\data.exeCode function: 0_2_00007FF796345870 HeapAlloc,GetProcessHeap,HeapAlloc,0_2_00007FF796345870
              Source: C:\Windows\System32\tasklist.exeProcess token adjusted: Debug (29 occurrences)
              Source: C:\Users\user\Desktop\data.exeCode function: 0_2_00007FF796360D28 SetUnhandledExceptionFilter,0_2_00007FF796360D28
              Source: C:\Users\user\Desktop\data.exeCode function: 0_2_00007FF796360B84 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FF796360B84
              Source: C:\Users\user\Desktop\data.exeCode function: 0_2_00007FF796363A8C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00007FF796363A8C
              Source: C:\Users\user\Desktop\data.exeMemory allocated: page read and write | page guard
              Source: C:\Users\user\Desktop\data.exeProcess created: C:\Windows\System32\wbem\WMIC.exe "wmic" bios get serialnumber
              Source: C:\Users\user\Desktop\data.exeProcess created: C:\Windows\System32\wbem\WMIC.exe "wmic" baseboard get serialnumber
              Source: C:\Users\user\Desktop\data.exeProcess created: C:\Windows\System32\wbem\WMIC.exe "wmic" cpu get name
              Source: C:\Users\user\Desktop\data.exeProcess created: C:\Windows\System32\wbem\WMIC.exe "wmic" computersystem get totalphysicalmemory
              Source: C:\Users\user\Desktop\data.exeProcess created: C:\Windows\System32\wbem\WMIC.exe "wmic" diskdrive get model,size
              Source: C:\Users\user\Desktop\data.exeProcess created: C:\Windows\System32\wbem\WMIC.exe "wmic" /namespace:\\root\SecurityCenter2 path AntivirusProduct get displayName
              Source: C:\Users\user\Desktop\data.exeProcess created: C:\Windows\System32\getmac.exe "getmac"
              Source: C:\Users\user\Desktop\data.exeProcess created: C:\Windows\System32\systeminfo.exe "systeminfo"
              Source: C:\Users\user\Desktop\data.exeProcess created: C:\Windows\System32\wbem\WMIC.exe "wmic" computersystem get model
              Source: C:\Users\user\Desktop\data.exeProcess created: C:\Windows\System32\tasklist.exe "tasklist" /fi "IMAGENAME eq vmtoolsd.exe"
              Source: C:\Users\user\Desktop\data.exeProcess created: C:\Windows\System32\tasklist.exe "tasklist" /fi "IMAGENAME eq vmwaretray.exe"
              Source: C:\Users\user\Desktop\data.exeProcess created: C:\Windows\System32\wbem\WMIC.exe "wmic" /namespace:\\root\SecurityCenter2 path AntivirusProduct get displayName
              Source: C:\Users\user\Desktop\data.exeProcess created: C:\Windows\System32\tasklist.exe "tasklist" /fi "IMAGENAME eq vmacthlp.exe"
              Source: C:\Users\user\Desktop\data.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\data.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\data.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\data.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\data.exeProcess created: C:\Windows\System32\wbem\WMIC.exe "wmic" bios get serialnumber
              Source: C:\Users\user\Desktop\data.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\data.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\data.exeProcess created: C:\Windows\System32\tasklist.exe "tasklist" /fi "IMAGENAME eq vmwaretray.exe"
              Source: C:\Users\user\Desktop\data.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\data.exeProcess created: C:\Windows\System32\tasklist.exe "tasklist" /fi "IMAGENAME eq sandboxie.exe"
              Source: C:\Users\user\Desktop\data.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\data.exeProcess created: C:\Windows\System32\tasklist.exe "tasklist" /fi "IMAGENAME eq sbiectrl.exe"
              Source: C:\Users\user\Desktop\data.exeProcess created: C:\Windows\System32\tasklist.exe "tasklist" /fi "IMAGENAME eq sandman.exe"
              Source: C:\Users\user\Desktop\data.exeProcess created: C:\Windows\System32\wbem\WMIC.exe "wmic" cpu get name
              Source: C:\Users\user\Desktop\data.exeProcess created: C:\Windows\System32\tasklist.exe "tasklist" /fi "IMAGENAME eq analyser.exe"
              Source: C:\Users\user\Desktop\data.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\data.exeProcess created: C:\Windows\System32\systeminfo.exe "systeminfo"
              Source: C:\Users\user\Desktop\data.exeProcess created: C:\Windows\System32\tasklist.exe "tasklist" /fi "IMAGENAME eq processhacker.exe"
              Source: C:\Users\user\Desktop\data.exeProcess created: C:\Windows\System32\tasklist.exe "tasklist" /fi "IMAGENAME eq procmon.exe"
              Source: C:\Users\user\Desktop\data.exeProcess created: C:\Windows\System32\tasklist.exe "tasklist" /fi "IMAGENAME eq procexp.exe"
              Source: C:\Users\user\Desktop\data.exeProcess created: C:\Windows\System32\tasklist.exe "tasklist" /fi "IMAGENAME eq ida64.exe"
              Source: C:\Users\user\Desktop\data.exeProcess created: C:\Windows\System32\getmac.exe "getmac"
              Source: C:\Users\user\Desktop\data.exeProcess created: C:\Windows\System32\tasklist.exe "tasklist" /fi "IMAGENAME eq x32dbg.exe"
              Source: C:\Users\user\Desktop\data.exeProcess created: C:\Windows\System32\tasklist.exe "tasklist" /fi "IMAGENAME eq x64dbg.exe"
              Source: C:\Users\user\Desktop\data.exeProcess created: C:\Windows\System32\tasklist.exe "tasklist" /fi "IMAGENAME eq windbg.exe"
              Source: C:\Users\user\Desktop\data.exeProcess created: C:\Windows\System32\wbem\WMIC.exe "wmic" cpu get name
              Source: C:\Users\user\Desktop\data.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\data.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\data.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\data.exeProcess created: unknown unknown
              Source: C:\Users\user\Desktop\data.exeProcess created: unknown unknown
              Source: C:\Users\user\Desktop\data.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\data.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\data.exeProcess created: unknown unknown
              Source: C:\Users\user\Desktop\data.exeProcess created: C:\Windows\System32\tasklist.exe "tasklist" /fi "IMAGENAME eq sandman.exe"
              Source: C:\Users\user\Desktop\data.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\data.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\data.exeProcess created: unknown unknown
              Source: C:\Users\user\Desktop\data.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\data.exeProcess created: unknown unknown
              Source: C:\Users\user\Desktop\data.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\data.exeProcess created: C:\Windows\System32\tasklist.exe "tasklist" /fi "IMAGENAME eq vmtoolsd.exe"
              Source: C:\Users\user\Desktop\data.exeProcess created: unknown unknown
              Source: C:\Users\user\Desktop\data.exeProcess created: C:\Windows\System32\tasklist.exe "tasklist" /fi "IMAGENAME eq sandman.exe"
              Source: C:\Users\user\Desktop\data.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\data.exeProcess created: unknown unknown
              Source: C:\Users\user\Desktop\data.exeProcess created: unknown unknown
              Source: C:\Users\user\Desktop\data.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\data.exeProcess created: unknown unknown
              Source: C:\Users\user\Desktop\data.exeProcess created: unknown unknown
              Source: C:\Users\user\Desktop\data.exeProcess created: C:\Windows\System32\wbem\WMIC.exe "wmic" /namespace:\\root\SecurityCenter2 path AntivirusProduct get displayName
              Source: C:\Users\user\Desktop\data.exeProcess created: unknown unknown
              Source: C:\Users\user\Desktop\data.exeProcess created: unknown unknown
              Source: C:\Users\user\Desktop\data.exeProcess created: unknown unknown
              Source: C:\Users\user\Desktop\data.exeProcess created: C:\Windows\System32\tasklist.exe "tasklist" /fi "IMAGENAME eq vmtoolsd.exe"
              Source: C:\Users\user\Desktop\data.exeProcess created: unknown unknown
              Source: C:\Users\user\Desktop\data.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\data.exeProcess created: unknown unknown
              Source: C:\Users\user\Desktop\data.exeProcess created: unknown unknown
              Source: C:\Users\user\Desktop\data.exeProcess created: unknown unknown
              Source: C:\Users\user\Desktop\data.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\data.exeProcess created: unknown unknown
              Source: C:\Users\user\Desktop\data.exeCode function: 0_2_00007FF796347630 ProcessPrng,GetCurrentProcessId,ProcessPrng,CreateNamedPipeW,GetLastError,CloseHandle,ProcessPrng,0_2_00007FF796347630
              Source: C:\Users\user\Desktop\data.exeCode function: 0_2_00007FF796342350 GetSystemTimePreciseAsFileTime,0_2_00007FF796342350
              Source: C:\Users\user\Desktop\data.exeCode function: 0_2_00007FF7963352B0 GetTimeZoneInformationForYear,0_2_00007FF7963352B0
              Source: C:\Windows\System32\wbem\WMIC.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM AntivirusProduct
              Source: C:\Windows\System32\conhost.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
              Source: C:\Windows\System32\conhost.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
              Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM AntivirusProduct
              Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
              Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
              Mitre Att&ck Matrix (one line per tactic; the number the report shows next to a technique is kept in parentheses):

              Reconnaissance: Gather Victim Identity Information | Credentials | Email Addresses | Employee Names | Gather Victim Network Information | Domain Properties | DNS | Network Trust Dependencies
              Resource Development: Acquire Infrastructure | Domains | DNS Server | Virtual Private Server | Server | Botnet | Web Services | Serverless
              Initial Access: Valid Accounts | Default Accounts | Domain Accounts | Local Accounts | Cloud Accounts | Replication Through Removable Media | External Remote Services | Drive-by Compromise
              Execution: Windows Management Instrumentation (341) | Native API (1) | At | Cron | Launchd | Scheduled Task | Systemd Timers | Container Orchestration Job
              Persistence: DLL Side-Loading (1) | Boot or Logon Initialization Scripts | Logon Script (Windows) | Login Hook | Network Logon Script | RC Scripts | Startup Items | Scheduled Task/Job
              Privilege Escalation: Process Injection (12) | DLL Side-Loading (1) | Logon Script (Windows) | Login Hook | Network Logon Script | RC Scripts | Startup Items | Scheduled Task/Job
              Defense Evasion: Masquerading (1) | Virtualization/Sandbox Evasion (33) | Disable or Modify Tools (1) | Process Injection (12) | Deobfuscate/Decode Files or Information (1) | Obfuscated Files or Information (1) | Software Packing (1) | DLL Side-Loading (1)
              Credential Access: OS Credential Dumping | LSASS Memory | Security Account Manager | NTDS | LSA Secrets | Cached Domain Credentials | DCSync | Proc Filesystem
              Discovery: System Time Discovery (2) | Security Software Discovery (461) | Virtualization/Sandbox Evasion (33) | Process Discovery (2) | File and Directory Discovery (1) | System Information Discovery (124) | Remote System Discovery | System Owner/User Discovery
              Lateral Movement: Remote Services | Remote Desktop Protocol | SMB/Windows Admin Shares | Distributed Component Object Model | SSH | VNC | Windows Remote Management | Cloud Services
              Collection: Archive Collected Data (1) | Data from Removable Media | Data from Network Shared Drive | Input Capture | Keylogging | GUI Input Capture | Web Portal Capture | Credential API Hooking
              Command and Control: Encrypted Channel (2) | Junk Data | Steganography | Protocol Impersonation | Fallback Channels | Multiband Communication | Commonly Used Port | Application Layer Protocol
              Exfiltration: Exfiltration Over Other Network Medium | Exfiltration Over Bluetooth | Automated Exfiltration | Traffic Duplication | Scheduled Transfer | Data Transfer Size Limits | Exfiltration Over C2 Channel | Exfiltration Over Alternative Protocol
              Impact: Abuse Accessibility Features | Network Denial of Service | Data Encrypted for Impact | Data Destruction | Data Encrypted for Impact | Service Stop | Inhibit System Recovery | Defacement
Behavior Graph
  ID: 1578691   Sample: data.exe   Start date: 20/12/2024   Architecture: WINDOWS   Score: 80

  Signatures on the sample:
    Multi AV Scanner detection for submitted file
    Yara detected AntiVM3
    Machine Learning detection for sample
    Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

  Process tree (each child is marked "started"; signatures are listed under the process the graph attributes them to):
    data.exe  started
      Contain functionality to detect virtual machines
      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
      +-- WMIC.exe  started
      |     Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
      |     +-- conhost.exe  started
      |           Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
      |           Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
      +-- getmac.exe  started
      |     Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
      |     Writes or reads registry keys via WMI
      |     +-- conhost.exe  started
      +-- tasklist.exe  started
      |     +-- conhost.exe  started
      +-- 35 other processes
            Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
            +-- conhost.exe  started (three shown)
            +-- 32 other processes
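The process tree above is a compact reconnaissance burst: one user-launched binary spawning wmic, getmac and tasklist (and, judging by the dropped file, systeminfo) within a few seconds, each with its own conhost.exe. The following detection is an added example and is not part of the Joe Sandbox report. It runs over constructed process-creation events in the shape of Sysmon Event ID 1 or Security 4688 records, flags any parent outside an allowlist that launches three or more distinct inventory tools inside a 60-second window, and separately flags the single high-signal root\SecurityCenter2 AntivirusProduct query. The event timestamps, the benign-parent allowlist and the benign lookalike events are assumptions made for the example.

```python
"""Recon-burst detection over process-creation events (Sysmon Event ID 1 /
Security 4688 style). Added example; the events below are constructed to
mirror the process list in this report, not copied from it."""
from collections import defaultdict
from datetime import datetime, timedelta

# Built-in inventory tools the sample drives, per the process list.
RECON_TOOLS = {"wmic.exe", "getmac.exe", "tasklist.exe", "systeminfo.exe"}
# Assumption: parents expected to run these tools in bulk; tune per estate.
BENIGN_PARENTS = {r"c:\windows\system32\svchost.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def is_av_discovery(cmdline):
    """Single-event indicator: enumerating AntivirusProduct in root\\SecurityCenter2."""
    c = cmdline.lower()
    return "securitycenter2" in c and "antivirusproduct" in c


def detect_recon_bursts(events, window_s=60, min_distinct=3):
    """Report each non-allowlisted parent that launches at least `min_distinct`
    different inventory tools within `window_s` seconds.
    Returns a list of (parent_image, [cmdlines in the window])."""
    by_parent = defaultdict(list)
    for e in events:
        if basename(e["image"]) in RECON_TOOLS:
            by_parent[e["parent_image"]].append(e)

    hits = []
    for parent, evs in by_parent.items():
        if parent.lower() in BENIGN_PARENTS:
            continue
        evs.sort(key=lambda e: e["time"])
        for i, first in enumerate(evs):
            t0 = datetime.fromisoformat(first["time"])
            window = [e for e in evs[i:]
                      if datetime.fromisoformat(e["time"]) - t0 <= timedelta(seconds=window_s)]
            if len({basename(e["image"]) for e in window}) >= min_distinct:
                hits.append((parent, [e["cmdline"] for e in window]))
                break  # one alert per parent
    return hits


def ev(time, parent, image, cmdline):
    return {"time": time, "parent_image": parent, "image": image, "cmdline": cmdline}


STEALER = r"C:\Users\user\Desktop\data.exe"
SYS32 = r"C:\Windows\System32"
WMIC = SYS32 + r"\wbem\WMIC.exe"
# Constructed events: the stealer's burst, then two benign lookalikes.
SAMPLE_EVENTS = [
    ev("2024-12-20T05:15:57", STEALER, WMIC, '"wmic" bios get serialnumber'),
    ev("2024-12-20T05:15:57", STEALER, WMIC, '"wmic" baseboard get serialnumber'),
    ev("2024-12-20T05:15:58", STEALER, WMIC, '"wmic" cpu get name'),
    ev("2024-12-20T05:15:59", STEALER, WMIC, '"wmic" computersystem get totalphysicalmemory'),
    ev("2024-12-20T05:16:00", STEALER, WMIC, '"wmic" diskdrive get model,size'),
    ev("2024-12-20T05:16:01", STEALER, WMIC,
       r'"wmic" /namespace:\\root\SecurityCenter2 path AntivirusProduct get displayName'),
    ev("2024-12-20T05:16:02", STEALER, SYS32 + r"\getmac.exe", "getmac"),
    ev("2024-12-20T05:16:03", STEALER, SYS32 + r"\tasklist.exe", "tasklist"),
    ev("2024-12-20T05:16:04", STEALER, SYS32 + r"\systeminfo.exe", "systeminfo"),
    ev("2024-12-20T05:20:00", SYS32 + r"\cmd.exe", SYS32 + r"\tasklist.exe", "tasklist /svc"),
    ev("2024-12-20T05:21:00", SYS32 + r"\svchost.exe", WMIC, "wmic os get caption"),
]

if __name__ == "__main__":
    for parent, cmds in detect_recon_bursts(SAMPLE_EVENTS):
        print(f"recon burst from {parent}: {len(cmds)} inventory commands in 60 s")
    for e in SAMPLE_EVENTS:
        if is_av_discovery(e["cmdline"]):
            print("AV discovery:", e["cmdline"])
```

On the constructed input only data.exe is reported (nine inventory commands, four distinct tools); the lone tasklist from cmd.exe and the wmic from the allowlisted svchost.exe do not trip the burst rule, while the SecurityCenter2 query is reported on its own because a single occurrence of it from a non-security product is already worth a look.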

Antivirus, Machine Learning and Genetic Malware Detection
  Source    Detection  Scanner         Label  Link
  data.exe  11%        ReversingLabs
  data.exe  10%        Virustotal             Browse
  data.exe  100%       Joe Sandbox ML
  No Antivirus matches (reported for each of the four remaining scan categories)
Domains
  Name: default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com
  IP: 217.20.58.99
  Active: true
  Malicious: false
  Antivirus Detection: none
  Reputation: high
URLs (from memory dumps and binary strings)
  Source for all five api.telegram.org entries: data.exe, 00000000.00000002.2485496817.000001DFC201B000.00000004.00000020.00020000.00000000.sdmp
  Name: https://api.telegram.org/bot7068399075:AAEU8zRzCqB0URyCZuIuzOS0iXNMCPf1hu4/sendDocument   Malicious: false   Reputation: high
  Name: https://api.telegram.org/bot7068399075:AAEU8zRzCqB0URyCZuIuzOS0iXNMCPf1hu4o   Malicious: false   Reputation: high
  Name: https://api.telegram.org/bot7068399075:AAEU8zRzCqB0URyCZuIuzOS0iXNMCPf1hu4o.txt   Malicious: false   Reputation: high
  Name: https://api.telegram.org/bot6-77a   Malicious: false   Reputation: high
  Name: https://api.telegram.org/bot6-77aLoc   Malicious: false   Reputation: high
  Name: https://docs.rs/getrandom#nodejs-es-module-support   Source: data.exe   Malicious: false   Reputation: high

  The first entry is the Telegram Bot API sendDocument method addressed with a bot token (the bot<id>:<secret> path element); sendDocument uploads a file, which matches the dropped inventory text file below. The four shorter api.telegram.org entries appear to be overlapping fragments of the same string as found in the memory dump. "Malicious: false" and "Reputation: high" describe api.telegram.org as a domain, not this bot. The docs.rs URL is a diagnostic string embedded by the Rust getrandom crate and is not network activity.
                            No contacted IP infos
                            Joe Sandbox version:41.0.0 Charoite
                            Analysis ID:1578691
                            Start date and time:2024-12-20 05:15:06 +01:00
                            Joe Sandbox product:CloudBasic
                            Overall analysis duration:0h 6m 29s
                            Hypervisor based Inspection enabled:false
                            Report type:full
                            Cookbook file name:default.jbs
                            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:78
                            Number of new started drivers analysed:0
                            Number of existing processes analysed:0
                            Number of existing drivers analysed:0
                            Number of injected processes analysed:0
                            Technologies:
                            • HCA enabled
                            • EGA enabled
                            • AMSI enabled
                            Analysis Mode:default
                            Analysis stop reason:Timeout
                            Sample name:data.exe
                            Detection:MAL
                            Classification:mal80.evad.winEXE@135/1@0/0
                            EGA Information:
                            • Successful, ratio: 100%
                            HCA Information:
                            • Successful, ratio: 100%
                            • Number of executed functions: 16
                            • Number of non-executed functions: 57
                            Cookbook Comments:
                            • Found application associated with file extension: .exe
                            • Stop behavior analysis, all processes terminated
                            • Exclude process from analysis (whitelisted): WmiPrvSE.exe
                            • Excluded IPs from analysis (whitelisted): 172.202.163.200, 40.69.42.241, 13.107.246.63
• Excluded domains from analysis (whitelisted): fe3.delivery.mp.microsoft.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, ctldl.windowsupdate.com, api.telegram.org, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net, fe3cr.delivery.mp.microsoft.com. Note that api.telegram.org is on this list: the sample's strings reference https://api.telegram.org/bot<token>/sendDocument, so any upload of the dropped inventory file to that endpoint would not appear in the network sections of this report, and "No contacted IP infos" should be read with that in mind.
• Not all processes were analyzed, report is missing behavior information
                            • Report size exceeded maximum capacity and may have missing behavior information.
Time      Type             Description
23:15:57  API Interceptor  7x Sleep call for process: WMIC.exe modified
IP context: No context

Domain context for default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com (Associated Sample Name / Detection / Threat Name / Context IP; each entry links to a hash and a Browse page):
  4hSuRTwnWJ.dll       malicious  Unknown                 217.20.58.100
  YinLHGpoX4.vbs       malicious  GuLoader, RHADAMANTHYS  217.20.58.99
  gCXzb0K8Ci.ps1       malicious  Unknown                 217.20.58.99
  H2PspQWoHE.ps1       malicious  Unknown                 84.201.212.68
  H6epOhxoPY.ps1       malicious  Unknown                 217.20.58.100
  KcKtHBkskI.ps1       malicious  Unknown                 217.20.58.100
  1M1QoJF40r.ps1       malicious  Unknown                 84.201.211.18
  v4BET4inNV.vbs       malicious  GuLoader                217.20.58.101
  FjfZ7uM8zh.lnk       malicious  Unknown                 217.20.58.100
  t5lpvahkgypd7wy.vbs  malicious  GuLoader, RHADAMANTHYS  217.20.58.98

  The mix of unrelated families and "Unknown" samples sharing this hostname, together with the "microsoft" label in it and the report marking it not malicious, points to background traffic from the analysis VM rather than an indicator specific to data.exe; do not treat it as an IOC for this sample without corroboration.

Remaining context sections (ASN, JA3 fingerprint, dropped files): No context
                            Process:C:\Users\user\Desktop\data.exe
                            File Type:ASCII text, with CRLF, CR, LF line terminators
                            Category:dropped
                            Size (bytes):4319
                            Entropy (8bit):4.906162746100535
                            Encrypted:false
                            SSDEEP:96:d5fTvqjuDyC2+b28r6SkKdQehV+Uq1OgqCXg2ASqQ8uoc3:HbvmC2+SE6SkKJhVtgFXUo8o3
                            MD5:17CD8C6E15B6CA5F929C287306567A0C
                            SHA1:8E2853036A77A6DE7CA5E97A3BA2A36E94B1046E
                            SHA-256:3C7AC057935707D3655600A5B44BFACBD14F570E0DF17B7DB414690DA78CABE1
                            SHA-512:1B2A9BD4780574AE1963CA4F5385ABE72EB1E8A54C62E544240580737D640A4EB9D97E0952B77AB36108365470F0DC2399C85A383C44772F501E782480B9CDA0
                            Malicious:false
Preview (the export renders CR/LF bytes as "."; the line structure of the file is restored here with field values unchanged; the "..." inside a field is wmic's CR CR LF between column header and value as captured by the sample):
  Timestamp (PT): 2024-12-20 00:26:39
  Computer Name: user-PC
  User Name: user
  BIOS Serial Number: SerialNumber ...LXFEZ4DKRK
  Motherboard Serial Number: SerialNumber ...7016943112347789
  CPU Info: Name ...Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz ...Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz
  Total RAM: TotalPhysicalMemory ...4293971968
  Disk Info: Model Size ...UFVDLPVY SCSI Disk Device 412300001200
  Antivirus: displayName ...Windows Defender
  MAC Address: Physical Address Transport Name ..=================== ==========================================================..EC-F4-BB-EA-15-88 \Device\Tcpip_{E3B92EAA-F5C7-47F8-A487-F466F42035A1}
  System Info: Host Name: user-PC..OS Name: Microsoft Windows 10 Pro..OS Version: 10.0.19045 N/A Build 19045..OS Manufacturer: Microsoft Corporation..OS Configuration: Sta
  (preview truncated in the report)

  Each field is the captured output of one child process in the process list: the five wmic queries (bios, baseboard, cpu, computersystem, diskdrive), the root\SecurityCenter2 AntivirusProduct query, getmac, and a block in the output format of systeminfo. The file is therefore the host fingerprint the sample collects, and the sendDocument URL in the strings section is the matching upload method.
                            File type:PE32+ executable (GUI) x86-64, for MS Windows
                            Entropy (8bit):6.309178734788521
                            TrID:
                            • Win64 Executable GUI (202006/5) 92.65%
                            • Win64 Executable (generic) (12005/4) 5.51%
                            • Generic Win/DOS Executable (2004/3) 0.92%
                            • DOS Executable Generic (2002/1) 0.92%
                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                            File name:data.exe
                            File size:420'864 bytes
                            MD5:be36675f14fb0099896527084200cc80
                            SHA1:7f004012c05fca17a746629179463f6274c48055
                            SHA256:025134d77dcd4ab189301ed58a5c6f5046ac71e2fc3c017fce4122529fc0d7e8
                            SHA512:a0eef8bd56f40809cb6ec0b0521557d9e8ea663604637ec39e63866fcc9c34f6dd4c295857712a6c46a02e99edfec74d00e8751eaeb36cd881a70e8fc4f34af1
                            SSDEEP:6144:dqh3KvUR6Soc0bC4FJ0pJc5N8yo6LkFwoElxGUJ4d6PMvWGqRQ7s/:dAKswSobJqL6LkqSUjMv6m7K
                            TLSH:FA946D16FE9919ACD09AC0B4820646736A36B4CE0731BDFF52C492357E69AF42F3C758
                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........aj]..9]..9]..9T..9S..9LT.8T..9LT.8Q..9LT.8u..9...8M..9]..9...9]..9e..9.T.9\..9.T.8\..9Rich]..9........................PE..d..
                            Icon Hash:90cececece8e8eb0
                            Entrypoint:0x140040770
                            Entrypoint Section:.text
                            Digitally signed:false
                            Imagebase:0x140000000
                            Subsystem:windows gui
                            Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                            DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                            Time Stamp:0x6764EDBC [Fri Dec 20 04:08:28 2024 UTC]
TLS Callbacks:0x400320d0, 0x1 (one callback; the address appears truncated to 32 bits in the report, since with image base 0x140000000 the full VA would be 0x1400320d0, RVA 0x320d0, which lies inside .text)
                            CLR (.Net) Version:
                            OS Version Major:6
                            OS Version Minor:0
                            File Version Major:6
                            File Version Minor:0
                            Subsystem Version Major:6
                            Subsystem Version Minor:0
                            Import Hash:67900e6c89da1700ad08c2a651600941
Instruction (entrypoint disassembly as exported; the report decodes this x64 code with a 32-bit disassembler, so each leading "dec eax", "dec esp" or "dec ebp" is really a REX prefix byte (0x48, 0x4C, 0x4D) belonging to the following 64-bit instruction: "dec eax; sub esp, 28h" is sub rsp, 28h, "dec esp; mov dword ptr [esp], edx" is mov [rsp], r10, and so on. The second routine after the nop is recognisable as the MSVC __chkstk stack probe; the last four lines are a misaligned decode and should not be read as code.)
  dec eax
  sub esp, 28h
  call 00007F241CA04428h
  dec eax
  add esp, 28h
  jmp 00007F241CA03FB7h
  int3   (x20, function padding)
  nop word ptr [eax+eax+00000000h]
  dec eax
  sub esp, 10h
  dec esp
  mov dword ptr [esp], edx
  dec esp
  mov dword ptr [esp+08h], ebx
  dec ebp
  xor ebx, ebx
  dec esp
  lea edx, dword ptr [esp+18h]
  dec esp
  sub edx, eax
  dec ebp
  cmovb edx, ebx
  dec esp
  mov ebx, dword ptr [00000010h]
  dec ebp
  cmp edx, ebx
  jnc 00007F241CA04158h
  inc cx
  and edx, 8D4DF000h
  wait
  add al, dh
Programming Language:
• [IMP] VS2008 SP1 build 30729 (import-table heuristic; it dates the linked CRT, not the source language. The strings and imports say more: the https://docs.rs/getrandom URL listed above is embedded by the Rust getrandom crate, and bcryptprimitives!ProcessPrng together with the WaitOnAddress/WakeByAddress imports match the Rust standard library on Windows, so the binary is best read as Rust built for the x86_64 MSVC target.)
Data directories
  Name                                  Virtual Address  Virtual Size  Is in Section
  IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
  IMAGE_DIRECTORY_ENTRY_IMPORT          0x62b74          0x104         .rdata
  IMAGE_DIRECTORY_ENTRY_RESOURCE        0x69000          0x1f8         .rsrc
  IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x65000          0x2b74        .pdata
  IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
  IMAGE_DIRECTORY_ENTRY_BASERELOC       0x6a000          0x728         .reloc
  IMAGE_DIRECTORY_ENTRY_DEBUG           0x5b640          0x54          .rdata
  IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
  IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
  IMAGE_DIRECTORY_ENTRY_TLS             0x5b800          0x28          .rdata
  IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x5b500          0x140         .rdata
  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
  IMAGE_DIRECTORY_ENTRY_IAT             0x48000          0x458         .rdata
  IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
  IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
  IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Sections
  Name      Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity  File Type  Entropy  Characteristics
  .text     0x1000           0x46780       0x46800   dad5897d17c917f2f26832e7c034b955  False     0.4870           data       6.3055   IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
  .rdata    0x48000          0x1bbb2       0x1bc00   11928a351ec6e6a2b95448cd73f761fb  False     0.3848           data       5.5257   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
  .data     0x64000          0xac0         0x200     42b3fc86aa605934650a297cfcaa927e  False     0.2832           data       2.4304   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
  .pdata    0x65000          0x2b74        0x2c00    8097c06a5587c98b7b5310b49bd89804  False     0.4888           data       5.6871   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
  .padding  0x68000          0xbbb         0xc00     5fdce7897872d21a46b4066c4200d043  False     0.9964           data       7.9098   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
  .rsrc     0x69000          0x1f8         0x200     26cd93c03b58a409e09faf1c46f13218  False     0.4844           data       2.8303   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
  .reloc    0x6a000          0x728         0x800     ed3acf8bcfa5e93087de6b3309692bc2  False     0.5918           data       5.1692   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

  .padding is the section behind the "PE file contains sections with non-standard names" signature: 0xbbb bytes at entropy 7.91 and ZLIB complexity 0.996, i.e. near-random content that compresses no further, typical of an encrypted blob or of junk inserted at build time to change the file hash. The code section itself sits at 6.31, which is normal for unpacked x64 code.
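The section table is the static check most worth automating from this report: a section name outside the usual MSVC set combined with near-random content. The parser below is an added example and not the sandbox's own implementation; it walks the PE section headers with the standard library only, computes the same raw-data Shannon entropy the table's Entropy column reports, and flags sections by name and entropy. The PE it analyses is constructed by build_test_pe() for the example (three sections, one of them a 0xbbb-byte near-random ".padding" blob mirroring the table above); it is not the sample, and the threshold of 7.0 bits per byte is an assumption to tune.

```python
"""Section-header parser with per-section Shannon entropy, to reproduce the
check behind the report's section table (non-standard name + near-random
content). Added example; the PE built by build_test_pe() is constructed."""
import hashlib
import math
import struct

STANDARD_SECTIONS = {".text", ".rdata", ".data", ".pdata", ".rsrc", ".reloc",
                     ".idata", ".edata", ".tls", ".bss", ".xdata", ".crt"}
SECTION_HDR = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes


def shannon_entropy(data):
    """Bits per byte: 0.0 for empty input, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe):
    """Walk IMAGE_FILE_HEADER to the section table; entropy is over raw file data."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections, _ts, _sym, _nsym, size_opt = struct.unpack_from("<HIIIH", pe, e_lfanew + 6)
    off = e_lfanew + 24 + size_opt  # section table follows the optional header
    sections = []
    for _ in range(num_sections):
        name, vsize, va, raw_size, raw_ptr, _, _, _, _, chars = struct.unpack_from(SECTION_HDR, pe, off)
        raw = pe[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_address": va, "virtual_size": vsize,
                         "raw_size": raw_size, "characteristics": chars,
                         "entropy": shannon_entropy(raw)})
        off += struct.calcsize(SECTION_HDR)
    return sections


def suspicious_sections(sections, entropy_threshold=7.0):
    """Flag names outside the common set and near-random content (packed, encrypted or junk)."""
    findings = []
    for s in sections:
        reasons = []
        if s["name"].lower() not in STANDARD_SECTIONS:
            reasons.append("non-standard name")
        if s["entropy"] >= entropy_threshold:
            reasons.append("high entropy %.2f" % s["entropy"])
        if reasons:
            findings.append((s["name"], reasons))
    return findings


def build_test_pe(sections, opt_size=240):
    """Constructed minimal PE32+ (x64, 240-byte optional header) carrying the given
    [(name, raw_bytes)] sections; only the fields parse_sections() reads are filled."""
    first_raw = (64 + 4 + 20 + opt_size + 40 * len(sections) + 511) // 512 * 512
    headers, body, va = b"", b"", 0x1000
    for name, data in sections:
        raw_size = (len(data) + 511) // 512 * 512            # FileAlignment 0x200
        headers += struct.pack(SECTION_HDR, name.encode().ljust(8, b"\0"), len(data), va,
                               raw_size, first_raw + len(body), 0, 0, 0, 0, 0x40000040)
        body += data.ljust(raw_size, b"\0")
        va += (len(data) + 0xFFF) // 0x1000 * 0x1000          # SectionAlignment 0x1000
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)           # e_lfanew = 64
    file_hdr = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, opt_size, 0x22)
    opt_hdr = struct.pack("<H", 0x20B).ljust(opt_size, b"\0")  # PE32+ magic
    return (dos + b"PE\0\0" + file_hdr + opt_hdr + headers).ljust(first_raw, b"\0") + body


# Constructed sample: plain code bytes, zeroed data, and a 0xbbb-byte blob of
# near-random content under a non-standard name, mirroring the report's .padding.
JUNK = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(94))[:0xBBB]
SAMPLE_PE = build_test_pe([
    (".text", b"\x48\x83\xec\x28\xe8\x00\x00\x00\x00\xc3" * 100),
    (".data", b"\x00" * 200),
    (".padding", JUNK),
])

if __name__ == "__main__":
    for s in parse_sections(SAMPLE_PE):
        print("%-9s va=0x%05x raw=0x%04x entropy=%.2f"
              % (s["name"], s["virtual_address"], s["raw_size"], s["entropy"]))
    print(suspicious_sections(parse_sections(SAMPLE_PE)))
```

To run it against a real file, replace SAMPLE_PE with open(path, "rb").read(); because the entropy is taken over SizeOfRawData bytes from PointerToRawData, the numbers line up with the report's column (for example raw size 0xc00 for a 0xbbb-byte section) rather than with the in-memory view.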
Resources
  Name        RVA      Size   Type                Language  Country        ZLIB Complexity
  RT_VERSION  0x69060  0x198  OpenPGP Public Key  English   United States  0.5172
  The "OpenPGP Public Key" type is libmagic's guess for the raw resource bytes; an RT_VERSION resource holds a VS_VERSIONINFO block, so this is a misidentification, not evidence of key material in the binary.
Imports (DLL: functions)
  api-ms-win-core-synch-l1-2-0.dll: WakeByAddressAll, WakeByAddressSingle, WaitOnAddress
  bcryptprimitives.dll: ProcessPrng
  kernel32.dll: EncodePointer, RaiseException, RtlPcToFileHeader, RtlUnwindEx, IsProcessorFeaturePresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, IsDebuggerPresent, InitializeSListHead, GetStdHandle, GetCurrentProcessId, GetSystemTimeAsFileTime, GetCurrentThreadId, WriteFileEx, SleepEx, GetExitCodeProcess, TerminateProcess, GetSystemTimePreciseAsFileTime, Sleep, HeapReAlloc, lstrlenW, ReleaseMutex, FindClose, CreateFileW, SetWaitableTimer, GetFileInformationByHandleEx, CreateWaitableTimerExW, FindFirstFileW, ReadFile, GetOverlappedResult, CancelIo, DuplicateHandle, GetCurrentThread, GetConsoleMode, GetCurrentProcess, SetFileInformationByHandle, GetModuleHandleW, GetModuleFileNameW, CreateNamedPipeW, ReadFileEx, WaitForMultipleObjects, GetFullPathNameW, GetSystemDirectoryW, GetWindowsDirectoryW, CreateProcessW, GetFileAttributesW, InitializeProcThreadAttributeList, UpdateProcThreadAttribute, MultiByteToWideChar, WriteConsoleW, WideCharToMultiByte, CreateThread, GetModuleHandleA, SetThreadStackGuarantee, GetEnvironmentVariableW, AddVectoredExceptionHandler, GetEnvironmentStringsW, WaitForSingleObjectEx, CreateMutexA, CompareStringOrdinal, DeleteProcThreadAttributeList, FreeEnvironmentStringsW, GetCurrentDirectoryW, GetTimeZoneInformationForYear, GetComputerNameExW, SetLastError, RtlVirtualUnwind, RtlLookupFunctionEntry, DeleteCriticalSection, WaitForSingleObject, CreateEventW, InitializeCriticalSectionAndSpinCount, FormatMessageW, TlsAlloc, HeapAlloc, TlsGetValue, TlsSetValue, RtlCaptureContext, GetLastError, TlsFree, GetProcAddress, HeapFree, GetProcessHeap, FreeLibrary, LoadLibraryA, CloseHandle, QueryPerformanceCounter, GetFileInformationByHandle, LoadLibraryExW
  bcrypt.dll: BCryptGenRandom
  advapi32.dll: SystemFunction036
  ntdll.dll: RtlNtStatusToDosError, NtReadFile, NtWriteFile
  api-ms-win-crt-string-l1-1-0.dll: wcsncmp, strcpy_s
  api-ms-win-crt-runtime-l1-1-0.dll: _initterm, _get_initial_narrow_environment, __p___argc, _configure_narrow_argv, _initterm_e, __p___argv, _seh_filter_exe, exit, terminate, _initialize_onexit_table, _cexit, abort, _c_exit, _register_thread_local_exe_atexit_callback, _register_onexit_function, _crt_atexit, _exit, _set_app_type, _initialize_narrow_environment
  api-ms-win-crt-math-l1-1-0.dll: __setusermatherr
  api-ms-win-crt-stdio-l1-1-0.dll: _set_fmode, __p__commode
  api-ms-win-crt-locale-l1-1-0.dll: _configthreadlocale
  api-ms-win-crt-heap-l1-1-0.dll: calloc, malloc, free, _set_new_mode

  Two things stand out in this table. CreateProcessW with InitializeProcThreadAttributeList, CreateNamedPipeW and ReadFile/GetOverlappedResult is the run-a-child-and-capture-its-stdout pattern, which is how the wmic, getmac and tasklist output ends up in the dropped file. And no networking library (ws2_32, winhttp, wininet) is imported even though the strings carry an HTTPS upload URL; with LoadLibraryA and GetProcAddress present (see the "Contains functionality to dynamically determine API calls" signature), the network code is either resolved at runtime or statically linked, so the import table alone does not show the exfiltration path.
Language of compilation system: English   Country where language is spoken: United States
DNS answers (Timestamp / Source IP / Dest IP / Trans ID / Reply Code / Name / CName or Address / Type / Class / DNS over HTTPS). All five records carry the same transaction ID 0x6f13 and timestamp, i.e. they are one response: a CNAME followed by four A records.
  Dec 20, 2024 05:16:16.931624889 CET  1.1.1.1 -> 192.168.2.4  0x6f13  No error (0)  edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com  CNAME (Canonical name): default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com  IN (0x0001)  DoH: false
  Dec 20, 2024 05:16:16.931624889 CET  1.1.1.1 -> 192.168.2.4  0x6f13  No error (0)  default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com  A (IP address): 217.20.58.99   IN (0x0001)  DoH: false
  Dec 20, 2024 05:16:16.931624889 CET  1.1.1.1 -> 192.168.2.4  0x6f13  No error (0)  default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com  A (IP address): 217.20.58.100  IN (0x0001)  DoH: false
  Dec 20, 2024 05:16:16.931624889 CET  1.1.1.1 -> 192.168.2.4  0x6f13  No error (0)  default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com  A (IP address): 217.20.58.101  IN (0x0001)  DoH: false
  Dec 20, 2024 05:16:16.931624889 CET  1.1.1.1 -> 192.168.2.4  0x6f13  No error (0)  default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com  A (IP address): 217.20.58.98   IN (0x0001)  DoH: false

                            Target ID:0
                            Start time:23:15:57
                            Start date:19/12/2024
                            Path:C:\Users\user\Desktop\data.exe
                            Wow64 process (32bit):false
                            Commandline:"C:\Users\user\Desktop\data.exe"
                            Imagebase:0x7ff796320000
                            File size:420'864 bytes
                            MD5 hash:BE36675F14FB0099896527084200CC80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.2485711078.00007FF796368000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000000.1673028261.00007FF796368000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                            Reputation:low
                            Has exited:true

                            Target ID:1
                            Start time:23:15:57
                            Start date:19/12/2024
                            Path:C:\Windows\System32\wbem\WMIC.exe
                            Wow64 process (32bit):false
                            Commandline:"wmic" bios get serialnumber
                            Imagebase:0x7ff6cfb20000
                            File size:576'000 bytes
                            MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:2
                            Start time:23:15:57
                            Start date:19/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:3
                            Start time:23:15:57
                            Start date:19/12/2024
                            Path:C:\Windows\System32\wbem\WMIC.exe
                            Wow64 process (32bit):false
                            Commandline:"wmic" baseboard get serialnumber
                            Imagebase:0x7ff6cfb20000
                            File size:576'000 bytes
                            MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:4
                            Start time:23:15:57
                            Start date:19/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:5
                            Start time:23:15:58
                            Start date:19/12/2024
                            Path:C:\Windows\System32\wbem\WMIC.exe
                            Wow64 process (32bit):false
                            Commandline:"wmic" cpu get name
                            Imagebase:0x7ff6cfb20000
                            File size:576'000 bytes
                            MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:6
                            Start time:23:15:58
                            Start date:19/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:7
                            Start time:23:15:59
                            Start date:19/12/2024
                            Path:C:\Windows\System32\wbem\WMIC.exe
                            Wow64 process (32bit):false
                            Commandline:"wmic" computersystem get totalphysicalmemory
                            Imagebase:0x7ff6cfb20000
                            File size:576'000 bytes
                            MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:8
                            Start time:23:15:59
                            Start date:19/12/2024
                            Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):true (as reported; this is the same conhost.exe binary, identical MD5, that the other entries list as a 64-bit process, and the 32-bit-style image base below contradicts them, so treat both fields of this entry as a report artifact)
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0xfa0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:9
                            Start time:23:16:00
                            Start date:19/12/2024
                            Path:C:\Windows\System32\wbem\WMIC.exe
                            Wow64 process (32bit):false
                            Commandline:"wmic" diskdrive get model,size
                            Imagebase:0x7ff6cfb20000
                            File size:576'000 bytes
                            MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:10
                            Start time:23:16:00
                            Start date:19/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:11
                            Start time:23:16:01
                            Start date:19/12/2024
                            Path:C:\Windows\System32\wbem\WMIC.exe
                            Wow64 process (32bit):false
                            Commandline:"wmic" /namespace:\\root\SecurityCenter2 path AntivirusProduct get displayName
                            Imagebase:0x7ff6cfb20000
                            File size:576'000 bytes
                            MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:12
                            Start time:23:16:01
                            Start date:19/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:13
                            Start time:23:16:01
                            Start date:19/12/2024
                            Path:C:\Windows\System32\getmac.exe
                            Wow64 process (32bit):false
                            Commandline:"getmac"
                            Imagebase:0x7ff6bcbf0000
                            File size:90'112 bytes
                            MD5 hash:7D4B72DFF5B8E98DD1351A401E402C33
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:14
                            Start time:23:16:01
                            Start date:19/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:16
                            Start time:23:16:02
                            Start date:19/12/2024
                            Path:C:\Windows\System32\systeminfo.exe
                            Wow64 process (32bit):false
                            Commandline:"systeminfo"
                            Imagebase:0x7ff72a400000
                            File size:110'080 bytes
                            MD5 hash:EE309A9C61511E907D87B10EF226FDCD
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:17
                            Start time:23:16:02
                            Start date:19/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:18
                            Start time:23:16:02
                            Start date:19/12/2024
                            Path:C:\Windows\System32\wbem\WMIC.exe
                            Wow64 process (32bit):false
                            Commandline:"wmic" computersystem get model
                            Imagebase:0x7ff6cfb20000
                            File size:576'000 bytes
                            MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:19
                            Start time:23:16:02
                            Start date:19/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:20
                            Start time:23:16:03
                            Start date:19/12/2024
                            Path:C:\Windows\System32\tasklist.exe
                            Wow64 process (32bit):false
                            Commandline:"tasklist" /fi "IMAGENAME eq vmtoolsd.exe"
                            Imagebase:0x7ff7cb550000
                            File size:106'496 bytes
                            MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:21
                            Start time:23:16:03
                            Start date:19/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:22
                            Start time:23:16:03
                            Start date:19/12/2024
                            Path:C:\Windows\System32\tasklist.exe
                            Wow64 process (32bit):false
                            Commandline:"tasklist" /fi "IMAGENAME eq vmwaretray.exe"
                            Imagebase:0x7ff7cb550000
                            File size:106'496 bytes
                            MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:23
                            Start time:23:16:03
                            Start date:19/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:24
                            Start time:23:16:04
                            Start date:19/12/2024
                            Path:C:\Windows\System32\tasklist.exe
                            Wow64 process (32bit):false
                            Commandline:"tasklist" /fi "IMAGENAME eq vmwareuser.exe"
                            Imagebase:0x7ff7cb550000
                            File size:106'496 bytes
                            MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:25
                            Start time:23:16:04
                            Start date:19/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:26
                            Start time:23:16:04
                            Start date:19/12/2024
                            Path:C:\Windows\System32\tasklist.exe
                            Wow64 process (32bit):false
                            Commandline:"tasklist" /fi "IMAGENAME eq vmacthlp.exe"
                            Imagebase:0x7ff7cb550000
                            File size:106'496 bytes
                            MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:27
                            Start time:23:16:04
                            Start date:19/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:28
                            Start time:23:16:04
                            Start date:19/12/2024
                            Path:C:\Windows\System32\tasklist.exe
                            Wow64 process (32bit):false
                            Commandline:"tasklist" /fi "IMAGENAME eq vmware-vmx.exe"
                            Imagebase:0x7ff7cb550000
                            File size:106'496 bytes
                            MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:29
                            Start time:23:16:04
                            Start date:19/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:30
                            Start time:23:16:05
                            Start date:19/12/2024
                            Path:C:\Windows\System32\tasklist.exe
                            Wow64 process (32bit):false
                            Commandline:"tasklist" /fi "IMAGENAME eq vmware-authd.exe"
                            Imagebase:0x7ff7cb550000
                            File size:106'496 bytes
                            MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:31
                            Start time:23:16:05
                            Start date:19/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:32
                            Start time:23:16:05
                            Start date:19/12/2024
                            Path:C:\Windows\System32\tasklist.exe
                            Wow64 process (32bit):false
                            Commandline:"tasklist" /fi "IMAGENAME eq vboxservice.exe"
                            Imagebase:0x7ff7cb550000
                            File size:106'496 bytes
                            MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:33
                            Start time:23:16:05
                            Start date:19/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:34
                            Start time:23:16:05
                            Start date:19/12/2024
                            Path:C:\Windows\System32\tasklist.exe
                            Wow64 process (32bit):false
                            Commandline:"tasklist" /fi "IMAGENAME eq vboxtray.exe"
                            Imagebase:0x7ff7cb550000
                            File size:106'496 bytes
                            MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:35
                            Start time:23:16:05
                            Start date:19/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:36
                            Start time:23:16:05
                            Start date:19/12/2024
                            Path:C:\Windows\System32\tasklist.exe
                            Wow64 process (32bit):false
                            Commandline:"tasklist" /fi "IMAGENAME eq vboxcontrol.exe"
                            Imagebase:0x7ff7cb550000
                            File size:106'496 bytes
                            MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:37
                            Start time:23:16:05
                            Start date:19/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:38
                            Start time:23:16:05
                            Start date:19/12/2024
                            Path:C:\Windows\System32\tasklist.exe
                            Wow64 process (32bit):false
                            Commandline:"tasklist" /fi "IMAGENAME eq vboxheadless.exe"
                            Imagebase:0x7ff7cb550000
                            File size:106'496 bytes
                            MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:39
                            Start time:23:16:05
                            Start date:19/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:40
                            Start time:23:16:06
                            Start date:19/12/2024
                            Path:C:\Windows\System32\tasklist.exe
                            Wow64 process (32bit):false
                            Commandline:"tasklist" /fi "IMAGENAME eq qemu-ga.exe"
                            Imagebase:0x7ff7cb550000
                            File size:106'496 bytes
                            MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:41
                            Start time:23:16:06
                            Start date:19/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:42
                            Start time:23:16:06
                            Start date:19/12/2024
                            Path:C:\Windows\System32\tasklist.exe
                            Wow64 process (32bit):false
                            Commandline:"tasklist" /fi "IMAGENAME eq qemu-system-x86.exe"
                            Imagebase:0x7ff7cb550000
                            File size:106'496 bytes
                            MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:43
                            Start time:23:16:06
                            Start date:19/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:44
                            Start time:23:16:06
                            Start date:19/12/2024
                            Path:C:\Windows\System32\tasklist.exe
                            Wow64 process (32bit):false
                            Commandline:"tasklist" /fi "IMAGENAME eq qemu-system-x86_64.exe"
                            Imagebase:0x7ff7cb550000
                            File size:106'496 bytes
                            MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:45
                            Start time:23:16:06
                            Start date:19/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:46
                            Start time:23:16:07
                            Start date:19/12/2024
                            Path:C:\Windows\System32\tasklist.exe
                            Wow64 process (32bit):false
                            Commandline:"tasklist" /fi "IMAGENAME eq sandboxie.exe"
                            Imagebase:0x7ff70f330000
                            File size:106'496 bytes
                            MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:47
                            Start time:23:16:07
                            Start date:19/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:48
                            Start time:23:16:07
                            Start date:19/12/2024
                            Path:C:\Windows\System32\tasklist.exe
                            Wow64 process (32bit):false
                            Commandline:"tasklist" /fi "IMAGENAME eq sbiesvc.exe"
                            Imagebase:0x7ff7cb550000
                            File size:106'496 bytes
                            MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:49
                            Start time:23:16:07
                            Start date:19/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:50
                            Start time:23:16:07
                            Start date:19/12/2024
                            Path:C:\Windows\System32\tasklist.exe
                            Wow64 process (32bit):false
                            Commandline:"tasklist" /fi "IMAGENAME eq sbiectrl.exe"
                            Imagebase:0x7ff7cb550000
                            File size:106'496 bytes
                            MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:51
                            Start time:23:16:07
                            Start date:19/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:52
                            Start time:23:16:07
                            Start date:19/12/2024
                            Path:C:\Windows\System32\tasklist.exe
                            Wow64 process (32bit):false
                            Commandline:"tasklist" /fi "IMAGENAME eq sandman.exe"
                            Imagebase:0x7ff7cb550000
                            File size:106'496 bytes
                            MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:53
                            Start time:23:16:07
                            Start date:19/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:54
                            Start time:23:16:08
                            Start date:19/12/2024
                            Path:C:\Windows\System32\tasklist.exe
                            Wow64 process (32bit):false
                            Commandline:"tasklist" /fi "IMAGENAME eq cockoo.exe"
                            Imagebase:0x7ff7cb550000
                            File size:106'496 bytes
                            MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:55
                            Start time:23:16:08
                            Start date:19/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:56
                            Start time:23:16:08
                            Start date:19/12/2024
                            Path:C:\Windows\System32\tasklist.exe
                            Wow64 process (32bit):false
                            Commandline:"tasklist" /fi "IMAGENAME eq analyser.exe"
                            Imagebase:0x7ff7cb550000
                            File size:106'496 bytes
                            MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:57
                            Start time:23:16:08
                            Start date:19/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:58
                            Start time:23:16:08
                            Start date:19/12/2024
                            Path:C:\Windows\System32\tasklist.exe
                            Wow64 process (32bit):false
                            Commandline:"tasklist" /fi "IMAGENAME eq wireshark.exe"
                            Imagebase:0x7ff7cb550000
                            File size:106'496 bytes
                            MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:59
                            Start time:23:16:08
                            Start date:19/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:60
                            Start time:23:16:09
                            Start date:19/12/2024
                            Path:C:\Windows\System32\tasklist.exe
                            Wow64 process (32bit):false
                            Commandline:"tasklist" /fi "IMAGENAME eq fiddler.exe"
                            Imagebase:0x7ff7cb550000
                            File size:106'496 bytes
                            MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:61
                            Start time:23:16:09
                            Start date:19/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:62
                            Start time:23:16:09
                            Start date:19/12/2024
                            Path:C:\Windows\System32\tasklist.exe
                            Wow64 process (32bit):false
                            Commandline:"tasklist" /fi "IMAGENAME eq processhacker.exe"
                            Imagebase:0x7ff7cb550000
                            File size:106'496 bytes
                            MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:63
                            Start time:23:16:09
                            Start date:19/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:64
                            Start time:23:16:09
                            Start date:19/12/2024
                            Path:C:\Windows\System32\tasklist.exe
                            Wow64 process (32bit):false
                            Commandline:"tasklist" /fi "IMAGENAME eq procmon.exe"
                            Imagebase:0x7ff7cb550000
                            File size:106'496 bytes
                            MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:65
                            Start time:23:16:09
                            Start date:19/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:66
                            Start time:23:16:09
                            Start date:19/12/2024
                            Path:C:\Windows\System32\tasklist.exe
                            Wow64 process (32bit):false
                            Commandline:"tasklist" /fi "IMAGENAME eq procexp.exe"
                            Imagebase:0x7ff7cb550000
                            File size:106'496 bytes
                            MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:67
                            Start time:23:16:09
                            Start date:19/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:68
                            Start time:23:16:09
                            Start date:19/12/2024
                            Path:C:\Windows\System32\tasklist.exe
                            Wow64 process (32bit):false
                            Commandline:"tasklist" /fi "IMAGENAME eq ida64.exe"
                            Imagebase:0x7ff7cb550000
                            File size:106'496 bytes
                            MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:69
                            Start time:23:16:09
                            Start date:19/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:70
                            Start time:23:16:10
                            Start date:19/12/2024
                            Path:C:\Windows\System32\tasklist.exe
                            Wow64 process (32bit):false
                            Commandline:"tasklist" /fi "IMAGENAME eq ollydbg.exe"
                            Imagebase:0x7ff7cb550000
                            File size:106'496 bytes
                            MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:71
                            Start time:23:16:10
                            Start date:19/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:72
                            Start time:23:16:10
                            Start date:19/12/2024
                            Path:C:\Windows\System32\tasklist.exe
                            Wow64 process (32bit):false
                            Commandline:"tasklist" /fi "IMAGENAME eq x32dbg.exe"
                            Imagebase:0x7ff7cb550000
                            File size:106'496 bytes
                            MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:73
                            Start time:23:16:10
                            Start date:19/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:74
                            Start time:23:16:11
                            Start date:19/12/2024
                            Path:C:\Windows\System32\tasklist.exe
                            Wow64 process (32bit):false
                            Commandline:"tasklist" /fi "IMAGENAME eq x64dbg.exe"
                            Imagebase:0x7ff7cb550000
                            File size:106'496 bytes
                            MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:75
                            Start time:23:16:11
                            Start date:19/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:76
                            Start time:23:16:11
                            Start date:19/12/2024
                            Path:C:\Windows\System32\tasklist.exe
                            Wow64 process (32bit):false
                            Commandline:"tasklist" /fi "IMAGENAME eq windbg.exe"
                            Imagebase:0x7ff7cb550000
                            File size:106'496 bytes
                            MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:77
                            Start time:23:16:11
                            Start date:19/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true


                              Execution Graph

                              Execution Coverage:4.6%
                              Dynamic/Decrypted Code Coverage:0%
                              Signature Coverage:44%
                              Total number of Nodes:981
                              Total number of Limit Nodes:87
execution_graph
Sleep 36492->36494 36497 7ff79633c58f 36492->36497 36495 7ff79633c591 CloseHandle 36493->36495 36498 7ff79633c540 SetWaitableTimer 36493->36498 36496 7ff796327d07 36494->36496 36495->36492 36496->36336 36497->36492 36497->36494 36498->36495 36499 7ff79633c56f WaitForSingleObject CloseHandle 36498->36499 36499->36496 36499->36497 36801 7ff7963358e0 10 API calls 36500->36801 36502 7ff796333550 36803 7ff796365510 10 API calls 36502->36803 36504 7ff796333409 36504->36502 36506 7ff796327d37 36504->36506 36802 7ff796365510 10 API calls 36504->36802 36506->36348 36506->36349 36511 7ff796327ecb 36510->36511 36513 7ff79632e016 36510->36513 36511->36355 36511->36356 36513->36511 36514 7ff79632e1ca 36513->36514 36804 7ff79633cea0 36513->36804 36807 7ff796367310 10 API calls 36514->36807 36819 7ff79633e030 11 API calls 36517->36819 36519 7ff79633e2e4 36520 7ff79633e316 36519->36520 36521 7ff79633e2f3 36519->36521 36821 7ff796365b50 12 API calls 36519->36821 36520->36361 36820 7ff79633d8f0 11 API calls 36521->36820 36524 7ff79633e311 36524->36520 36822 7ff796366f30 10 API calls 36524->36822 36528 7ff796364eb7 36527->36528 36529 7ff796365116 36528->36529 36534 7ff796364fcc 36528->36534 36824 7ff796366f30 10 API calls 36529->36824 36823 7ff796346b60 GetLastError 36534->36823 36539 7ff796364cf3 36537->36539 36540 7ff796364c61 36537->36540 36538 7ff796364de1 36833 7ff796366f30 10 API calls 36538->36833 36539->36538 36549 7ff796364d7c 36539->36549 36540->36538 36545 7ff796364cad 36540->36545 36542 7ff796364e2d 36834 7ff796366eb0 10 API calls 36542->36834 36545->36542 36548 7ff796364da4 36545->36548 36825 7ff79632ae70 36548->36825 36831 7ff796346b60 GetLastError 36549->36831 36555 7ff796364dcf 36555->36371 36557 7ff796348e5c 36556->36557 36559 7ff796348e88 36556->36559 36557->36559 36836 7ff796366e00 10 API calls 36557->36836 36559->36378 36562 7ff796348fa9 36561->36562 36564 7ff796348f7f 36561->36564 36566 7ff796328616 36562->36566 36837 7ff79633b830 10 API calls 36562->36837 36563 
7ff796349017 36838 7ff796366e00 10 API calls 36563->36838 36564->36562 36564->36563 36566->36381 36570 7ff7963286a3 36569->36570 36571 7ff7963490c8 36569->36571 36573 7ff7963490f0 36570->36573 36571->36570 36572 7ff7963490cd CloseHandle 36571->36572 36572->36570 36574 7ff796349108 36573->36574 36575 7ff7963286c0 36573->36575 36574->36575 36576 7ff79634910d CloseHandle 36574->36576 36577 7ff796349070 36575->36577 36576->36575 36578 7ff7963286d3 36577->36578 36579 7ff796349088 36577->36579 36581 7ff796341e50 36578->36581 36579->36578 36580 7ff79634908d CloseHandle 36579->36580 36580->36578 36839 7ff796349130 36581->36839 36583 7ff796341e90 36584 7ff7963286f3 36583->36584 36585 7ff796341ed9 36583->36585 36586 7ff796341ed3 CloseHandle 36583->36586 36584->36399 36584->36400 36587 7ff796341f96 36585->36587 36588 7ff796341f36 36585->36588 36586->36585 36589 7ff796341f9b 36587->36589 36590 7ff796342000 WaitForSingleObject 36587->36590 36591 7ff796341fcd 36588->36591 36592 7ff796341f3f 36588->36592 36594 7ff796348190 13 API calls 36589->36594 36596 7ff79634201c GetLastError 36590->36596 36597 7ff796342061 GetExitCodeProcess 36590->36597 37075 7ff796348190 36591->37075 37081 7ff796348560 20 API calls 36592->37081 36601 7ff796341fb2 36594->36601 36598 7ff79634202d 36596->36598 36597->36596 36600 7ff796342049 36597->36600 36598->36600 36599 7ff796341f4f 36599->36590 36603 7ff796341f5f 36599->36603 36604 7ff7963420a5 CloseHandle CloseHandle 36600->36604 36605 7ff79634211e 36601->36605 36606 7ff796341fbb CloseHandle 36601->36606 36602 7ff796341fe7 36607 7ff796341ff7 CloseHandle 36602->36607 36608 7ff796342152 36602->36608 37082 7ff796367280 10 API calls 36603->37082 36611 7ff7963420c2 36604->36611 37083 7ff796367280 10 API calls 36605->37083 36606->36590 36607->36590 37084 7ff796367280 10 API calls 36608->37084 36611->36584 36615->36173 36616->36187 36617->36191 36618->36200 36619->36209 36620->36218 36621->36227 36622->36236 36623->36245 36624->36254 36625->36276 36626->36278 
36627->36276 36628->36284 36629->36284 36630->36285 36631->36291 36632->36291 36633->36288 36634->36303 36635->36303 36636->36311 36637->36311 36638->36321 36639->36325 36640->36325 36641->36323 36642->36346 36643->36347 36644->36347 36645->36346 36646->36346 36647->36352 36648->36352 36649->36359 36650->36367 36651->36403 36652->36359 36653->36405 36694 7ff796342350 GetSystemTimePreciseAsFileTime 36669->36694 36671 7ff7963339a0 36672 7ff796333a65 36671->36672 36677 7ff796333a30 36671->36677 36695 7ff7963355d0 36671->36695 36705 7ff796367280 10 API calls 36672->36705 36678 7ff796332f09 36677->36678 36704 7ff796366eb0 10 API calls 36677->36704 36679 7ff796335030 36678->36679 36709 7ff7963352b0 GetTimeZoneInformationForYear 36679->36709 36682 7ff79633515b 36690 7ff796332f25 36682->36690 36717 7ff796333200 10 API calls 36682->36717 36683 7ff79633507c 36684 7ff796335089 36683->36684 36685 7ff79633520a 36683->36685 36715 7ff796333200 10 API calls 36684->36715 36718 7ff796333200 10 API calls 36685->36718 36689 7ff7963350ad 36716 7ff796333200 10 API calls 36689->36716 36690->36413 36690->36414 36692 7ff796366f30 10 API calls 36690->36692 36694->36671 36696 7ff796335688 36695->36696 36697 7ff7963355e3 36695->36697 36696->36677 36698 7ff796335642 36697->36698 36706 7ff796367060 10 API calls 36697->36706 36698->36696 36700 7ff796335709 36698->36700 36707 7ff796367060 10 API calls 36698->36707 36708 7ff796367060 10 API calls 36700->36708 36710 7ff7963352f2 36709->36710 36714 7ff796335054 36709->36714 36710->36714 36719 7ff7963353e0 10 API calls 36710->36719 36712 7ff79633535d 36712->36714 36720 7ff7963353e0 10 API calls 36712->36720 36714->36682 36714->36683 36714->36690 36715->36689 36716->36690 36717->36690 36718->36690 36719->36712 36720->36714 36723 7ff796333b69 36722->36723 36724 7ff796333be6 36723->36724 36725 7ff796333cdb 36723->36725 36734 7ff796333db6 36723->36734 36728 7ff796333c04 36724->36728 36731 7ff796333ffb 36724->36731 36724->36734 36725->36731 36737 
7ff796366fd0 10 API calls 36725->36737 36732 7ff7963341bc 36728->36732 36728->36734 36735 7ff7963674a0 10 API calls 36728->36735 36730 7ff7963674a0 10 API calls 36730->36731 36731->36730 36731->36734 36738 7ff796366fd0 10 API calls 36731->36738 36732->36734 36736 7ff7963674a0 10 API calls 36732->36736 36734->36425 36740 7ff79634fd10 10 API calls 36739->36740 36744 7ff79633cb02 36740->36744 36742 7ff79633cc08 SetLastError GetEnvironmentVariableW 36743 7ff79633cc29 GetLastError 36742->36743 36742->36744 36743->36744 36745 7ff79633ccfc GetLastError 36743->36745 36744->36742 36746 7ff79633cc43 GetLastError 36744->36746 36748 7ff79633cc76 36744->36748 36754 7ff79633cb15 36744->36754 36756 7ff7963657d0 10 API calls 36744->36756 36745->36754 36746->36744 36747 7ff79633cd91 36746->36747 36766 7ff796366fd0 10 API calls 36747->36766 36749 7ff79633cdab 36748->36749 36750 7ff79633cc7f 36748->36750 36767 7ff796367380 10 API calls 36749->36767 36757 7ff79633f630 36750->36757 36754->36429 36756->36744 36759 7ff79633f65f 36757->36759 36764 7ff79633f689 36757->36764 36758 7ff79633f684 36770 7ff796366e00 10 API calls 36758->36770 36759->36758 36759->36764 36762 7ff79633f7d0 36762->36754 36764->36762 36768 7ff796343090 10 API calls 36764->36768 36769 7ff796365870 10 API calls 36764->36769 36768->36764 36769->36764 36771->36452 36772->36455 36774->36461 36775->36472 36776->36472 36780->36476 36781->36483 36782->36483 36785 7ff796345e50 21 API calls 36784->36785 36786 7ff7963463ed 36785->36786 36787 7ff7963464b9 36786->36787 36791 7ff7963463f9 36786->36791 36800 7ff7963460f0 GetFileInformationByHandle GetFileInformationByHandleEx GetLastError 36787->36800 36788 7ff796346493 36788->36486 36790 7ff7963464c4 CloseHandle 36790->36788 36791->36788 36792 7ff79634fd10 10 API calls 36791->36792 36793 7ff79634643d 36792->36793 36793->36788 36794 7ff7963517c0 15 API calls 36793->36794 36795 7ff796346480 36794->36795 36795->36788 36796 7ff7963464e2 36795->36796 36797 7ff7963464f9 FindFirstFileW 
36796->36797 36798 7ff79634650f FindClose 36797->36798 36799 7ff796346531 36797->36799 36798->36799 36799->36788 36800->36790 36801->36504 36808 7ff796346a40 36804->36808 36809 7ff796346a78 NtWriteFile 36808->36809 36810 7ff796346a70 36808->36810 36811 7ff796346abe WaitForSingleObject 36809->36811 36812 7ff796346ad6 36809->36812 36810->36809 36811->36812 36813 7ff796346b03 36811->36813 36814 7ff79633ceb5 36812->36814 36815 7ff796346ae2 RtlNtStatusToDosError 36812->36815 36818 7ff79633f2d0 10 API calls 36813->36818 36814->36513 36815->36814 36817 7ff796346b3d 36818->36817 36819->36519 36820->36524 36821->36521 36828 7ff79632ae8f 36825->36828 36826 7ff79632af15 36829 7ff796359ab0 10 API calls 36826->36829 36828->36826 36835 7ff79632ea30 12 API calls 36828->36835 36830 7ff79632af8a 36829->36830 36832 7ff796351ed0 WakeByAddressAll 36830->36832 36832->36555 36835->36828 36837->36566 36840 7ff79634918b 36839->36840 36841 7ff7963491ce GetEnvironmentStringsW 36840->36841 36867 7ff796349190 36840->36867 36883 7ff796349359 36840->36883 36842 7ff79634cf3e GetLastError 36841->36842 36863 7ff7963491e4 36841->36863 37191 7ff796366f30 10 API calls 36842->37191 36847 7ff7963499f7 36852 7ff796349a3d 36847->36852 36853 7ff79634cee9 36847->36853 36848 7ff796349345 FreeEnvironmentStringsW 36848->36883 36849 7ff796349ffc 36849->36583 36850 7ff796349ff2 CloseHandle 36850->36849 37122 7ff79633bcb0 10 API calls 36852->37122 37188 7ff796366e00 10 API calls 36853->37188 36855 7ff796349601 37182 7ff796366e00 10 API calls 36855->37182 36856 7ff796349f63 36955 7ff796349fe6 36856->36955 37125 7ff7963369d0 10 API calls 36856->37125 36857 7ff796349cee 36872 7ff796349d0a 36857->36872 36887 7ff796349e86 36857->36887 36863->36848 37116 7ff796346f50 10 API calls 36863->37116 37117 7ff79633bcb0 10 API calls 36863->37117 37118 7ff796337de0 12 API calls 36863->37118 36864 7ff79634ce65 37183 7ff796366e00 10 API calls 36864->37183 36865 7ff79634cfb2 37192 7ff796366e00 10 API calls 36865->37192 36866 
7ff79633a7c0 10 API calls 36866->36883 36867->36856 36867->36857 36868 7ff796349d2a 36867->36868 36867->36887 36871 7ff796349d2e 36868->36871 36868->36872 36870 7ff796349b25 CompareStringOrdinal 36878 7ff796349a7b 36870->36878 36874 7ff79634fd10 10 API calls 36871->36874 36872->36865 36876 7ff796349da4 36872->36876 36881 7ff796349d4b 36874->36881 36875 7ff79634ceaf 37186 7ff796366fd0 10 API calls 36875->37186 37123 7ff796350c40 10 API calls 36876->37123 36877 7ff79634ce78 37184 7ff796366e00 10 API calls 36877->37184 36878->36867 36878->36870 36879 7ff796349b93 36878->36879 36942 7ff796349e50 36878->36942 36879->36867 36880 7ff79634cdcd GetLastError 36879->36880 37181 7ff796366f30 10 API calls 36880->37181 36907 7ff796349d66 36881->36907 37126 7ff796345d50 36881->37126 36883->36847 36883->36855 36883->36864 36883->36866 36883->36875 36883->36877 37119 7ff796335a20 10 API calls 36883->37119 37120 7ff79633b1f0 12 API calls 36883->37120 37121 7ff796337de0 12 API calls 36883->37121 36887->36856 36888 7ff79634aea6 36887->36888 37151 7ff796347110 36887->37151 37085 7ff7963473b0 36888->37085 36893 7ff796349de6 36894 7ff79634e280 26 API calls 36893->36894 36897 7ff796349e19 36894->36897 36895 7ff79634fd10 10 API calls 36898 7ff79634a19b 36895->36898 36896 7ff79634aeb9 36932 7ff79634aed6 36896->36932 37102 7ff7963417a0 36896->37102 36897->36907 37124 7ff7963418d0 10 API calls 36897->37124 36905 7ff796345d50 25 API calls 36898->36905 36898->36907 36899 7ff79634a0c7 36899->36895 36900 7ff79634a165 37139 7ff796366fd0 10 API calls 36900->37139 36902 7ff79634a337 SetLastError GetFullPathNameW 36906 7ff79634a35c GetLastError 36902->36906 36902->36907 36905->36907 36906->36907 36914 7ff79634a5b6 GetLastError 36906->36914 36907->36856 36907->36902 36915 7ff79634a376 GetLastError 36907->36915 36917 7ff79634a3b2 36907->36917 36918 7ff79634a3a9 36907->36918 37140 7ff7963657d0 10 API calls 36907->37140 36908 7ff79634a17d CloseHandle 36908->36583 36909 7ff79634b89d 36911 7ff796340750 10 
API calls 36909->36911 36910 7ff796340750 10 API calls 36934 7ff79634ae8f 36910->36934 36919 7ff79634b8d2 36911->36919 36913 7ff79634a704 37142 7ff79633b8f0 10 API calls 36913->37142 36914->36856 36915->36907 36921 7ff79634ce92 36915->36921 36916 7ff796347110 10 API calls 36916->36934 36917->36913 36935 7ff79634a461 36917->36935 36918->36917 36931 7ff79634cfc8 36918->36931 36929 7ff79634b8f2 36919->36929 36937 7ff7963413f0 10 API calls 36919->36937 37185 7ff796366fd0 10 API calls 36921->37185 36922 7ff79634af19 36922->36909 36928 7ff79634af4c 36922->36928 36923 7ff79634ba07 SetLastError GetSystemDirectoryW 36923->36932 36933 7ff79634ba22 GetLastError 36923->36933 36926 7ff79634e280 26 API calls 36926->36934 36927 7ff79634a535 SetLastError GetSystemDirectoryW 36927->36935 36936 7ff79634a550 GetLastError 36927->36936 36940 7ff796366fd0 10 API calls 36928->36940 36938 7ff79634e280 26 API calls 36929->36938 36930 7ff79634a746 37143 7ff79633bb20 10 API calls 36930->37143 37193 7ff796367380 10 API calls 36931->37193 36932->36923 36945 7ff79634ba3c GetLastError 36932->36945 36950 7ff79634ba6f 36932->36950 36956 7ff79634bb7a 36932->36956 37162 7ff7963657d0 10 API calls 36932->37162 36933->36932 36944 7ff79634bb94 GetLastError 36933->36944 36934->36888 36934->36910 36934->36916 36934->36926 36934->36956 37157 7ff7963413f0 10 API calls 36934->37157 36935->36927 36948 7ff79634a56a GetLastError 36935->36948 36952 7ff79634a5fe 36935->36952 37141 7ff7963657d0 10 API calls 36935->37141 36936->36935 36947 7ff79634a639 GetLastError 36936->36947 36937->36929 36938->36932 36940->36908 36942->36899 36942->36900 36983 7ff79634badd 36944->36983 36945->36932 36951 7ff79634cf04 36945->36951 36947->36856 36948->36935 36957 7ff79634cecc 36948->36957 36949 7ff79634a782 36968 7ff79634a79e 36949->36968 37144 7ff79633b8f0 10 API calls 36949->37144 36953 7ff79634ba78 36950->36953 36954 7ff79634d011 36950->36954 37189 7ff796366fd0 10 API calls 36951->37189 36963 7ff79634cfdf 36952->36963 36970 
7ff79634a607 36952->36970 36959 7ff79633f630 10 API calls 36953->36959 37197 7ff796367380 10 API calls 36954->37197 36955->36849 36955->36850 36956->36944 37187 7ff796366fd0 10 API calls 36957->37187 36964 7ff79634ba87 36959->36964 37194 7ff796367380 10 API calls 36963->37194 37105 7ff796340750 36964->37105 36967 7ff79634bccd SetLastError 36967->36983 36968->36856 36975 7ff79634a845 36968->36975 37145 7ff79633b8f0 10 API calls 36968->37145 37146 7ff7963458a0 10 API calls 36968->37146 36969 7ff79634ba9d 36973 7ff79634bac0 36969->36973 36979 7ff7963413f0 10 API calls 36969->36979 36977 7ff79634d002 36970->36977 36989 7ff79634a631 36970->36989 36980 7ff79634e280 26 API calls 36973->36980 36974 7ff79634ad74 36997 7ff79634b066 36974->36997 37063 7ff79634ae03 36974->37063 37166 7ff79633b8f0 10 API calls 36974->37166 36975->36856 36975->36974 37150 7ff79633b8f0 10 API calls 36975->37150 37196 7ff796366e00 10 API calls 36977->37196 36979->36973 36980->36983 36981 7ff79634bce1 GetLastError 36981->36983 36984 7ff79634be6c GetLastError 36981->36984 36983->36967 36983->36981 36985 7ff79634bd0c GetLastError 36983->36985 36986 7ff79634bd3a 36983->36986 37022 7ff79634bdaf 36983->37022 37163 7ff7963657d0 10 API calls 36983->37163 37050 7ff79634be1c 36984->37050 36985->36983 36987 7ff79634cf21 36985->36987 36991 7ff79634d028 36986->36991 36992 7ff79634bd43 36986->36992 37190 7ff796366fd0 10 API calls 36987->37190 37010 7ff79634a9cd 36989->37010 37147 7ff7963657d0 10 API calls 36989->37147 37198 7ff796367380 10 API calls 36991->37198 36994 7ff79633f630 10 API calls 36992->36994 37000 7ff79634bd52 36994->37000 36997->36856 37016 7ff79634b08d 36997->37016 37174 7ff79633bcb0 10 API calls 36997->37174 37005 7ff796340750 10 API calls 37000->37005 37001 7ff79634cff3 37195 7ff796366e00 10 API calls 37001->37195 37003 7ff79633cad0 15 API calls 37061 7ff79634beed 37003->37061 37004 7ff79634c859 37004->37016 37175 7ff79633b8f0 10 API calls 37004->37175 37009 7ff79634bd6f 37005->37009 37006 
7ff79634c6c8 37172 7ff7963369d0 10 API calls 37006->37172 37007 7ff79634b1af 37014 7ff79634cc97 CloseHandle 37007->37014 37015 7ff79634cca4 37007->37015 37012 7ff79634bd92 37009->37012 37164 7ff7963413f0 10 API calls 37009->37164 37010->36856 37010->37001 37027 7ff79634ab17 37010->37027 37109 7ff79634e280 37012->37109 37013 7ff79634c6d8 37013->36997 37173 7ff79633b8f0 10 API calls 37013->37173 37014->37015 37020 7ff79634ccbb 37015->37020 37021 7ff79634ccae CloseHandle 37015->37021 37016->36856 37028 7ff79634b0cb 37016->37028 37176 7ff796365c70 WaitOnAddress GetLastError 37016->37176 37019 7ff79634c64d 37025 7ff79634cc6a CloseHandle 37019->37025 37026 7ff79634ccc5 CloseHandle 37020->37026 37037 7ff79634ccd2 37020->37037 37021->37020 37022->36984 37022->37050 37024 7ff79634ac99 37057 7ff79634acc4 37024->37057 37149 7ff79633b8f0 10 API calls 37024->37149 37025->37007 37029 7ff79634cc80 CloseHandle 37025->37029 37026->37037 37027->37024 37148 7ff7963657d0 10 API calls 37027->37148 37028->37007 37028->37019 37036 7ff79634c8d9 37028->37036 37038 7ff79634c9d9 37028->37038 37177 7ff79634ed60 15 API calls 37028->37177 37029->37007 37033 7ff79634ca5f CreateProcessW 37039 7ff79634cbfe GetLastError 37033->37039 37040 7ff79634caa9 37033->37040 37035 7ff79634cd07 WakeByAddressSingle 37035->36856 37041 7ff79634cc5d CloseHandle 37036->37041 37037->36856 37037->37035 37038->37033 37043 7ff79634cc2e 37038->37043 37047 7ff79634cc23 37039->37047 37048 7ff79634cc42 CloseHandle 37039->37048 37044 7ff79634caeb CloseHandle CloseHandle CloseHandle 37040->37044 37045 7ff79634cae0 37040->37045 37041->37025 37043->37048 37054 7ff79634cb23 37044->37054 37055 7ff79634cb16 CloseHandle 37044->37055 37178 7ff796337310 DeleteProcThreadAttributeList 37045->37178 37046 7ff796340750 10 API calls 37046->37061 37180 7ff796337310 DeleteProcThreadAttributeList 37047->37180 37048->37041 37049 7ff79634c4c6 37170 7ff7963369d0 10 API calls 37049->37170 37050->37003 37053 7ff796347110 10 API calls 37053->37061 
37179 7ff796336b40 WakeByAddressSingle 37054->37179 37055->37054 37057->36856 37062 7ff79634b210 37057->37062 37158 7ff7963657d0 10 API calls 37057->37158 37059 7ff79634e280 26 API calls 37059->37061 37061->36856 37061->36907 37061->37046 37061->37053 37061->37059 37165 7ff7963413f0 10 API calls 37061->37165 37074 7ff79634b250 37062->37074 37159 7ff79633b8f0 10 API calls 37062->37159 37063->37006 37063->37049 37070 7ff79633b8f0 10 API calls 37063->37070 37167 7ff796339160 10 API calls 37063->37167 37168 7ff7963657d0 10 API calls 37063->37168 37169 7ff79633bb20 10 API calls 37063->37169 37066 7ff79634c672 37066->36975 37171 7ff79633b8f0 10 API calls 37066->37171 37067 7ff79634cb2f 37067->36955 37070->37063 37071 7ff79633b8f0 10 API calls 37071->37074 37073 7ff7963657d0 10 API calls 37073->37074 37074->36856 37074->37066 37074->37071 37074->37073 37160 7ff7963458a0 10 API calls 37074->37160 37161 7ff796360210 10 API calls 37074->37161 37076 7ff7963481c5 37075->37076 37080 7ff7963481cd 37075->37080 37207 7ff79633e4c0 37076->37207 37078 7ff79633e4c0 13 API calls 37078->37080 37079 7ff796346780 13 API calls 37079->37080 37080->36602 37080->37078 37080->37079 37081->36599 37086 7ff796347450 37085->37086 37089 7ff79634741f 37085->37089 37086->37089 37087 7ff7963474a7 SetLastError GetModuleFileNameW 37087->37089 37090 7ff7963474c4 GetLastError 37087->37090 37089->37086 37089->37087 37092 7ff7963474de GetLastError 37089->37092 37093 7ff796347511 37089->37093 37199 7ff7963657d0 10 API calls 37089->37199 37090->37089 37091 7ff79634757b GetLastError 37090->37091 37094 7ff796347529 37091->37094 37092->37089 37095 7ff7963475af 37092->37095 37097 7ff79634751a 37093->37097 37098 7ff7963475c9 37093->37098 37094->36896 37200 7ff796366fd0 10 API calls 37095->37200 37100 7ff79633f630 10 API calls 37097->37100 37201 7ff796367380 10 API calls 37098->37201 37100->37094 37202 7ff796351330 10 API calls 37102->37202 37104 7ff7963417c7 37106 7ff796340790 37105->37106 37203 7ff796351330 10 
API calls 37106->37203 37108 7ff7963407bb 37110 7ff79634fd10 10 API calls 37109->37110 37111 7ff79634e29d 37110->37111 37112 7ff796345d50 25 API calls 37111->37112 37115 7ff79634e2b4 37111->37115 37113 7ff79634e2db 37112->37113 37114 7ff79634e2fd GetFileAttributesW 37113->37114 37113->37115 37114->37115 37115->37022 37116->36863 37117->36863 37118->36863 37119->36883 37120->36883 37121->36883 37122->36878 37123->36893 37125->36955 37127 7ff796345d6a 37126->37127 37128 7ff796345d7f 37126->37128 37127->36907 37129 7ff796345d9b 37128->37129 37132 7ff796345df2 37128->37132 37133 7ff796345dda 37128->37133 37130 7ff7963517c0 15 API calls 37129->37130 37131 7ff796345db7 37130->37131 37131->36907 37132->37129 37136 7ff796345e31 37132->37136 37204 7ff79634fef0 15 API calls 37133->37204 37135 7ff796345deb 37135->36907 37205 7ff7963503f0 15 API calls 37136->37205 37138 7ff796345e47 37138->36907 37140->36907 37141->36935 37142->36930 37143->36949 37144->36968 37145->36968 37146->36968 37147->36989 37148->37027 37149->37057 37150->36974 37152 7ff796347170 37151->37152 37153 7ff7963472eb 37152->37153 37206 7ff79633b8f0 10 API calls 37152->37206 37154 7ff79633f630 10 API calls 37153->37154 37156 7ff7963472fa 37153->37156 37154->37156 37156->36934 37157->36934 37158->37062 37159->37074 37160->37074 37161->37074 37162->36932 37163->36983 37164->37012 37165->37061 37166->37063 37167->37063 37168->37063 37169->37063 37170->36856 37171->36975 37172->37013 37173->36997 37174->37004 37175->37016 37176->37028 37177->37038 37178->37044 37179->37067 37180->37043 37199->37089 37202->37104 37203->37108 37204->37135 37205->37138 37206->37152 37218 7ff796346610 37207->37218 37209 7ff79633e6a7 37213 7ff79633e6bc 37209->37213 37221 7ff796365870 10 API calls 37209->37221 37210 7ff79633e6ff 37222 7ff796367380 10 API calls 37210->37222 37213->37080 37214 7ff79633e4f3 37214->37213 37216 7ff796346610 13 API calls 37214->37216 37217 7ff79633e573 37214->37217 37216->37214 37217->37209 37217->37210 
37223 7ff796346920 37218->37223 37221->37213 37224 7ff796346958 NtReadFile 37223->37224 37225 7ff796346950 37223->37225 37226 7ff79634699e WaitForSingleObject 37224->37226 37227 7ff7963469af 37224->37227 37225->37224 37226->37227 37228 7ff796346628 37227->37228 37229 7ff7963469f0 37227->37229 37230 7ff7963469c3 37227->37230 37228->37214 37232 7ff79633f2d0 10 API calls 37229->37232 37230->37228 37231 7ff7963469cf RtlNtStatusToDosError 37230->37231 37231->37228 37233 7ff796346a2a 37232->37233 37234 7ff796364f86 37235 7ff796364f8f 37234->37235 37236 7ff796364f70 37234->37236 37238 7ff796364ff4 37235->37238 37239 7ff796365162 37235->37239 37237 7ff796365116 37236->37237 37248 7ff796364fcc 37236->37248 37275 7ff796366f30 10 API calls 37237->37275 37257 7ff796332d50 GetComputerNameExW 37238->37257 37276 7ff796366eb0 10 API calls 37239->37276 37243 7ff796365000 37246 7ff79636502e 37243->37246 37272 7ff796351270 10 API calls 37243->37272 37245 7ff79636516e 37273 7ff796350e70 10 API calls 37246->37273 37271 7ff796346b60 GetLastError 37248->37271 37249 7ff796365071 37254 7ff796365170 37249->37254 37256 7ff7963650b0 37249->37256 37253 7ff796365101 37254->37245 37277 7ff796366e00 10 API calls 37254->37277 37274 7ff796351ed0 WakeByAddressAll 37256->37274 37258 7ff796332d86 37257->37258 37260 7ff796332d8b 37257->37260 37278 7ff796332ed0 GetLastError 37258->37278 37266 7ff796332dd1 GetComputerNameExW 37260->37266 37267 7ff796332e76 37260->37267 37262 7ff796332dfa 37264 7ff79633f630 10 API calls 37262->37264 37263 7ff796332e1b 37279 7ff796332ed0 GetLastError 37263->37279 37269 7ff796332e0a 37264->37269 37266->37262 37266->37263 37280 7ff796366e00 10 API calls 37267->37280 37269->37243 37272->37246 37273->37249 37274->37253 37278->37260 37279->37269
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2485668285.00007FF796321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF796320000, based on PE: true
• Associated: 00000000.00000002.2485640721.00007FF796320000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2485711078.00007FF796368000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2485743843.00007FF796384000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2485771023.00007FF796385000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff796320000_data.jbxd
                              Yara matches
                              Similarity
                              • API ID: EnvironmentStrings$CloseFreeHandle
                              • String ID: #$*+-./:?@\_cmd.exe /e:ON /v:OFF /d /c "batch file arguments are invalid$.exeprogram not found$PATHlibrary\std\src\sys_common\process.rs$\?\\$]?\\$assertion failed: is_code_point_boundary(self, new_len)$assertion failed: self.height > 0$exe\\.\NUL\cmd.exemaximum number of ProcThreadAttributes exceeded
                              • API String ID: 1070102993-4160752474
                              • Opcode ID: e780c65bf7f3ffb2d2b0c30332644c6784d582df1fcd0c6681f2f538e4040a48
                              • Instruction ID: 82dd3baf224df4fb3ef380298d1ebcaabbf736cef82758d36c3e6396e32e192f
                              • Opcode Fuzzy Hash: e780c65bf7f3ffb2d2b0c30332644c6784d582df1fcd0c6681f2f538e4040a48
                              • Instruction Fuzzy Hash: 68738362A19ED188EB70AF35DC503FBA761FB44789F80523DDA4D4BB99DF3992418320
                              APIs
                              Strings
                              • COMPUTERNAMEComputer Name: , xrefs: 00007FF796322782
                              • sandboxie.exesbiesvc.exesbiectrl.exesandman.execockoo.exeanalyser.exewireshark.exefiddler.exeprocesshacker.exeprocmon.exeprocexp.exeida64.exeollydbg.exex32dbg.exex64dbg.exewindbg.exeprocmon64.exefilemon.exeregmon.exeidag.exeidaw.exeidaq.exeidaq64.exeidau64.exe, xrefs: 00007FF796326366
                              • C:\Program Files\VMware\VMware Tools\C:\windows\sysnative\drivers\VBoxMouse.sysC:\windows\sysnative\drivers\VBoxGuest.sysC:\windows\sysnative\drivers\VBoxSF.sysC:\windows\sysnative\drivers\VBoxVideo.sysC:\windows\sysnative\vboxdisp.dllC:\windows\sysnative\vbox, xrefs: 00007FF796325E52
                              • scylla.exeprotection_id.exedumpcap.exehookexplorer.exeimportrec.exepetools.exelordpe.exeprl_tools.exeprl_cc.exexenclient.exexenservice.exedepends.exeautoruns.exeautorunsc.exefilescan.exetcpview.exepestudio.exeregshot.exeprocess monitor.exesystem explorer.exesy, xrefs: 00007FF7963265BE
                              • C:\windows\sysnative\drivers\xensvc.sysC:\windows\sysnative\drivers\xenvbd.sysvmtoolsd.exevmwaretray.exevmwareuser.exevmacthlp.exevmware-vmx.exevmware-authd.exevboxservice.exevboxtray.exevboxcontrol.exevboxheadless.exeqemu-ga.exeqemu-system-x86.exeqemu-system-, xrefs: 00007FF7963261EF
                              • Virtual-Bochs-0123-4567-89AB-CDEFFFFF-FFFF-FFFF-FFFF0000-0000-0000-00001111-1111-1111-1111SANDBOX_MALTEST_VIRUS_SECURITY_TEST_MACHINE_AUTO-TEST-CI-SERVER-BUILD-MACHINE-JENKINS-GITLAB-RUNNER-12345ABCDETEST1DEMO1TEMP11111-2222-3333-4444-5555-6666-77%Y-%m-%d %H:%, xrefs: 00007FF7963278AD
                              • sbiedll.dllsf2.dllsnxhk.dllcmdvrt32.dllcmdvrt64.dllcyberghostvpn.dllvboxmrxnp.dllvmsrvc.dllvmhgfs.dllvm3dgl.dllvmrig.dllvmusb.dllvboxhook.dllvboxdisp.dllvboxservice.dlldbghelp.dllapi_log.dlldir_watch.dllwpespy.dllcigdll.dllpstorec.dllvmcheck.dllallerror.dllsam, xrefs: 00007FF79632383A
                              • getmacMAC Address: , xrefs: 00007FF7963234F7
                              • currentlocalaudittechdebugnulldummytempdemoevalsophosmcafeesymanteckasperskyavastbitdefenderesettrendpandadefendercorpcyberinfosecforensicsincidentreversesocblueteamredteamanalystanalyticresearchertestmaltestusertestsystemtestpctestboxnewuserstudentpocAdminist, xrefs: 00007FF79632481B
                              • /fitasklistcsproductidentifyingnumber, xrefs: 00007FF796326A6B
                              • sandbox.dllagent.dlldbgcore.dllavghook.dllavghooka.dlllog_api.dllapi_hook.dllapimon.dllapispy.dllregmon.dllfilemon.dllprocmon.dllsysmon.dllsyscall.dllhooks.dllmonitor.dlldefense.dllprotect.dllanalyzer.dlltrace.dllqemu-ga.dllparallels.dllprl_tools.dllvpcmap.dll, xrefs: 00007FF796323A92
                              • system_info.txtFailed to write to file: , xrefs: 00007FF796327E70
                              • ed., xrefs: 00007FF796325D0B
                              • 111122223333444455556666777D4B67276A58480C8ete9t8e8t3UnknownDefault string1234567890 NoneN/AAllDefaultSystem50023570840958302290236455696557BSS-01234567897865625393116424L1HF0CF008J3209-6896-4881-1621-1204-9357-891RLVSSVMware-42 23 54 12 34 56 78 90-12 34 56 7, xrefs: 00007FF79632726C
                              • systemexplorerservice.exenetworkminer.exetcpdump.exenetworktrafficview.exeettercap.exefireshark.exeIMAGENAME eq , xrefs: 00007FF7963267CB
                              • C:\Program Files\Cuckoo\C:\Program Files\Joe Sandbox\C:\Program Files\Wireshark\C:\Program Files\Fiddler\C:\Program Files\Process Hacker\C:\Program Files\Process Monitor\C:\Program Files\Process Explorer\C:\Program Files\IDA Pro\C:\Program Files\x64dbg\C:\Prog, xrefs: 00007FF796325FE2
                              • VMware-56 4d 14 aa bb cc dd ee-ff 00 11 22 33 44 55 66VM-1234567890VMWVMware, Inc.VirtualBox-00 11 22 33 44 55 66 77-88 99 aa bb cc dd ee ffVBOX-1234567890VBOX_HARDDISK0VIRTUAL_DISKQEMU0001QEMU1234TEST-1234567890DESKTOP-TESTSANDBOX-PCANALYSIS-PCVirtual-1234567, xrefs: 00007FF796327436
                              • VM-TEST-PCVM-ANALYSISVIRTUAL_MACHINE000000000000111111111111AAAAAAAAAAAABCDEF123456TEMP-CLONE-EC2-GCP-AZURE-AWS-LAB-PC-RESEARCH-MALWARE-ANALYSIS-123456789012987654321098ABCDEFGHIJKLTo be filled by O.E.M.System manufacturerNot ApplicableXen-KVM-Parallels-HyperV, xrefs: 00007FF7963275F8
                              • ormation, xrefs: 00007FF7963233AE
                              • vmusbmouse.dllvmtray.dllwireshark.dllwindbg.dllollydbg.dllimmunity.dllghidra.dllida.dllx64dbg.dll, xrefs: 00007FF796323D0E
                              • administratoradminrootguestuserdefaultsystemsandboxmalwareanalysisanalyzerresearchsecuritytesttestertestingviruslabmaltestsamplesecurediagnosticvmwarevboxvirtualvmqemucuckooabbeyalalexbrunofredgeorgeharryjohnjohnsonjoneslisapaulpetersmithworkvtcdekkerhoneyhone, xrefs: 00007FF796324384
                              • tected., xrefs: 00007FF796326F5B
                              • AlBrunoFredGeorgeharry johnsonLisaPaul Joneslabuserlabtechlabtestersandbox_uservm_usertest_adminmalwarelabanalysisstnsec_analystsysadminnetadminsupporthelpdeskservicesupervisormaintaincontrolscanmonitorUSERNAMEVBOXVIRTUALBOXORACLE VMINNOTEKSUN VIRTUALBOXVMWARE, xrefs: 00007FF796324C2E
                              • a Display implementation returned an error unexpectedly/rustc/eeb90cda1969383f56a2637cbd3037bdf598841c\library\alloc\src\string.rs, xrefs: 00007FF796328D30
                              • CUCKOOJOEBOXVPCJETBRAINSHYBRID ANALYSISVM PLATFORMVIRTUALIZEDPCVMGENERATIONVM INSTANCECLOUD INSTANCEcomputersystemgetmodel, xrefs: 00007FF796325851
                              • a Display implementation returned an error unexpectedly/rustc/eeb90cda1969383f56a2637cbd3037bdf598841c\library\alloc\src\string.rs, xrefs: 00007FF796328CA0, 00007FF796328CD0, 00007FF796328D00, 00007FF796328D60
                              • PARALLELS PLATFORMPARALLELS TOOLSKVMQEMU/KVMKVM VIRTUALLINUX KVMRED HAT KVMVIRTUALBHYVEPROXMOXDOCKERLXCOPENVZCITRIXAMAZON EC2AWSGOOGLE COMPUTEGCPAZUREVAGRANTEC2AMAZONT2.MICROT3.MICROGOOGLE CLOUDMICROSOFT AZUREDIGITALOCEANLINODEVULTRSANDBOXVIRTUAL PLATFORMWINEA, xrefs: 00007FF796325518
                              • C:\windows\sysnative\vboxmrxnp.dllC:\Program Files\Oracle\VirtualBox Guest Additions\C:\windows\sysnative\drivers\qemu-ga.sysC:\windows\sysnative\drivers\qemufwcfg.sysC:\windows\sysnative\drivers\qemupciserial.sysC:\sandcastle\C:\sandbox\C:\tools\sandbox\C:\Pr, xrefs: 00007FF796325F01
                              • wmicC:\windows\sysnative\drivers\vmmouse.sysC:\windows\sysnative\drivers\vmhgfs.sysC:\windows\sysnative\drivers\vmusbmouse.sysC:\windows\sysnative\drivers\vmrawdsk.sysC:\windows\sysnative\drivers\vmmemctl.sysC:\windows\sysnative\drivers\vmx86.sysC:\windows\sys, xrefs: 00007FF796322AD8, 00007FF796322C8B, 00007FF796322E42, 00007FF796322FEA, 00007FF796323192, 00007FF79632333E, 00007FF79632596D, 00007FF796327003
                              • C:\Analysis\C:\Analyser\C:\Sandbox\C:\Malware\C:\Research\C:\Test\C:\windows\sysnative\drivers\prleth.sysC:\windows\sysnative\drivers\prlfs.sysC:\windows\sysnative\drivers\prlmouse.sysC:\windows\sysnative\drivers\prlvideo.sysC:\windows\sysnative\drivers\xennet, xrefs: 00007FF7963260DC
                              • 1111-2222-3333-4444-5555-6666-77%Y-%m-%d %H:%M:%STimestamp (PT): , xrefs: 00007FF79632725A
                              • nown, xrefs: 00007FF79632289F
                              • USERNAMEVBOXVIRTUALBOXORACLE VMINNOTEKSUN VIRTUALBOXVMWAREVM_VIRTUAL MACHINEVMXNETVMX86VSPCQEMUQEMU HARDDISKQEMU DVD-ROMQEMU VIRTUALQ35BOCHSXENHVM DOMUXEN VIRTUALXENVMXVMHYPER-VMICROSOFT VIRTUALVIRTUAL HDMICROSOFTVIRTUALMICROSOFT CORPORATIONPARALLELSPARALLELS , xrefs: 00007FF79632283D
                              • x DLLs:, xrefs: 00007FF7963240DD
                              • systeminfoSystem Info: , xrefs: 00007FF79632369D
                              Memory Dump Source
                              • Source File: 00000000.00000002.2485668285.00007FF796321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF796320000, based on PE: true
                              • Associated: 00000000.00000002.2485640721.00007FF796320000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2485711078.00007FF796368000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2485743843.00007FF796384000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2485771023.00007FF796385000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff796320000_data.jbxd
                              Yara matches
                              Similarity
                              • API ID: Library$FreeLoad
                              • String ID: /fitasklistcsproductidentifyingnumber$1111-2222-3333-4444-5555-6666-77%Y-%m-%d %H:%M:%STimestamp (PT): $111122223333444455556666777D4B67276A58480C8ete9t8e8t3UnknownDefault string1234567890 NoneN/AAllDefaultSystem50023570840958302290236455696557BSS-01234567897865625393116424L1HF0CF008J3209-6896-4881-1621-1204-9357-891RLVSSVMware-42 23 54 12 34 56 78 90-12 34 56 7$AlBrunoFredGeorgeharry johnsonLisaPaul userlabuserlabtechlabtestersandbox_uservm_usertest_adminmalwarelabanalysisstnsec_analystsysadminnetadminsupporthelpdeskservicesupervisormaintaincontrolscanmonitorUSERNAMEVBOXVIRTUALBOXORACLE VMINNOTEKSUN VIRTUALBOXVMWARE$C:\Analysis\C:\Analyser\C:\Sandbox\C:\Malware\C:\Research\C:\Test\C:\windows\sysnative\drivers\prleth.sysC:\windows\sysnative\drivers\prlfs.sysC:\windows\sysnative\drivers\prlmouse.sysC:\windows\sysnative\drivers\prlvideo.sysC:\windows\sysnative\drivers\xennet$C:\Program Files\Cuckoo\C:\Program Files\Joe Sandbox\C:\Program Files\Wireshark\C:\Program Files\Fiddler\C:\Program Files\Process Hacker\C:\Program Files\Process Monitor\C:\Program Files\Process Explorer\C:\Program Files\IDA Pro\C:\Program Files\x64dbg\C:\Prog$C:\Program Files\VMware\VMware Tools\C:\windows\sysnative\drivers\VBoxMouse.sysC:\windows\sysnative\drivers\VBoxGuest.sysC:\windows\sysnative\drivers\VBoxSF.sysC:\windows\sysnative\drivers\VBoxVideo.sysC:\windows\sysnative\vboxdisp.dllC:\windows\sysnative\vbox$C:\windows\sysnative\drivers\xensvc.sysC:\windows\sysnative\drivers\xenvbd.sysvmtoolsd.exevmwaretray.exevmwareuser.exevmacthlp.exevmware-vmx.exevmware-authd.exevboxservice.exevboxtray.exevboxcontrol.exevboxheadless.exeqemu-ga.exeqemu-system-x86.exeqemu-system-$C:\windows\sysnative\vboxmrxnp.dllC:\Program Files\Oracle\VirtualBox Guest Additions\C:\windows\sysnative\drivers\qemu-ga.sysC:\windows\sysnative\drivers\qemufwcfg.sysC:\windows\sysnative\drivers\qemupciserial.sysC:\sandcastle\C:\sandbox\C:\tools\sandbox\C:\Pr$COMPUTERNAMEComputer Name: $CUCKOOJOEBOXVPCJETBRAINSHYBRID ANALYSISVM PLATFORMVIRTUALIZEDPCVMGENERATIONVM INSTANCECLOUD INSTANCEcomputersystemgetmodel$PARALLELS PLATFORMPARALLELS TOOLSKVMQEMU/KVMKVM VIRTUALLINUX KVMRED HAT KVMVIRTUALBHYVEPROXMOXDOCKERLXCOPENVZCITRIXAMAZON EC2AWSGOOGLE COMPUTEGCPAZUREVAGRANTEC2AMAZONT2.MICROT3.MICROGOOGLE CLOUDMICROSOFT AZUREDIGITALOCEANLINODEVULTRSANDBOXVIRTUAL PLATFORMWINEA$USERNAMEVBOXVIRTUALBOXORACLE VMINNOTEKSUN VIRTUALBOXVMWAREVM_VIRTUAL MACHINEVMXNETVMX86VSPCQEMUQEMU HARDDISKQEMU DVD-ROMQEMU VIRTUALQ35BOCHSXENHVM DOMUXEN VIRTUALXENVMXVMHYPER-VMICROSOFT VIRTUALVIRTUAL HDMICROSOFTVIRTUALMICROSOFT CORPORATIONPARALLELSPARALLELS $VM-TEST-PCVM-ANALYSISVIRTUAL_MACHINE000000000000111111111111AAAAAAAAAAAABCDEF123456TEMP-CLONE-EC2-GCP-AZURE-AWS-LAB-PC-RESEARCH-MALWARE-ANALYSIS-123456789012987654321098ABCDEFGHIJKLTo be filled by O.E.M.System manufacturerNot ApplicableXen-KVM-Parallels-HyperV$VMware-56 4d 14 aa bb cc dd ee-ff 00 11 22 33 44 55 66VM-1234567890VMWVMware, Inc.VirtualBox-00 11 22 33 44 55 66 77-88 99 aa bb cc dd ee ffVBOX-1234567890VBOX_HARDDISK0VIRTUAL_DISKQEMU0001QEMU1234TEST-1234567890DESKTOP-TESTSANDBOX-PCANALYSIS-PCVirtual-1234567$Virtual-Bochs-0123-4567-89AB-CDEFFFFF-FFFF-FFFF-FFFF0000-0000-0000-00001111-1111-1111-1111SANDBOX_MALTEST_VIRUS_SECURITY_TEST_MACHINE_AUTO-TEST-CI-SERVER-BUILD-MACHINE-JENKINS-GITLAB-RUNNER-12345ABCDETEST1DEMO1TEMP11111-2222-3333-4444-5555-6666-77%Y-%m-%d %H:%$a Display implementation returned an error unexpectedly/rustc/eeb90cda1969383f56a2637cbd3037bdf598841c\library\alloc\src\string.rs$a Display implementation returned an error unexpectedly/rustc/eeb90cda1969383f56a2637cbd3037bdf598841c\library\alloc\src\string.rs$administratoradminrootguestuserdefaultsystemsandboxmalwareanalysisanalyzerresearchsecuritytesttestertestingviruslabmaltestsamplesecurediagnosticvmwarevboxvirtualvmqemucuckooabbeyalalexbrunofredgeorgeharryjohnjohnsonuserlisapaulpetersmithworkvtcdekkerhoneyhone$currentlocalaudittechdebugnulldummytempdemoevalsophosmcafeesymanteckasperskyavastbitdefenderesettrendpandadefendercorpcyberinfosecforensicsincidentreversesocblueteamredteamanalystanalyticresearchertestmaltestusertestsystemtestpctestboxnewuserstudentpocAdminist$ed.$getmacMAC Address: $nown$ormation$sandbox.dllagent.dlldbgcore.dllavghook.dllavghooka.dlllog_api.dllapi_hook.dllapimon.dllapispy.dllregmon.dllfilemon.dllprocmon.dllsysmon.dllsyscall.dllhooks.dllmonitor.dlldefense.dllprotect.dllanalyzer.dlltrace.dllqemu-ga.dllparallels.dllprl_tools.dllvpcmap.dll$sandboxie.exesbiesvc.exesbiectrl.exesandman.execockoo.exeanalyser.exewireshark.exefiddler.exeprocesshacker.exeprocmon.exeprocexp.exeida64.exeollydbg.exex32dbg.exex64dbg.exewindbg.exeprocmon64.exefilemon.exeregmon.exeidag.exeidaw.exeidaq.exeidaq64.exeidau64.exe$sbiedll.dllsf2.dllsnxhk.dllcmdvrt32.dllcmdvrt64.dllcyberghostvpn.dllvboxmrxnp.dllvmsrvc.dllvmhgfs.dllvm3dgl.dllvmrig.dllvmusb.dllvboxhook.dllvboxdisp.dllvboxservice.dlldbghelp.dllapi_log.dlldir_watch.dllwpespy.dllcigdll.dllpstorec.dllvmcheck.dllallerror.dllsam$scylla.exeprotection_id.exedumpcap.exehookexplorer.exeimportrec.exepetools.exelordpe.exeprl_tools.exeprl_cc.exexenclient.exexenservice.exedepends.exeautoruns.exeautorunsc.exefilescan.exetcpview.exepestudio.exeregshot.exeprocess monitor.exesystem explorer.exesy$system_info.txtFailed to write to file: $systemexplorerservice.exenetworkminer.exetcpdump.exenetworktrafficview.exeettercap.exefireshark.exeIMAGENAME eq $systeminfoSystem Info: $tected.$vmusbmouse.dllvmtray.dllwireshark.dllwindbg.dllollydbg.dllimmunity.dllghidra.dllida.dllx64dbg.dll$wmicC:\windows\sysnative\drivers\vmmouse.sysC:\windows\sysnative\drivers\vmhgfs.sysC:\windows\sysnative\drivers\vmusbmouse.sysC:\windows\sysnative\drivers\vmrawdsk.sysC:\windows\sysnative\drivers\vmmemctl.sysC:\windows\sysnative\drivers\vmx86.sysC:\windows\sys$x DLLs:
                              • API String ID: 534179979-1405943658
                              • Opcode ID: 3c1afe77419fb8759d34e7c1d9baa9576e811432dd8c33c36a6f330a03f522f2
                              • Instruction ID: deda3883e0bbd11a2180fb6acd32076a7c2d79fefe03f94d0bbb71c434052ef6
                              • Opcode Fuzzy Hash: 3c1afe77419fb8759d34e7c1d9baa9576e811432dd8c33c36a6f330a03f522f2
                              • Instruction Fuzzy Hash: F8D3A476A09FC698E7709F20EC453EA73A5FB48748F80423DCA8C4AB99DF799254C351

                              Control-flow Graph

                              control_flow_graph 2002 7ff796347630-7ff796347693 2003 7ff7963476a0-7ff7963476b3 GetCurrentProcessId 2002->2003 2004 7ff7963476e6-7ff79634777a call 7ff796359ab0 2003->2004 2005 7ff7963476b5 2003->2005 2009 7ff79634778d-7ff7963477bd 2004->2009 2010 7ff79634777c-7ff796347788 call 7ff7963301d0 2004->2010 2006 7ff7963476c0-7ff7963476e4 ProcessPrng 2005->2006 2006->2004 2006->2006 2011 7ff7963477e0-7ff7963477fd 2009->2011 2012 7ff7963477bf-7ff7963477ca 2009->2012 2010->2009 2016 7ff7963478d3-7ff7963478ef call 7ff7963301c0 2011->2016 2014 7ff7963477cc-7ff7963477d0 2012->2014 2015 7ff796347810-7ff796347822 2012->2015 2017 7ff796347874-7ff796347879 2014->2017 2018 7ff796347868-7ff796347871 2015->2018 2019 7ff796347824-7ff796347836 2015->2019 2029 7ff7963478f5-7ff796347914 2016->2029 2030 7ff796347de3-7ff796347e0d call 7ff796366e00 2016->2030 2023 7ff79634787c-7ff7963478be 2017->2023 2018->2017 2021 7ff79634783c-7ff796347861 2019->2021 2022 7ff796347c34-7ff796347c45 2019->2022 2021->2017 2025 7ff796347863 2021->2025 2022->2017 2028 7ff796347c4b-7ff796347c74 2022->2028 2026 7ff796347de1 2023->2026 2027 7ff7963478c4-7ff7963478ce 2023->2027 2025->2028 2026->2030 2027->2016 2028->2023 2031 7ff796347933-7ff796347939 2029->2031 2035 7ff796347e12-7ff796347e4b 2030->2035 2033 7ff7963479e0-7ff7963479e5 2031->2033 2034 7ff79634793f-7ff796347943 2031->2034 2038 7ff7963479eb-7ff7963479f3 2033->2038 2039 7ff796347b80-7ff796347bc8 CreateNamedPipeW 2033->2039 2036 7ff7963479a0-7ff7963479a7 2034->2036 2037 7ff796347945-7ff79634794b 2034->2037 2040 7ff796347e4d-7ff796347e5d call 7ff7963301d0 2035->2040 2041 7ff796347e62-7ff796347e9b 2035->2041 2036->2033 2046 7ff7963479a9-7ff7963479b7 2036->2046 2044 7ff79634794d-7ff79634798f 2037->2044 2045 7ff796347920-7ff796347930 2037->2045 2047 7ff796347a70-7ff796347a76 2038->2047 2048 7ff7963479f5-7ff796347a15 2038->2048 2042 7ff796347bce-7ff796347be5 GetLastError 2039->2042 2043 7ff796347ce6-7ff796347cf0 2039->2043 2040->2041 2050 7ff796347c79-7ff796347c93 2042->2050 2051 7ff796347beb-7ff796347bf1 2042->2051 2054 7ff796347cf2-7ff796347d01 call 7ff7963301d0 2043->2054 2055 7ff796347d06-7ff796347d75 call 7ff796345e50 2043->2055 2052 7ff796347a1b-7ff796347a4d 2044->2052 2053 7ff796347995 2044->2053 2045->2031 2056 7ff7963479bd-7ff7963479c9 2046->2056 2057 7ff796347aac-7ff796347ac1 2046->2057 2059 7ff796347a7e 2047->2059 2048->2052 2058 7ff796347dd8 2048->2058 2068 7ff796347ca6-7ff796347ca9 2050->2068 2069 7ff796347c95-7ff796347ca1 call 7ff7963301d0 2050->2069 2060 7ff796347c00-7ff796347c03 2051->2060 2061 7ff796347bf3-7ff796347bfd 2051->2061 2052->2059 2070 7ff796347a4f-7ff796347a63 2052->2070 2053->2058 2054->2055 2079 7ff796347d7a-7ff796347d7d 2055->2079 2056->2045 2066 7ff7963479cf 2056->2066 2064 7ff796347b0a-7ff796347b22 2057->2064 2065 7ff796347ac3-7ff796347ad5 2057->2065 2062 7ff796347dda-7ff796347ddf call 7ff796366e00 2058->2062 2073 7ff796347a80-7ff796347a9d call 7ff79633b640 2059->2073 2060->2050 2076 7ff796347c05-7ff796347c0b 2060->2076 2074 7ff796347c0d-7ff796347c19 2061->2074 2062->2035 2064->2045 2080 7ff796347b28 2064->2080 2077 7ff796347ad7-7ff796347b02 2065->2077 2078 7ff796347b2d-7ff796347b44 2065->2078 2066->2044 2071 7ff796347cbc-7ff796347cc0 2068->2071 2072 7ff796347cab-7ff796347cb7 call 7ff7963301d0 2068->2072 2069->2068 2070->2073 2084 7ff796347ccb-7ff796347ce5 2071->2084 2085 7ff796347cc2-7ff796347cc5 CloseHandle 2071->2085 2072->2071 2098 7ff796347dce-7ff796347dd6 2073->2098 2099 7ff796347aa3 2073->2099 2074->2003 2087 7ff796347c1f-7ff796347c2f call 7ff7963301d0 2074->2087 2076->2050 2076->2074 2077->2037 2088 7ff796347b08 2077->2088 2078->2037 2091 7ff796347b4a-7ff796347b71 2078->2091 2089 7ff796347d9c-7ff796347db2 2079->2089 2090 7ff796347d7f-7ff796347d91 2079->2090 2080->2078 2085->2084 2087->2003 2088->2091 2089->2084 2096 7ff796347db8-7ff796347dc9 call 7ff7963301d0 2089->2096 2090->2072 2095 7ff796347d97 2090->2095 2091->2045 2092 7ff796347b77 2091->2092 2092->2044 2095->2071 2096->2084 2098->2062 2099->2057
                              APIs
                              Yara matches
                              Similarity
                              • API ID: Process$CurrentPrng
                              • String ID:
                              • API String ID: 716580790-0
                              • Opcode ID: febaf20dcaaebedca5b352bdbaf2aa2190e9f40f303c37fef2ac41af8988f772
                              • Instruction ID: 321fd004cc013724321d6fe47f616bfcb19bd4af5a5a4677c56975a3137eecd1
                              • Opcode Fuzzy Hash: febaf20dcaaebedca5b352bdbaf2aa2190e9f40f303c37fef2ac41af8988f772
                              • Instruction Fuzzy Hash: 5C229B72A08A8189EB759F359C003BAAAA2FB04798F94473DDE5E47B94EE7DD144C310

                              Control-flow Graph

                              APIs
                              Yara matches
                              Similarity
                              • API ID: CloseFind$FileFirstHandle
                              • String ID:
                              • API String ID: 1310327803-0
                              • Opcode ID: 5c5f8338d567aeec1b2ea0d7707a34befd891ef5aef36dfa3283eed44c1e173e
                              • Instruction ID: e5fe18539d22618314fc40efdc7ca9e052cdadf198dc7e2fe3b9c1a2adb1767a
                              • Opcode Fuzzy Hash: 5c5f8338d567aeec1b2ea0d7707a34befd891ef5aef36dfa3283eed44c1e173e
                              • Instruction Fuzzy Hash: D5518D32A04B8186EB70AF71EC553ABA6A1FB45798F50823DCE6D0AB95CF3CE1458350

                              Control-flow Graph

                              APIs
                              Yara matches
                              Similarity
                              • API ID: ErrorFileObjectSingleStatusWaitWrite
                              • String ID:
                              • API String ID: 3447438843-0
                              • Opcode ID: 8531f7d929273bddc373d40e22a451b88738e285fd4a72613cfacdaff5f4dce8
                              • Instruction ID: 63171614eb9e04c0252ce4e48579df0b46c756c46be60fc43a848023b0297ca9
                              • Opcode Fuzzy Hash: 8531f7d929273bddc373d40e22a451b88738e285fd4a72613cfacdaff5f4dce8
                              • Instruction Fuzzy Hash: 7F318432B04F5589E720DF74EC407AA77A5EB55358F948238EA4D43A98EF3CD1958350

                              Control-flow Graph

                              APIs
                              Yara matches
                              Similarity
                              • API ID: ErrorFileObjectReadSingleStatusWait
                              • String ID:
                              • API String ID: 3583596364-0
                              • Opcode ID: ea6200bda6fe03d73fc07ac18d55f378c85d4fb063f3c8c752bdbdd7fe03d4ef
                              • Instruction ID: ffd150e01f61c833748140353772cc4cd7875a0155c6f1adc2f76ca82a4703d9
                              • Opcode Fuzzy Hash: ea6200bda6fe03d73fc07ac18d55f378c85d4fb063f3c8c752bdbdd7fe03d4ef
                              • Instruction Fuzzy Hash: 8631A732B08B5189F720DF70EC507AE73A5EB55358F90823CEA4D82698EF7CD1958350

                              Control-flow Graph

                              control_flow_graph 2198 7ff796332cc0-7ff796332cd1 2199 7ff796332d32 2198->2199 2200 7ff796332cd3-7ff796332ced 2198->2200 2202 7ff796332d34-7ff796332d44 2199->2202 2201 7ff796332cf8-7ff796332d1a BCryptGenRandom 2200->2201 2203 7ff796332d1c-7ff796332d28 SystemFunction036 2201->2203 2204 7ff796332cf0-7ff796332cf6 2201->2204 2203->2204 2205 7ff796332d2a-7ff796332d30 2203->2205 2204->2199 2204->2201 2205->2202
                              APIs
                              • BCryptGenRandom.BCRYPT(?,-00000120,?,00007FF796332A25,?,?,00000010,00007FF79632EA6D), ref: 00007FF796332D12
                              • SystemFunction036.ADVAPI32(?,-00000120,?,00007FF796332A25,?,?,00000010,00007FF79632EA6D), ref: 00007FF796332D23
                              Yara matches
                              Similarity
                              • API ID: CryptFunction036RandomSystem
                              • String ID:
                              • API String ID: 1232939966-0
                              • Opcode ID: 9342be9b4e9d4828e24e87e33803fc7e85e4f791ea97dba74869249418b21032
                              • Instruction ID: 8e9b5e738033505ed8a15071f7a860df89ebab816bc5316e66e2bd8d1208174c
                              • Opcode Fuzzy Hash: 9342be9b4e9d4828e24e87e33803fc7e85e4f791ea97dba74869249418b21032
                              • Instruction Fuzzy Hash: 70F0FF12F0A45511FA746A776D04D32D5402F28BF0EE8473DAE3C83BD8EC3CD8826220

                              Control-flow Graph

                              control_flow_graph 2206 7ff7963352b0-7ff7963352ec GetTimeZoneInformationForYear 2207 7ff7963352f2-7ff796335319 2206->2207 2208 7ff79633538f 2206->2208 2207->2208 2210 7ff79633531b-7ff79633531e 2207->2210 2209 7ff796335395-7ff7963353a1 2208->2209 2210->2208 2211 7ff796335320-7ff79633532c 2210->2211 2211->2208 2212 7ff79633532e-7ff796335335 2211->2212 2212->2208 2213 7ff796335337-7ff79633533b 2212->2213 2213->2208 2214 7ff79633533d-7ff796335349 2213->2214 2214->2208 2215 7ff79633534b-7ff796335362 call 7ff7963353e0 2214->2215 2215->2208 2218 7ff796335364-7ff79633538d call 7ff7963353e0 2215->2218 2218->2208 2221 7ff7963353a2-7ff7963353d4 2218->2221 2221->2209
                              APIs
                              Yara matches
                              Similarity
                              • API ID: InformationTimeYearZone
                              • String ID:
                              • API String ID: 2325421820-0
                              • Opcode ID: 8541c9e689f33b9422a433280ca6a9e260ffc78f3630092748a3d317c3d59afa
                              • Instruction ID: b099d5853867e6585a81de9929a694097e8e67e25dfde53799ac8a8af7890bd8
                              • Opcode Fuzzy Hash: 8541c9e689f33b9422a433280ca6a9e260ffc78f3630092748a3d317c3d59afa
                              • Instruction Fuzzy Hash: 603154726086858AE7399F29E8407BBF7A1F794365F804139DB8A46B54EB7CE085CF10

                              Control-flow Graph

                              control_flow_graph 1827 7ff796341e50-7ff796341e9c call 7ff796349130 1830 7ff796341ea2-7ff796341ed1 1827->1830 1831 7ff7963420c5-7ff7963420d6 1827->1831 1833 7ff796341ed9-7ff796341f34 1830->1833 1834 7ff796341ed3 CloseHandle 1830->1834 1832 7ff796342107-7ff79634211d 1831->1832 1835 7ff796341f96-7ff796341f99 1833->1835 1836 7ff796341f36-7ff796341f39 1833->1836 1834->1833 1837 7ff796341f9b-7ff796341fb5 call 7ff796348190 1835->1837 1838 7ff796342000-7ff79634201a WaitForSingleObject 1835->1838 1839 7ff796341fcd-7ff796341ff1 call 7ff796348190 1836->1839 1840 7ff796341f3f-7ff796341f59 call 7ff796348560 1836->1840 1857 7ff79634211e-7ff796342150 call 7ff796367280 1837->1857 1858 7ff796341fbb-7ff796341fcb CloseHandle 1837->1858 1844 7ff79634201c-7ff79634202b GetLastError 1838->1844 1845 7ff796342061-7ff79634207d GetExitCodeProcess 1838->1845 1859 7ff796341ff7-7ff796341ffa CloseHandle 1839->1859 1860 7ff796342152-7ff79634217f call 7ff796367280 1839->1860 1840->1838 1853 7ff796341f5f-7ff796341f91 call 7ff796367280 1840->1853 1846 7ff79634202d-7ff796342037 call 7ff7963301d0 1844->1846 1847 7ff79634203c-7ff796342047 1844->1847 1845->1844 1849 7ff79634207f-7ff7963420a1 1845->1849 1846->1847 1854 7ff796342049-7ff796342053 call 7ff7963301d0 1847->1854 1855 7ff796342058-7ff79634205f 1847->1855 1856 7ff7963420a5-7ff7963420c0 CloseHandle * 2 1849->1856 1867 7ff796342184-7ff7963421ca CloseHandle 1853->1867 1854->1855 1855->1856 1864 7ff7963420d8-7ff796342103 1856->1864 1865 7ff7963420c2 1856->1865 1857->1867 1858->1838 1859->1838 1860->1867 1864->1832 1865->1831
                              APIs
                              Strings
                              Yara matches
                              Similarity
                              • API ID: CloseHandle$CodeErrorExitLastObjectProcessSingleWait
                              • String ID: called `Result::unwrap()` on an `Err` value
                              • API String ID: 17306042-2333694755
                              • Opcode ID: 438e643e377771e270f847e2905fd42895b57f0edc2496966572b8b956f0190b
                              • Instruction ID: f288d59df9933def272a539f360c19b6f5244b625bffd2014466e2ec64e7db2a
                              • Opcode Fuzzy Hash: 438e643e377771e270f847e2905fd42895b57f0edc2496966572b8b956f0190b
                              • Instruction Fuzzy Hash: DBA12D32A04A8199E7719F31EC413EAB7A0FB4879CF948239EE5D16B59DF38E185C350

                              Yara matches
                              Similarity
                              • API ID: __p___argc__p___argv__scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock_cexit_exit_get_initial_narrow_environment_register_thread_local_exe_atexit_callback
                              • String ID:
                              • API String ID: 1804101941-0
                              • Opcode ID: de9c70b039618d4213ae7027ef4f1e966bc2cfb6d50e925aa29a9a76d3c31a36
                              • Instruction ID: ff563e844aa65177857fa7e205904968143b28be0e9ce762d50f65adb397ed4b
                              • Opcode Fuzzy Hash: de9c70b039618d4213ae7027ef4f1e966bc2cfb6d50e925aa29a9a76d3c31a36
                              • Instruction Fuzzy Hash: 3D315E11A08A4751FA34BB309E533FB92919F85788FC6423DD61D472EBDF6CA8458270

                              Yara matches
                              Similarity
                              • API ID: ErrorLast$FileHandle$CloseCreateInformation
                              • String ID:
                              • API String ID: 1617036312-0
                              • Opcode ID: c588b790e690c99f623b02e1666e4cc61c003076d644450367950b55c6f4fbb6
                              • Instruction ID: 96a20ceb02b52dd903bd05eb74302c3a16e36c0c258fe1c69d8967a04bde2fcb
                              • Opcode Fuzzy Hash: c588b790e690c99f623b02e1666e4cc61c003076d644450367950b55c6f4fbb6
                              • Instruction Fuzzy Hash: 9571B3A1E0C55286FB716A319D103BBE6A1AB45BD8F94833DCD4D07AC9CF3DE8858721

                              Yara matches
                              Similarity
                              • API ID: CloseHandleTimerWaitable$CreateObjectSingleSleepWait
                              • String ID:
                              • API String ID: 2261246915-0
                              • Opcode ID: 50505995981c3806f9d2cc1924f5b46220df0c5dcdf9623345c63962f85de179
                              • Instruction ID: 32f49c77c4ceb515f56a99a022cc3ab47fd8053808aeb17bd865d94d52f5f3d8
                              • Opcode Fuzzy Hash: 50505995981c3806f9d2cc1924f5b46220df0c5dcdf9623345c63962f85de179
                              • Instruction Fuzzy Hash: 4521E522F49A1202FE78AB366D25B37D6565F897A4FC4833CDD2E467E4DE3DA8414320

                              Yara matches
                              Similarity
                              • API ID: Thread$CurrentDescriptionExceptionGuaranteeHandlerStackVectored
                              • String ID: main
                              • API String ID: 3663057573-3207122276
                              • Opcode ID: 053a5457683d3ba11eda5a4faf6eeecc55e1d40f605e8ed44498af0681589062
                              • Instruction ID: c50db06c57ec04aefd1c3e4e1634b56d92ed8748d57005a6c0d2894b6849de36
                              • Opcode Fuzzy Hash: 053a5457683d3ba11eda5a4faf6eeecc55e1d40f605e8ed44498af0681589062
                              • Instruction Fuzzy Hash: 93118C25B04B1589FB20EB74EC583EE6361BB457A8FC0033CDD5D56AA8DF38A448C360

                              Yara matches
                              Similarity
                              • API ID: ComputerName$ErrorLast
                              • String ID:
                              • API String ID: 2051095488-0
                              • Opcode ID: 8f101f71efb719af5b8a7ccb1d35d6f2ab03b6159112b36e9cac9af29825f4a1
                              • Instruction ID: 9c9810188abd6c6df5a7c04471eac2528982df2145407c22198913e86b6c53d3
                              • Opcode Fuzzy Hash: 8f101f71efb719af5b8a7ccb1d35d6f2ab03b6159112b36e9cac9af29825f4a1
                              • Instruction Fuzzy Hash: B141A022F04A1199F720EB76DC427FEA771BF44798F84823CDE5D26A95DF38A5918320

                              APIs
                              • GetFileAttributesW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,00007FF79634B909), ref: 00007FF79634E308
                              Yara matches
                              Similarity
                              • API ID: AttributesFile
                              • String ID:
                              • API String ID: 3188754299-0
                              • Opcode ID: b4ada52c40fb24d04368cba50722f6225311cdc453e75f22b7eeee1d05bd2027
                              • Instruction ID: e7dae6df07504498c73eb0a4639e89e5f49684e07ab6e2b9936cf35207316fc2
                              • Opcode Fuzzy Hash: b4ada52c40fb24d04368cba50722f6225311cdc453e75f22b7eeee1d05bd2027
                              • Instruction Fuzzy Hash: 1A214F33B05A1198EB21AFA1EC401AEA774BB447A8FD44639DE9D17B98DF38D592C310
                              Yara matches
                              Similarity
                              • API ID: Process$CloseCurrentHandlePrng
                              • String ID:
                              • API String ID: 842889843-0
                              • Opcode ID: 40431f0a896bf0ff88a2f31a179851803967304d75aabc459fa07889b5685e1c
                              • Instruction ID: 7ad35629c8a54e360132101d7b7ee7cb970915e0147481fb04f7e44d235b1aec
                              • Opcode Fuzzy Hash: 40431f0a896bf0ff88a2f31a179851803967304d75aabc459fa07889b5685e1c
                              • Instruction Fuzzy Hash: 25F04F36704A4181E6616B36DD403AAE352A744BE4F988239DA4D477C4EE7CE481C360
                              Yara matches
                              Similarity
                              • API ID: AddressProc$CurrentProcess$Mutex$CloseCreateHandleLibraryLoadObjectReleaseSingleWaitlstrlen
                              • String ID: EnumerateLoadedModulesW64$SymGetOptions$SymGetSearchPathW$SymInitializeW$SymSetOptions$SymSetSearchPathW$assertion failed: len >= 0$dbghelp.dll
                              • API String ID: 422451348-310313858
                              • Opcode ID: 9f1da83dd881848518d80b052b2155f30598394ab288e34e040013385bb04330
                              • Instruction ID: fc73400afcf29e44d16e5a3d03a9fa5641c6acf485ad08edbaf5077b9530c80c
                              • Opcode Fuzzy Hash: 9f1da83dd881848518d80b052b2155f30598394ab288e34e040013385bb04330
                              • Instruction Fuzzy Hash: D9E1A021A09B4285FB21AF32AC057BAA7A0BF48B98F85473CDD5D47799EF3CD0459320
                              Yara matches
                              Similarity
                              • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                              • String ID:
                              • API String ID: 3140674995-0
                              • Opcode ID: e2de14775ffad1f602ba76568c3758ac3fe60dc9f166d8b1a9f9a2c27a06c495
                              • Instruction ID: 289bf9248b115258de14f37d8e15e2608003e62c9b87b2b2053a20557eb2eba9
                              • Opcode Fuzzy Hash: e2de14775ffad1f602ba76568c3758ac3fe60dc9f166d8b1a9f9a2c27a06c495
                              • Instruction Fuzzy Hash: AE315E72604F8186EB709F60E8413EAB360FB88748F85453DDA4E47B98DF78C148C720
                              Strings
                              • NTDLL.DLL, xrefs: 00007FF796346BC5
                              • assertion failed: self.is_char_boundary(new_len)/rustc/eeb90cda1969383f56a2637cbd3037bdf598841c\library\alloc\src\string.rs, xrefs: 00007FF796346EAC
                              Yara matches
                              Similarity
                              • API ID: ErrorFormatHandleLastMessageModule
                              • String ID: NTDLL.DLL$assertion failed: self.is_char_boundary(new_len)/rustc/eeb90cda1969383f56a2637cbd3037bdf598841c\library\alloc\src\string.rs
                              • API String ID: 1273946083-2010291737
                              • Opcode ID: b2afb033c773aa6c1825c27157dbce3a42429b17fe06e54e98bbb5bcccce994d
                              • Instruction ID: 87922589408af982d8ee71e55a5acaeae1fcb25a638f902ca1bae62eb5cfac53
                              • Opcode Fuzzy Hash: b2afb033c773aa6c1825c27157dbce3a42429b17fe06e54e98bbb5bcccce994d
                              • Instruction Fuzzy Hash: 32A1B632A09BC284E7759F30DE447FAE6A0BB06394F94923DCA5D06BD4DF789685D320
                              Yara matches
                              Similarity
                              • API ID: AttributeInitializeListProcThread
                              • String ID:
                              • API String ID: 1263136677-0
                              • Opcode ID: f779f410fc06935e3512d6707c87bc9408ab9daf8fbd787225f70a1fd02ffeb4
                              • Instruction ID: 022d3e17bda04a9d2d22a5301b90a18a4205446ba49abe49e3d231d15bab5c67
                              • Opcode Fuzzy Hash: f779f410fc06935e3512d6707c87bc9408ab9daf8fbd787225f70a1fd02ffeb4
                              • Instruction Fuzzy Hash: F0A19262B19A5185EA24AB75ED047BBE6A1BB88BD8FC9473DDD1D03794DE3CE041C320
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: .llvm./rust/deps\rustc-demangle-0.1.24\src/lib.rs$__ZN$`fmt::Error`s should be impossible without a `fmt::Formatter`
                              • API String ID: 0-1033176386
                              • Opcode ID: d3dd76650a8c78379d602ba57b0a1280dcee97a3f993eb52b67bf0754e9eb0be
                              • Instruction ID: be1ee8e599c667bfd32a55aa641f20eea9dc43b94379de6ca515414de73079d3
                              • Opcode Fuzzy Hash: d3dd76650a8c78379d602ba57b0a1280dcee97a3f993eb52b67bf0754e9eb0be
                              • Instruction Fuzzy Hash: 0F620462E1C5A245F735AA319C046BEAFA2AB15394FC5473EDE6E076C8DF3C9944C320
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: Authenti$GenuineI$HygonGen
                              • API String ID: 0-696657513
                              • Opcode ID: 80f95d2119d08c5787cd09f134c09ef8f38516dd3ccdc86bfceb3dab823e25bd
                              • Instruction ID: 2d35c0293210ad8de437bc0f1c8cbb6c36e1c3a9d04947b4bb13d0b19bd1f911
                              • Opcode Fuzzy Hash: 80f95d2119d08c5787cd09f134c09ef8f38516dd3ccdc86bfceb3dab823e25bd
                              • Instruction Fuzzy Hash: DB9168A3B25D5102FF5C85A5AD32BBA4892B3987C8F49A13DED5F97BC4DC7CCA118200
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: assertion failed: nextspec > 0
                              • API String ID: 0-3745277292
                              • Opcode ID: 0227fdff4b7109a86f1b751bd42c503a5f7812272dae9c35c3400f30d18a2ff5
                              • Instruction ID: 4ca6bfd7c84509c9a9c5cb980d60b59e4b7017818caa5d291aaf80f068091c4f
                              • Opcode Fuzzy Hash: 0227fdff4b7109a86f1b751bd42c503a5f7812272dae9c35c3400f30d18a2ff5
                              • Instruction Fuzzy Hash: 47225712E1C6A741FE796B349D10F7FEA50AB11390FC4433DDA9E066D2DE6EEA509320
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: punycode{-}0
                              • API String ID: 0-2450133883
                              • Opcode ID: 053aecdc7316c8b1436549b1b27151e8faccf68d201d3868917389c9d11c319b
                              • Instruction ID: 8f31af5d667b53920e0dda75829f4e0b9173326533411efcbca9c5de9c6a8b4f
                              • Opcode Fuzzy Hash: 053aecdc7316c8b1436549b1b27151e8faccf68d201d3868917389c9d11c319b
                              • Instruction Fuzzy Hash: D8E1F762F1D68546EB789A35DC047FAAA91BB49B98F80833DCD1D07BCADF3CA5458310
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: 00000000
                              • API String ID: 0-3221785859
                              • Opcode ID: 84c91a71ed89441361df7bab482b99566e65242d53e2c6b1b104a21d81f7ee7c
                              • Instruction ID: ba624c10f369b11f16b5e8e78628baa5c77e549e804a23fe02635c2f0f43044a
                              • Opcode Fuzzy Hash: 84c91a71ed89441361df7bab482b99566e65242d53e2c6b1b104a21d81f7ee7c
                              • Instruction Fuzzy Hash: 58D13A62F0875286FB359E759C007BAAAA2AB50798FC4833EDD4D07B98DE38D5429311
                               APIs
                               • GetSystemTimePreciseAsFileTime.KERNEL32(?,?,?,?,?,00007FF7963339A0,?,?,?,?,?,?,?,?,?,?), ref: 00007FF796342366
                               Similarity
                               • API ID: Time$FilePreciseSystem
                               • String ID:
                               • API String ID: 1802150274-0
                               Similarity
                               • API ID:
                               • String ID: 0123456789abcdef
                               • API String ID: 0-1757737011
                               Similarity
                               • API ID:
                               • String ID: 0123456789abcdefBorrowMutErroralready borrowed:
                               • API String ID: 0-1320686809
                               Strings
                               • USERNAMEVBOXVIRTUALBOXORACLE VMINNOTEKSUN VIRTUALBOXVMWAREVM_VIRTUAL MACHINEVMXNETVMX86VSPCQEMUQEMU HARDDISKQEMU DVD-ROMQEMU VIRTUALQ35BOCHSXENHVM DOMUXEN VIRTUALXENVMXVMHYPER-VMICROSOFT VIRTUALVIRTUAL HDMICROSOFTVIRTUALMICROSOFT CORPORATIONPARALLELSPARALLELS , xrefs: 00007FF79634FEAE
                               Similarity
                               • API ID:
                               • String ID: USERNAMEVBOXVIRTUALBOXORACLE VMINNOTEKSUN VIRTUALBOXVMWAREVM_VIRTUAL MACHINEVMXNETVMX86VSPCQEMUQEMU HARDDISKQEMU DVD-ROMQEMU VIRTUALQ35BOCHSXENHVM DOMUXEN VIRTUALXENVMXVMHYPER-VMICROSOFT VIRTUALVIRTUAL HDMICROSOFTVIRTUALMICROSOFT CORPORATIONPARALLELSPARALLELS
                               • API String ID: 0-3632559206
                               Strings
                               • USERNAMEVBOXVIRTUALBOXORACLE VMINNOTEKSUN VIRTUALBOXVMWAREVM_VIRTUAL MACHINEVMXNETVMX86VSPCQEMUQEMU HARDDISKQEMU DVD-ROMQEMU VIRTUALQ35BOCHSXENHVM DOMUXEN VIRTUALXENVMXVMHYPER-VMICROSOFT VIRTUALVIRTUAL HDMICROSOFTVIRTUALMICROSOFT CORPORATIONPARALLELSPARALLELS , xrefs: 00007FF79633BB2B
                               Similarity
                               • API ID:
                               • String ID: USERNAMEVBOXVIRTUALBOXORACLE VMINNOTEKSUN VIRTUALBOXVMWAREVM_VIRTUAL MACHINEVMXNETVMX86VSPCQEMUQEMU HARDDISKQEMU DVD-ROMQEMU VIRTUALQ35BOCHSXENHVM DOMUXEN VIRTUALXENVMXVMHYPER-VMICROSOFT VIRTUALVIRTUAL HDMICROSOFTVIRTUALMICROSOFT CORPORATIONPARALLELSPARALLELS
                               • API String ID: 0-3632559206
                               Strings
                               • USERNAMEVBOXVIRTUALBOXORACLE VMINNOTEKSUN VIRTUALBOXVMWAREVM_VIRTUAL MACHINEVMXNETVMX86VSPCQEMUQEMU HARDDISKQEMU DVD-ROMQEMU VIRTUALQ35BOCHSXENHVM DOMUXEN VIRTUALXENVMXVMHYPER-VMICROSOFT VIRTUALVIRTUAL HDMICROSOFTVIRTUALMICROSOFT CORPORATIONPARALLELSPARALLELS , xrefs: 00007FF796321018
                               Similarity
                               • API ID:
                               • String ID: USERNAMEVBOXVIRTUALBOXORACLE VMINNOTEKSUN VIRTUALBOXVMWAREVM_VIRTUAL MACHINEVMXNETVMX86VSPCQEMUQEMU HARDDISKQEMU DVD-ROMQEMU VIRTUALQ35BOCHSXENHVM DOMUXEN VIRTUALXENVMXVMHYPER-VMICROSOFT VIRTUALVIRTUAL HDMICROSOFTVIRTUALMICROSOFT CORPORATIONPARALLELSPARALLELS
                               • API String ID: 0-3632559206
                               Similarity
                               • API ID: HeapProcess
                               • String ID:
                               • API String ID: 54951025-0
                               Similarity
                               • API ID: ErrorHandleLast
                               • String ID:
                               • API String ID: 2586478127-0
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2485668285.00007FF796321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF796320000, based on PE: true
                               • Associated: 00000000.00000002.2485640721.00007FF796320000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2485711078.00007FF796368000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2485743843.00007FF796384000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2485771023.00007FF796385000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff796320000_data.jbxd
                              Yara matches
                              Similarity
                              • API ID: BlockFrameHandler3::Unwindterminate$CatchExecutionHandlerIs_bad_exception_allowedSearchStateabortstd::bad_alloc::bad_alloc
                              • String ID: csm$csm$csm
                              • API String ID: 9366333-393685449
                              • Opcode ID: 9eb8710d1c2cf3d7fd4f9ee9a1cbdf044062f2e8aa85e940a8b9194d5ca9c9df
                              • Instruction ID: 64f566802498755771b66c45e388344c1e4c482abf61a15f1a68d1579b0a54f9
                              • Opcode Fuzzy Hash: 9eb8710d1c2cf3d7fd4f9ee9a1cbdf044062f2e8aa85e940a8b9194d5ca9c9df
                              • Instruction Fuzzy Hash: 60D18032908B4186EB30AB7698423AEB7A0FB55788F92023DDE8D57B95DF38E051D750
                              APIs
                              • GetCurrentProcess.KERNEL32(00000000,?,?,?,?,00000001,00000000,?,00007FF796352723), ref: 00007FF7963528D8
                              • GetProcAddress.KERNEL32(?,?,?,?,00000001,00000000,?,00007FF796352723), ref: 00007FF796352910
                              • GetProcAddress.KERNEL32(?,?,?,?,00000001,00000000,?,00007FF796352723), ref: 00007FF79635294A
                              • GetProcAddress.KERNEL32(?,?,?,?,00000001,00000000,?,00007FF796352723), ref: 00007FF7963529B0
                              • GetProcAddress.KERNEL32(?,?,?,?,00000001,00000000,?,00007FF796352723), ref: 00007FF7963529E3
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2485668285.00007FF796321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF796320000, based on PE: true
                               • Associated: 00000000.00000002.2485640721.00007FF796320000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2485711078.00007FF796368000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2485743843.00007FF796384000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2485771023.00007FF796385000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff796320000_data.jbxd
                              Yara matches
                              Similarity
                              • API ID: AddressProc$CurrentProcess
                              • String ID: SymAddrIncludeInlineTrace$SymFromInlineContextW$SymGetLineFromInlineContextW$SymQueryInlineTrace
                              • API String ID: 2190909847-3384281969
                              • Opcode ID: 09d54c18f1615d95bd4cea366ad29c5c9bd20369c13f797db71038b71ceea2fc
                              • Instruction ID: 6d224a848e1609111f34f1edec87ebb89ee8c4e9599640577ef45ff84b4575db
                              • Opcode Fuzzy Hash: 09d54c18f1615d95bd4cea366ad29c5c9bd20369c13f797db71038b71ceea2fc
                              • Instruction Fuzzy Hash: DAB16031908AC285E7319F36EC417EAB7A0FF44B98F84423DEA8D07B58DF7892919350
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2485668285.00007FF796321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF796320000, based on PE: true
                               • Associated: 00000000.00000002.2485640721.00007FF796320000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2485711078.00007FF796368000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2485743843.00007FF796384000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2485771023.00007FF796385000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff796320000_data.jbxd
                              Yara matches
                              Similarity
                              • API ID: ErrorLast$FullNamePath
                              • String ID: \\?\$\\?\UNC\
                              • API String ID: 2482867836-3019864461
                              • Opcode ID: 8ac8b30296e947894d0509a80c0f06ef3711bf65b21722398c23464ab87d79f9
                              • Instruction ID: 864708c4625aabe79f6ea83499474251ac82c084de958bdfd45c319410066e6b
                              • Opcode Fuzzy Hash: 8ac8b30296e947894d0509a80c0f06ef3711bf65b21722398c23464ab87d79f9
                              • Instruction Fuzzy Hash: 5902B772E04A9285EB71AF31DC447BAA7A5FB04B98F80823DDA5C57788DF78D6818311
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2485668285.00007FF796321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF796320000, based on PE: true
                               • Associated: 00000000.00000002.2485640721.00007FF796320000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2485711078.00007FF796368000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2485743843.00007FF796384000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2485771023.00007FF796385000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff796320000_data.jbxd
                              Yara matches
                              Similarity
                              • API ID: Handle$CloseErrorLast$CreateCurrentDuplicateProcessThread
                              • String ID: RUST_MIN_STACK$failed to spawn thread
                              • API String ID: 4152547513-917136298
                              • Opcode ID: e1fe5ed1eafe8fdf8fdfa34dfc41f82cdc4ecd80e4ae4ebbe172128a9ffc96c8
                              • Instruction ID: f0643f7c38e22200e2cfaa5b9827c707a61903e346d4f511ee18b7ded861dbbf
                              • Opcode Fuzzy Hash: e1fe5ed1eafe8fdf8fdfa34dfc41f82cdc4ecd80e4ae4ebbe172128a9ffc96c8
                              • Instruction Fuzzy Hash: 31D16122A08B8189EB60AF75DC403FAA7A1FB54798F84423DEA4D43B95DF3DE445C360
                              APIs
                              Strings
                              • stack backtrace:, xrefs: 00007FF796342489
                              • note: Some details are omitted, run with `RUST_BACKTRACE=full` for a verbose backtrace.__rust_begin_short_backtrace__rust_end_short_backtraces [... omitted frame ...], xrefs: 00007FF7963427C5
                              Memory Dump Source
                              • Source File: 00000000.00000002.2485668285.00007FF796321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF796320000, based on PE: true
                               • Associated: 00000000.00000002.2485640721.00007FF796320000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2485711078.00007FF796368000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2485743843.00007FF796384000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2485771023.00007FF796385000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff796320000_data.jbxd
                              Yara matches
                              Similarity
                              • API ID: ErrorLast$CaptureContextCurrentDirectoryEntryFunctionLookup
                              • String ID: note: Some details are omitted, run with `RUST_BACKTRACE=full` for a verbose backtrace.__rust_begin_short_backtrace__rust_end_short_backtraces [... omitted frame ...]$stack backtrace:
                              • API String ID: 2800785878-3192684347
                              • Opcode ID: 4bbe36f0fe447586e8357a7e4dd4ed2b824feb644bd07eeacd858a07ae087f45
                              • Instruction ID: 206bf99440f02c16823a8970b8dbb1cda616ec29b6463acf2f4112ccb5de810a
                              • Opcode Fuzzy Hash: 4bbe36f0fe447586e8357a7e4dd4ed2b824feb644bd07eeacd858a07ae087f45
                              • Instruction Fuzzy Hash: D8B1F726608FC088EB719F35DC403EAB7A4FB05799F84022DCA4C5BB99EF789245DB10
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.2485668285.00007FF796321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF796320000, based on PE: true
                               • Associated: 00000000.00000002.2485640721.00007FF796320000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2485711078.00007FF796368000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2485743843.00007FF796384000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2485771023.00007FF796385000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff796320000_data.jbxd
                              Yara matches
                              Similarity
                              • API ID: CloseCreateErrorEventHandleLastMultipleObjectsOverlappedResultWait
                              • String ID:
                              • API String ID: 1266231692-0
                              • Opcode ID: 3f3dbb084d398a919d2193d6839360a082df21ce421ae49279b81c65541117a3
                              • Instruction ID: 520ef5e1fd294712e19f534ac62dc0d31bfd1fcf51a216bd8612bf8af9c02b03
                              • Opcode Fuzzy Hash: 3f3dbb084d398a919d2193d6839360a082df21ce421ae49279b81c65541117a3
                              • Instruction Fuzzy Hash: 6D816C22B18A9189FB20AB75DC503AEA760FB147D8F80073DDE1D17B89DF38E4918360
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.2485668285.00007FF796321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF796320000, based on PE: true
                               • Associated: 00000000.00000002.2485640721.00007FF796320000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2485711078.00007FF796368000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2485743843.00007FF796384000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2485771023.00007FF796385000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff796320000_data.jbxd
                              Yara matches
                              Similarity
                              • API ID: CloseHandle$FileSleep$ErrorLastReadWrite
                              • String ID:
                              • API String ID: 4082512061-0
                              • Opcode ID: e5d52f58ac41d464b07f71f492d0680f30e667673786d98217f25f9f77bdd33c
                              • Instruction ID: 794ae43c9e605a890ea5437c7175ccb74674e7ce889b5d1679ec471ef721da63
                              • Opcode Fuzzy Hash: e5d52f58ac41d464b07f71f492d0680f30e667673786d98217f25f9f77bdd33c
                              • Instruction Fuzzy Hash: 94516222604AC695E731AF35EC017FAA7A0FF44798F844739EDAC16B98DF789285D310
                              APIs
                              • LoadLibraryExW.KERNEL32(?,?,?,00007FF7963636FE,?,?,?,00007FF7963633F0,?,?,?,00007FF796361989), ref: 00007FF7963634D1
                              • GetLastError.KERNEL32(?,?,?,00007FF7963636FE,?,?,?,00007FF7963633F0,?,?,?,00007FF796361989), ref: 00007FF7963634DF
                              • LoadLibraryExW.KERNEL32(?,?,?,00007FF7963636FE,?,?,?,00007FF7963633F0,?,?,?,00007FF796361989), ref: 00007FF796363509
                              • FreeLibrary.KERNEL32(?,?,?,00007FF7963636FE,?,?,?,00007FF7963633F0,?,?,?,00007FF796361989), ref: 00007FF796363577
                              • GetProcAddress.KERNEL32(?,?,?,00007FF7963636FE,?,?,?,00007FF7963633F0,?,?,?,00007FF796361989), ref: 00007FF796363583
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2485668285.00007FF796321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF796320000, based on PE: true
                               • Associated: 00000000.00000002.2485640721.00007FF796320000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2485711078.00007FF796368000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2485743843.00007FF796384000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2485771023.00007FF796385000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff796320000_data.jbxd
                              Yara matches
                              Similarity
                              • API ID: Library$Load$AddressErrorFreeLastProc
                              • String ID: api-ms-
                              • API String ID: 2559590344-2084034818
                              • Opcode ID: 26cd646a3230e95e4884bdabb7b30b0d07ccc3cf38f01ba52032b2c893856c9c
                              • Instruction ID: 038ebc685834d077432d8c94b5e7270ce20e8b1c84029065731cc89e916c17b4
                              • Opcode Fuzzy Hash: 26cd646a3230e95e4884bdabb7b30b0d07ccc3cf38f01ba52032b2c893856c9c
                              • Instruction Fuzzy Hash: 1D31C721A09E4591FE31AB26AC01576A3D4BF48BA4F9A173DDE1D47740EF3CE4448220
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2485668285.00007FF796321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF796320000, based on PE: true
                               • Associated: 00000000.00000002.2485640721.00007FF796320000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2485711078.00007FF796368000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2485743843.00007FF796384000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2485771023.00007FF796385000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff796320000_data.jbxd
                              Yara matches
                              Similarity
                              • API ID: Handle$CloseConsoleErrorLastMode
                              • String ID: called `Result::unwrap()` on an `Err` value
                              • API String ID: 1170577072-2333694755
                              • Opcode ID: 817507dc5c808a15f47d92dd7bcf823e26b7afb95f7ccb482339663f7335e823
                              • Instruction ID: 882d530c5557bdce41c49e13c4101867c9ecf67f66897bf71bf248e8f7008c41
                              • Opcode Fuzzy Hash: 817507dc5c808a15f47d92dd7bcf823e26b7afb95f7ccb482339663f7335e823
                              • Instruction Fuzzy Hash: 4C817262A18A9288FB30AF719D013FAA761AB45798FC4423DDE5D13B99DF3CD185C360
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2485668285.00007FF796321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF796320000, based on PE: true
                               • Associated: 00000000.00000002.2485640721.00007FF796320000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2485711078.00007FF796368000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2485743843.00007FF796384000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2485771023.00007FF796385000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff796320000_data.jbxd
                              Yara matches
                              Similarity
                              • API ID: CallEncodePointerTranslatorabort
                              • String ID: MOC$RCC
                              • API String ID: 292945357-2084237596
                              • Opcode ID: c2ed09c5c8d930a1964cbcab0c248ebb2b83f3af9058a32a62ede220a89339ae
                              • Instruction ID: eb85fa4d301551afcb6973056f43eec63c7a6ec0d0a2f7bf16c2502db62de7af
                              • Opcode Fuzzy Hash: c2ed09c5c8d930a1964cbcab0c248ebb2b83f3af9058a32a62ede220a89339ae
                              • Instruction Fuzzy Hash: 14619032908BC582EB709B26E8417AAB7A0FB95B84F45422DEB9C17B55DF7CD094CB10
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2485668285.00007FF796321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF796320000, based on PE: true
                               • Associated: 00000000.00000002.2485640721.00007FF796320000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2485711078.00007FF796368000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2485743843.00007FF796384000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2485771023.00007FF796385000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff796320000_data.jbxd
                              Yara matches
                              Similarity
                              • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_recordabort
                              • String ID: csm$csm
                              • API String ID: 4198837600-3733052814
                              • Opcode ID: a5019e4792ad5e89698bbfe75330b11f4ed95280b0d1c5aa801017d5ea5b5d05
                              • Instruction ID: 3ca521942552611e0e348f50d34569103c75d6a93cc2181e8bd0d274ffe98395
                              • Opcode Fuzzy Hash: a5019e4792ad5e89698bbfe75330b11f4ed95280b0d1c5aa801017d5ea5b5d05
                              • Instruction Fuzzy Hash: FB51C332908A4286EB34AF32D94536AB7A0FB50B84F97423DDA8C43B95CF3CE450DB10
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.2485668285.00007FF796321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF796320000, based on PE: true
                               • Associated: 00000000.00000002.2485640721.00007FF796320000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2485711078.00007FF796368000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2485743843.00007FF796384000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2485771023.00007FF796385000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff796320000_data.jbxd
                              Yara matches
                              Similarity
                              • API ID: ErrorLast$FullNamePath
                              • String ID:
                              • API String ID: 2482867836-0
                              • Opcode ID: f4ce7651041b39ed863c9ba837ad02450806269708d70ae02e2dd2be7cd27e5d
                              • Instruction ID: 31806ac004e5b7f6675f72d31d4939a3c88903fa02795d86f16cfaa4c95bfe06
                              • Opcode Fuzzy Hash: f4ce7651041b39ed863c9ba837ad02450806269708d70ae02e2dd2be7cd27e5d
                              • Instruction Fuzzy Hash: 22B1BC62A04BC296EB31AF31DC457EAA669FB05BC8F94423DDE1C1B789DF39D2418310
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.2485668285.00007FF796321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF796320000, based on PE: true
                               • Associated: 00000000.00000002.2485640721.00007FF796320000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2485711078.00007FF796368000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2485743843.00007FF796384000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2485771023.00007FF796385000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff796320000_data.jbxd
                              Yara matches
                              Similarity
                              • API ID: ErrorLast$FullNamePath
                              • String ID:
                              • API String ID: 2482867836-0
                              • Opcode ID: f8885a954afcc379b487f3f8152eb6d331321888d4890d83c88af7ea092aa73f
                              • Instruction ID: 1179e2cac37ffcc4d7382fac98e9eb31991904252fd17938373a2a2baf424e07
                              • Opcode Fuzzy Hash: f8885a954afcc379b487f3f8152eb6d331321888d4890d83c88af7ea092aa73f
                              • Instruction Fuzzy Hash: A0B1C062A05BC29AEB31AF31DC447FAA665FB45BD8F84423DDE1C1B789CF7992418310
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.2485668285.00007FF796321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF796320000, based on PE: true
                               • Associated: 00000000.00000002.2485640721.00007FF796320000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2485711078.00007FF796368000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2485743843.00007FF796384000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2485771023.00007FF796385000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff796320000_data.jbxd
                              Yara matches
                              Similarity
                              • API ID: ErrorLast$EnvironmentVariable
                              • String ID:
                              • API String ID: 2691138088-0
                              • Opcode ID: fc5a4d72df07968e39e1387b0a46eb29a363855e0daa9cc5c2e1efe9fb11da28
                              • Instruction ID: 05d382f9b4c544508efde6fddf8f18b5daef0f7014d8b591f96d268d6c238439
                              • Opcode Fuzzy Hash: fc5a4d72df07968e39e1387b0a46eb29a363855e0daa9cc5c2e1efe9fb11da28
                              • Instruction Fuzzy Hash: C581B262A04AC289EB71AF35DD457EAA365FF047D8F80823DDE5C5B795DF3892818320
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.2485668285.00007FF796321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF796320000, based on PE: true
                               • Associated: 00000000.00000002.2485640721.00007FF796320000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2485711078.00007FF796368000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2485743843.00007FF796384000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2485771023.00007FF796385000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff796320000_data.jbxd
                              Yara matches
                              Similarity
                              • API ID: ConsoleErrorLastWrite$ByteCharMultiWide
                              • String ID:
                              • API String ID: 1956605914-0
                              • Opcode ID: 48effe38b741a0eb6a41198d29e970fe561dbfea08ea2de7f55e5ffc83a58158
                              • Instruction ID: 0d66ab35fa8e399e5705c47c1c5dd362868c3f49d4eb9166d4d4b71bfd0a7090
                              • Opcode Fuzzy Hash: 48effe38b741a0eb6a41198d29e970fe561dbfea08ea2de7f55e5ffc83a58158
                              • Instruction Fuzzy Hash: 2F51BF72A08A9345E730AB30DC093FAE651EB847D8F98433DD94D47AE9DF7C92858360
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.2485668285.00007FF796321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF796320000, based on PE: true
                               • Associated: 00000000.00000002.2485640721.00007FF796320000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2485711078.00007FF796368000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2485743843.00007FF796384000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2485771023.00007FF796385000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff796320000_data.jbxd
                              Yara matches
                              Similarity
                              • API ID: ErrorLast$FileModuleName
                              • String ID:
                              • API String ID: 1026760046-0
                              • Opcode ID: f5bdda413f1ae2e473f34ff7b3e99cc3eb0dea0200a86c3a64f99f5000ca240d
                              • Instruction ID: 9cc0d53637860e56635181e9c0cfeee327b7fbd3d0b6e187ddb94427c15eb9e1
                              • Opcode Fuzzy Hash: f5bdda413f1ae2e473f34ff7b3e99cc3eb0dea0200a86c3a64f99f5000ca240d
                              • Instruction Fuzzy Hash: 3D51D122A04B8149EB71AF35AC457FAA365BB04BE8F90833DDD5C4A785DF7CE2858310
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.2485668285.00007FF796321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF796320000, based on PE: true
                               • Associated: 00000000.00000002.2485640721.00007FF796320000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2485711078.00007FF796368000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2485743843.00007FF796384000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2485771023.00007FF796385000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff796320000_data.jbxd
                              Yara matches
                              Similarity
                              • API ID: ErrorLast$CurrentDirectory
                              • String ID:
                              • API String ID: 3993060814-0
                              • Opcode ID: bdd27f3b08b8cd255969bcbe2a5c860f6a453ba4a70200ed8c3c5971649517e9
                              • Instruction ID: 853081e0fe437fefeba6c1df80d27871f09438cd0bf5c54b4459199ce780d407
                              • Opcode Fuzzy Hash: bdd27f3b08b8cd255969bcbe2a5c860f6a453ba4a70200ed8c3c5971649517e9
                              • Instruction Fuzzy Hash: 1B51CF26A04BC149EB71AF31AC45BAAA354BB04BE8FD4833DDD5C5A785DF7CA3858310
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.2485668285.00007FF796321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF796320000, based on PE: true
                              • Associated: 00000000.00000002.2485640721.00007FF796320000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2485711078.00007FF796368000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2485743843.00007FF796384000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2485771023.00007FF796385000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff796320000_data.jbxd
                              Yara matches
                              Similarity
                              • API ID: ErrorHandleLast$CurrentDuplicateProcess
                              • String ID:
                              • API String ID: 3697983210-0
                              • Opcode ID: b4b9231016c4aa9a4bfc9daeb7efb58c065290c6a6bb3da55ef2d6eb4c47869f
                              • Instruction ID: 14887b004f4088e9041f7088d9637f2f7fa8d9016085e6f6cb4729831790de4f
                              • Opcode Fuzzy Hash: b4b9231016c4aa9a4bfc9daeb7efb58c065290c6a6bb3da55ef2d6eb4c47869f
                              • Instruction Fuzzy Hash: 5F11FE71B08B4686FB70AB71AC4537BA291AB447A8F94437CD95E067C4EF7DE5848320
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2485668285.00007FF796321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF796320000, based on PE: true
                              • Associated: 00000000.00000002.2485640721.00007FF796320000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2485711078.00007FF796368000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2485743843.00007FF796384000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2485771023.00007FF796385000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff796320000_data.jbxd
                              Yara matches
                              Similarity
                              • API ID: AddressSingleWake
                              • String ID: <unnamed>$Box<dyn Any>aborting due to panic at $main
                              • API String ID: 3114109732-896199136
                              • Opcode ID: 81f333dd2c48f0b95aebd32add5313a8d1868162962f6c27835901bc0c024b94
                              • Instruction ID: 36dce09c65755f64fa199323d69f0f4e8d45e84b590608071cd91d9b4ea73fcb
                              • Opcode Fuzzy Hash: 81f333dd2c48f0b95aebd32add5313a8d1868162962f6c27835901bc0c024b94
                              • Instruction Fuzzy Hash: 11D1AF32A09B4185FB61AB35DC803BEA7A0EB54B88F84063EDA4D47795DF3DE459C360
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2485668285.00007FF796321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF796320000, based on PE: true
                              • Associated: 00000000.00000002.2485640721.00007FF796320000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2485711078.00007FF796368000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2485743843.00007FF796384000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2485771023.00007FF796385000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff796320000_data.jbxd
                              Yara matches
                              Similarity
                              • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                              • String ID: csm
                              • API String ID: 2395640692-1018135373
                              • Opcode ID: 9fba6ed063106470f6b14403b4dd8a29e9ed539f984e3a76dab556ad91a6477d
                              • Instruction ID: 627b9c516d397dacd322a63b3b17b890ccdb7c7979365ba8fd50b3b0cb31d1ca
                              • Opcode Fuzzy Hash: 9fba6ed063106470f6b14403b4dd8a29e9ed539f984e3a76dab556ad91a6477d
                              • Instruction Fuzzy Hash: 4551E632B19A028AEB64EB29D805A3EB795FB44B98F92423CDA4D43744DF7CE841C750
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2485668285.00007FF796321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF796320000, based on PE: true
                              • Associated: 00000000.00000002.2485640721.00007FF796320000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2485711078.00007FF796368000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2485743843.00007FF796384000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2485771023.00007FF796385000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff796320000_data.jbxd
                              Yara matches
                              Similarity
                              • API ID: terminate
                              • String ID: MOC$RCC$csm
                              • API String ID: 1821763600-2671469338
                              • Opcode ID: 7452083ed9cb36d213407fe42873fc44bc2a82579146da1c61ef2b8bef4380e9
                              • Instruction ID: a91300c583b43e3e316396e80d2befa3fc693d0c168fe964ea3510e6f28192c6
                              • Opcode Fuzzy Hash: 7452083ed9cb36d213407fe42873fc44bc2a82579146da1c61ef2b8bef4380e9
                              • Instruction Fuzzy Hash: A3F08136918E46C6EB347B79D9420BEB260EF48740F8A523DD70807792DF7CE4A0C661
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2485668285.00007FF796321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF796320000, based on PE: true
                              • Associated: 00000000.00000002.2485640721.00007FF796320000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2485711078.00007FF796368000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2485743843.00007FF796384000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2485771023.00007FF796385000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff796320000_data.jbxd
                              Yara matches
                              Similarity
                              • API ID: AddressHandleModuleProc
                              • String ID: SetThreadDescription$kernel32
                              • API String ID: 1646373207-1950310818
                              • Opcode ID: 2f949e137d4db0aaf66a4741d07585fd00b72f5cfcc57f6eaff7e3f3a327ded4
                              • Instruction ID: 1671f9459f0dfd3412c08c73bc139e76ba3d7ba074660e11200e9f82dd1e7852
                              • Opcode Fuzzy Hash: 2f949e137d4db0aaf66a4741d07585fd00b72f5cfcc57f6eaff7e3f3a327ded4
                              • Instruction Fuzzy Hash: 84F05E55B09F42E1FA35AB61AC440F6A7A06F4ABD0FD4433ECC0D037A8AF3CA549C220
                              APIs
                              • CancelIo.KERNEL32(?,?,?,?,?,?,?,00000000,00000000,?,00007FF7963371BD,?,?,00000000,00000000,?), ref: 00007FF796348CC8
                              • GetOverlappedResult.KERNEL32(?,?,?,?,?,?,?,00000000,00000000,?,00007FF7963371BD,?,?,00000000,00000000,?), ref: 00007FF796348CEA
                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,00000000,00000000,?,00007FF7963371BD,?,?,00000000,00000000,?), ref: 00007FF796348CFC
                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,00000000,00000000,?,00007FF7963371BD,?,?,00000000,00000000,?), ref: 00007FF796348D68
                              Memory Dump Source
                              • Source File: 00000000.00000002.2485668285.00007FF796321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF796320000, based on PE: true
                              • Associated: 00000000.00000002.2485640721.00007FF796320000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2485711078.00007FF796368000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2485743843.00007FF796384000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2485771023.00007FF796385000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff796320000_data.jbxd
                              Yara matches
                              Similarity
                              • API ID: ErrorLast$CancelOverlappedResult
                              • String ID:
                              • API String ID: 3836860830-0
                              • Opcode ID: a37bd27734ec0f5057a43c152be64d362c6e416520bc844136d6f4e25c5d8bdf
                              • Instruction ID: 46ef867cb0a284274a69978e5b412b645a6df025c9f42c92945477f21f43d1c6
                              • Opcode Fuzzy Hash: a37bd27734ec0f5057a43c152be64d362c6e416520bc844136d6f4e25c5d8bdf
                              • Instruction Fuzzy Hash: 6E415E32A15A4185FB20AB75EC003AEA7A0EB99B98F94473DDE5D137D4DF78D5808360
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.2485668285.00007FF796321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF796320000, based on PE: true
                              • Associated: 00000000.00000002.2485640721.00007FF796320000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2485711078.00007FF796368000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2485743843.00007FF796384000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2485771023.00007FF796385000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff796320000_data.jbxd
                              Yara matches
                              Similarity
                              • API ID: ErrorLast$DirectorySystem
                              • String ID:
                              • API String ID: 860285823-0
                              • Opcode ID: 3e7445bc8bc846b82c9ef6b2e70350b60c97af766578589fdaf505a780311739
                              • Instruction ID: 9747f288850aab93df767b49ea909c2464a00713d09ba8d661dc6713213c610a
                              • Opcode Fuzzy Hash: 3e7445bc8bc846b82c9ef6b2e70350b60c97af766578589fdaf505a780311739
                              • Instruction Fuzzy Hash: EF41B322A15EA145E7746E358C983BFA291BB04BA9F90433ED95D8BBCCDF3C95418320
                              APIs
                              • CreateEventW.KERNEL32(?,?,?,00000000,?,?,?,00007FF79634859D), ref: 00007FF796348940
                              • GetLastError.KERNEL32(?,?,?,00000000,?,?,?,00007FF79634859D), ref: 00007FF79634899D
                              • CloseHandle.KERNEL32(?,?,?,?,?,?,?,00000000,?,?,?,00007FF79634859D), ref: 00007FF796348A0E
                              • CloseHandle.KERNEL32(?,?,?,?,?,?,?,00000000,?,?,?,00007FF79634859D), ref: 00007FF796348A14
                              Memory Dump Source
                              • Source File: 00000000.00000002.2485668285.00007FF796321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF796320000, based on PE: true
                              • Associated: 00000000.00000002.2485640721.00007FF796320000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2485711078.00007FF796368000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2485743843.00007FF796384000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2485771023.00007FF796385000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff796320000_data.jbxd
                              Yara matches
                              Similarity
                              • API ID: CloseHandle$CreateErrorEventLast
                              • String ID:
                              • API String ID: 3743700123-0
                              • Opcode ID: 0ea33f64bb86a0bfbfb1f78974fee3de5b4cde7664b66cd5d542502202ef255e
                              • Instruction ID: 4dfb021465cc2662a5d2ebace12c3df157de67f29b00d3eae15f8b76fc7246ec
                              • Opcode Fuzzy Hash: 0ea33f64bb86a0bfbfb1f78974fee3de5b4cde7664b66cd5d542502202ef255e
                              • Instruction Fuzzy Hash: E7218533A04B4185F7215B22BC4176AA664F7887A4F588739DF9D037D0DF3895D28360
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.2485668285.00007FF796321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF796320000, based on PE: true
                              • Associated: 00000000.00000002.2485640721.00007FF796320000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2485711078.00007FF796368000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2485743843.00007FF796384000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2485771023.00007FF796385000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff796320000_data.jbxd
                              Yara matches
                              Similarity
                              • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                              • String ID:
                              • API String ID: 2933794660-0
                              • Opcode ID: 707d0c8de3e436c226fe970ee754dcb65eb07336b431ed5efaae52b4305e41aa
                              • Instruction ID: 24de4351e7d4fe7f70a2d0d67778484d0c207c7130e1758a6d9f3f3670a8a5ea
                              • Opcode Fuzzy Hash: 707d0c8de3e436c226fe970ee754dcb65eb07336b431ed5efaae52b4305e41aa
                              • Instruction Fuzzy Hash: 3D111C22B54F018AEB109B70EC552BA73A4FB19B58F840B39DA6D46BA4DF78D1548360
                              APIs
                              Strings
                              • use of std::thread::current() is not possible after the thread's local data has been destroyedlibrary\std\src\thread\mod.rs, xrefs: 00007FF7963662CC
                              Memory Dump Source
                              • Source File: 00000000.00000002.2485668285.00007FF796321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF796320000, based on PE: true
                              • Associated: 00000000.00000002.2485640721.00007FF796320000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2485711078.00007FF796368000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2485743843.00007FF796384000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2485771023.00007FF796385000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff796320000_data.jbxd
                              Yara matches
                              Similarity
                              • API ID: AddressWake$Single
                              • String ID: use of std::thread::current() is not possible after the thread's local data has been destroyedlibrary\std\src\thread\mod.rs
                              • API String ID: 1135737206-63010627
                              • Opcode ID: 151bc918fb9338870a589600710fff827362a2434cc7f3ee8bb3171c759614f6
                              • Instruction ID: 3d760b22745f3983e93dbb0895bf3634a5e1d13348434a54485c51859b212c08
                              • Opcode Fuzzy Hash: 151bc918fb9338870a589600710fff827362a2434cc7f3ee8bb3171c759614f6
                              • Instruction Fuzzy Hash: 5A915021E0CA4684F721EB34ED413BBA7A0AB55B64F85833DD91D837A2DF3DE4858360
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2485668285.00007FF796321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF796320000, based on PE: true
                              • Associated: 00000000.00000002.2485640721.00007FF796320000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2485711078.00007FF796368000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2485743843.00007FF796384000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2485771023.00007FF796385000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff796320000_data.jbxd
                              Yara matches
                              Similarity
                              • API ID: AddressWake
                              • String ID: system_info.txtFailed to write to file:
                              • API String ID: 98804233-2426490079
                              • Opcode ID: eed8d59a4b507ff0baefa16787b906ccf608dc6cd5e4ea5ab4c3d94ce952860d
                              • Instruction ID: c7a5f26bd6b042d8b3c37190f9d537789d59b75649045d00c82562fce331ddae
                              • Opcode Fuzzy Hash: eed8d59a4b507ff0baefa16787b906ccf608dc6cd5e4ea5ab4c3d94ce952860d
                              • Instruction Fuzzy Hash: A8317532908A0186F732AB21FD5537BF6A0EB45754F81863DCB8D46691DF7CE486C361
                              Strings
                              • lock count overflow in reentrant mutexlibrary\std\src\sync\reentrant_lock.rs, xrefs: 00007FF79633DDCC
                              • use of std::thread::current() is not possible after the thread's local data has been destroyedlibrary\std\src\thread\mod.rs, xrefs: 00007FF79633DDB4
                              Memory Dump Source
                              • Source File: 00000000.00000002.2485668285.00007FF796321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF796320000, based on PE: true
                              • Associated: 00000000.00000002.2485640721.00007FF796320000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2485711078.00007FF796368000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2485743843.00007FF796384000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2485771023.00007FF796385000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff796320000_data.jbxd
                              Yara matches
                              Similarity
                              • API ID: AddressSingleWake
                              • String ID: lock count overflow in reentrant mutexlibrary\std\src\sync\reentrant_lock.rs$use of std::thread::current() is not possible after the thread's local data has been destroyedlibrary\std\src\thread\mod.rs
                              • API String ID: 3114109732-122189663
                              • Opcode ID: 246852d7639cdd672d989760a2505eca24b54e310bdaad073569c3b70c1914a4
                              • Instruction ID: ca745ffec28da8777924196dd4ab410d14a597f62040c69ff8f9fa13dde10971
                              • Opcode Fuzzy Hash: 246852d7639cdd672d989760a2505eca24b54e310bdaad073569c3b70c1914a4
                              • Instruction Fuzzy Hash: 9531AB22F04B0588EB60EB70DC417FDA7B0AB50718FD48A3DCA4C12699EF38A586C350
                              APIs
                              • RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF796352DD0), ref: 00007FF796361710
                              • RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF796352DD0), ref: 00007FF796361751
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2485668285.00007FF796321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF796320000, based on PE: true
                              • Associated: 00000000.00000002.2485640721.00007FF796320000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2485711078.00007FF796368000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2485743843.00007FF796384000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2485771023.00007FF796385000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff796320000_data.jbxd
                              Yara matches
                              Similarity
                              • API ID: ExceptionFileHeaderRaise
                              • String ID: csm
                              • API String ID: 2573137834-1018135373
                              • Opcode ID: fcde23e9e5406fba0f778db976cffc4e8cfe53f0c5df9932781582a26edf6273
                              • Instruction ID: 14827e6e131c5acdb4431079652297c53b52430c2ce36871082576877e13038b
                              • Opcode Fuzzy Hash: fcde23e9e5406fba0f778db976cffc4e8cfe53f0c5df9932781582a26edf6273
                              • Instruction Fuzzy Hash: EB112E36618F4182EB219F29F84025AB7E5FB88B94F994338DE8D07B68DF3CD5518710